[donohoe]

Actually no. It’s very likely this is fine. Context is important.

Not a layer but discussed this previously with lawyers when building a GDPR framework awhile back.

[sleepyhead]

Context is irrelevant. What is relevant is whether a value, for example a hash, can be identified to a specific person in some way.

[donohoe]

I'm really not going to argue here.

I've been told this directly by lawyers who specialize in GDPR and CCPA etc. I will take their word over yours.

If you are a lawyer with direct expertise in this area then I'm willing to listen.

[sleepyhead]

The GDPR is very clear here (https://gdpr-info.eu/art-4-gdpr/). So you must have misunderstood the lawyers you talked to or you are referring about a hash that cannot identify a person. If information can be linked to a person it is considered PII of that person.