What information is Roon server collecting from me?

Article 2a of EU directive 95/46/EC defines personal data as:

‘personal data’ shall mean any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;

In the US, there is a narrower definition, called PII (personally identifying information). NIST Special Publication 800-122 section 2.1 defines PII as:

any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.

If you leave out the link between something and the identifiable natural person, it is no longer personal data. It can not be used to identify a person!

This is untrue.

I can provide some examples:

Example 1 (no link):

Every time someone enters/plays a radio URL in Roon, we note that. We do not track who added it, just what was added and when. Once we got an understanding of how people used internet radio, we decided it was worth tackling the problem of making an internet radio directory. Thus:

Once this project is completed, a very nice directory for all the world’s internet radio stations will be available in Roon organized, searchable, and sortable/focusable.

The station URL in our database is not tied to you at all. It can not be personal data because there is no way to go from the station to a person. If there were to be an attack on our database that holds all the stations, it would be impossible to determine who added what station.

Example 2 (no link):

Every time you view lyrics, we know who you are and where you were when you did it. We then collect which lyrics were viewed in what regions. Nowhere is it noted that an individual viewed a certain lyric. We then share this collected data with the company we license lyrics from, for purposes of compensating the copyright holders. If that data was compromised, it would be impossible to determine who viewed what lyrics.

Example 3 (link in local db, copy without link):

We have a notion of your play history. This is stored on your Roon Core machine (try installing Roon on another machine, you will see it disappear). A second copy of this play history data, with richer data, is also saved in the cloud, but with no link back to personal data. This is critical to why the play history data can be both usable and at the same time, not link back to an “identifiable natural person”. [Note: I have edited this section for clarity]

If implemented properly, it is possible to build a large class of data-driven products without compromising privacy.

We segment data we collect into various databases, in different locations, with different cloud service providers. Often, these decisions fall nicely in with costs. For example, personal data is often small and highly critical to operations, so it requires a higher level of availability. Non-personal data does not. You can store it in more cost-efficient locations. Most importantly, the “Core” of Roon’s architecture means we can do things that seem impossible because we have a database sitting on your network.

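The segmentation described in Examples 2 and 3 above, shown as an added illustration in Python. This is not Roon's code and does not reflect how Roon actually stores anything; the account ids, regions, lyric ids and the `PlayHistory` class are constructed for the example. It shows the two patterns the post relies on: reducing raw events to per-region counts that carry no identifier at all, and keeping a richer copy of play history keyed only by a random token whose mapping to the account never leaves the local machine. It also includes the check a practitioner would want before any table leaves the personal-data store: scanning the outgoing records for known identifiers.

```python
from collections import Counter
from dataclasses import dataclass
import secrets


@dataclass(frozen=True)
class LyricView:
    """One raw event as the app sees it. account_id is what makes it personal data."""
    account_id: str
    region: str      # coarse location, e.g. a country code
    lyric_id: str
    ts: int          # unix timestamp


# Constructed sample events (hypothetical accounts, regions and lyric ids).
SAMPLE_EVENTS = [
    LyricView("acct-1001", "DE", "lyric-42", 1700000000),
    LyricView("acct-1001", "DE", "lyric-42", 1700000600),
    LyricView("acct-2002", "DE", "lyric-42", 1700001200),
    LyricView("acct-3003", "US", "lyric-42", 1700001800),
    LyricView("acct-3003", "US", "lyric-77", 1700002400),
]


def aggregate_lyric_views(events):
    """Example 2: reduce raw events to counts per (region, lyric).
    The output carries no account id and no timestamp, so a leak of this
    table alone cannot say who viewed which lyric."""
    return dict(Counter((e.region, e.lyric_id) for e in events))


def leaks_identifier(records, identifiers):
    """Defensive check before a dataset leaves the personal-data store:
    return every known identifier string that appears anywhere in it."""
    blob = repr(records)
    return [i for i in identifiers if i in blob]


class PlayHistory:
    """Example 3: a play history kept in two places.
    - local: on the Core machine, keyed by the real account id
    - cloud: richer rows keyed only by a random install token; the cloud
      side never receives the token -> account mapping."""

    def __init__(self, account_id):
        self.account_id = account_id
        self.local = []
        # Random, not derived from account_id. A hash of account_id would be
        # re-linkable by anyone able to enumerate account ids and hash them.
        self.install_token = secrets.token_hex(16)
        self.cloud = []

    def record_play(self, track_id, ts, **richer):
        self.local.append({"account": self.account_id, "track": track_id, "ts": ts})
        self.cloud.append({"token": self.install_token, "track": track_id, "ts": ts, **richer})

    def reinstall(self):
        """Simulates installing on a new machine: the local copy and the old
        token are gone, so existing cloud rows are no longer linkable to anyone."""
        self.local = []
        self.install_token = secrets.token_hex(16)


def demo():
    counts = aggregate_lyric_views(SAMPLE_EVENTS)
    ids = sorted({e.account_id for e in SAMPLE_EVENTS})
    hist = PlayHistory("acct-1001")
    hist.record_play("track-9", 1700003000, device="core", duration_s=241)
    return {
        "counts": counts,
        "aggregate_leaks": leaks_identifier(counts, ids),
        "cloud_leaks": leaks_identifier(hist.cloud, [hist.account_id]),
        "cloud_rows": len(hist.cloud),
    }


if __name__ == "__main__":
    print(demo())
```

The important design point is where the link lives: the aggregate has none, and the cloud play history has only a random token whose mapping sits in the local store. The sensitive asset in such a design is the mapping itself, which is why it belongs in the small, highly available, more tightly controlled personal-data database the post describes rather than alongside the bulk data.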