The days of names, addresses and dates of birth being the only details that fall under the definition of personally identifiable information (PII) are fleeting. As companies wait for case law to establish the growing definition more clearly, some are leaning on counsel and AI technology to make the final call on what constitutes PII, and personal health information (PHI) as well.  

Nick Schneider, head of business development and strategy at AI solution developer Text IQ, called identifying such information in a company's databases a "teamwork setup."

He said such a process starts with working alongside a corporate client or the client's counsel to get an idea of what's in the company's data sets. Next, the tech company will run its software to identify additional types of PII and PHI. Lastly, the tech team works with data subject experts/lawyers to decide which data falls under a regulation's scope.

Using AI to help automate the identification of PII or PHI always requires regulatory expertise and knowledge of where a company hosts data. And as new laws such as the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) go into effect, closer collaboration between counsel and software developers is needed, Schneider noted.

Perkins Coie partner and ad tech privacy and data management practice co-chair Dominique Shelton Leipzig agreed. "The tech tools, machine learning and AI are more refined. These are great tools, but they just aren't in the position yet to satisfy all the requirements you must meet."

She noted the CCPA considers "persistent identifiers," such as data that is linked to a consumer across different services, personal information. Such PII is difficult for a machine to distinguish and requires a lawyer's review.

Likewise, while an AI-automated data subject access request (DSAR) tool is great for finding data quickly, the legal team needs to be involved to verify what the legal requirements are.

"Having a tool to grab that data and pull it into a customer's account is very helpful but the problem is, it isn't foolproof yet," Leipzig said.

Still, Seyfarth Shaw partner Richard Lutkus said developers can code algorithms to spot potential personally identifiable information and keep up with PII and PHI's expanding definitions. 

The real challenge is convincing clients an AI solution is best to assist their privacy compliance, Lutkus said.

"It takes some discussion with the client to get them comfortable with it, they don't trust the black box of AI," he said. But he noted that when clients realize the large volume of data they need to examine under the strict deadlines imposed by the GDPR, CCPA or a state's data breach notification law, AI-powered PII detection tools may become appealing.

"Now I think people are kind of gathering information and testing and figuring out first what the human process is to figure that out and through that, they are finding it's cumbersome and costly," Lutkus noted.