
But that's literally the question I'm asking. Where do you draw the line in a way that stops what we consider to be abuses, but doesn't stop what we think of as legitimate uses by journalists, academics, etc.?

E.g. city employees who need to better understand traffic patterns originating from one neighborhood, to plan better public transit. Journalists who want to expose the congestion caused by Amazon delivery trucks. And so forth.

Is it database size? Commercial use? Whether license plates are hashed before storing? Hashed before selling the data to a third party? What about law enforcement with a warrant? Etc.



> But that's literally the question I'm asking. Where do you draw the line in a way that stops what we consider to be abuses, but doesn't stop what we think of as legitimate uses by journalists, academics, etc.?

I think the wrong assumption you're making is that there is supposed to be a simple answer, like something you can describe with a thousand words. But with messy reality this is basically never the case: Where do you draw the line of what is considered a taxable business? What are the limits of free speech? What procedures should be paid by health insurance?

It is important to accept this messiness and the complexity it brings instead of giving up and declaring the problem unsolvable. If you have ever asked yourself, why the GDPR is so difficult and so multifaceted in its implications, the messiness you are pointing out is the reason.

And of course, the answer to your question is: Look at the GDPR and European legislation as a precedent to where you draw the line for each instance and situation. It's not perfect of course, but given the problem, it can't be.


Generally, you do want the general principle of something like this to be explainable in a few sentences, yes.

Even if that results in a bunch of more detailed regulations, we can then understand the principles behind those regulations, even if they decide a bunch of edge cases with precise lines that seem arbitrary.

Things like the limits of free speech can be explained in a few sentences at a high level. So yes, I'm asking for what the equivalent might be here.

The idea that "it's so impossibly complicated that the general approach can't even be summarized" is not helpful. Even when regulations are complicated, they start from a few basic principles that can be clearly enumerated.


This is not how things ever work in practice in representative democracy. The world is too complex, and the many overlapping sets of political groups in a country/province/city have different takes on what the policy should be, and more importantly, each group has different tolerances for what they will accept.

Because everyone has different principles by which they evaluate the world, most laws don't actually care about principles. They are simply arbitrary lines in the sand drawn by the legislature in a bid to satisfy (or not dissatisfy) as many groups as possible. Sometimes, some vague sounding principles are attached to the laws, but it's always impossible for someone else to start with the same principles and derive the exact same law from them.

Constitutions on the other hand seem simple and often have simple sounding principles in them. The reason is that constitutions specify what the State institutions can and cannot do. The State is a relatively simple system compared to the world, so constitutions seem simple. Laws on the other hand specify what everyone else must or must not do, and they must deal with messy reality.


This is not just unhelpful (and overly cynical), but it is untrue.

Courts follow the law, but they also make determinations all the time based on the underlying principles when the law itself is not clear.

Law school itself is largely about learning all the relevant principles at work. (Along with lots of memorization of cases demonstrating which principle won where.)

I understand you're trying to take a realist or pragmatic approach, but you seem to have gone way too far in that direction.


The principle is that you should be able to casually document what you see in public, but you should not be able to intrude on the privacy of others.


Emphasis on casual, IMO. It is perfectly reasonable to decide that past norms which evolved in the absence of large scale computing power, digital cameras, and interconnected everything do not translate to the right to extrapolate freedom of casual observation into computer-assisted stalking.


It’s where you decouple the vehicle information (make, model, plate) from the PII (registered owner information)


License plate numbers are generally considered PII in their own right. A tuple of make, model, color, and year range is getting awfully close to an equivalent on its own as well.


no they're not. PII has to be able to identify an individual.

anyone can in theory be driving a car. is it my wife, or me, or my kid taking the station wagon out this weekend?

it's also why red light cameras and speed cameras send tickets to the registered owner, not necessarily who is driving. my sister in law borrows the car and I get the ticket


Generally "I wasn't driving then" is actually a defense to the automated cameras. The registered owner thing is just the first pass like any other lazy investigation.

In the broader context PII is a looser concept, and can be thought of like browser fingerprinting. The legal system hasn't formalized it nearly to the same degree, but does have the concept of how enough otherwise public information sufficiently correlated can break into the realm of privacy violations. In the browser fingerprinting world that's thought of pretty explicitly in terms of contributions of bits of entropy, but the legal system has pushed back on massive public surveillance when it steps into the realm of stalking or a form of investigation that should require a warrant.


PII isn’t limited to SSNs. By your logic, First name can’t be PII, and last name with no accompanying info wouldn’t be PII. Different types of data have different risk profiles. When multiple records about an individual are collected the risk grows exponentially. Location is absolutely PII when combined with other risky data, like license plate.


One big easy line to draw is personal+individual versus commercial+corporation. There should be sweeping privacy laws that individuals can use to prevent information about them (including government issued identifiers) from being recorded, processed, and stored. Then for private vs private, a de minimis exception for individuals doing it noncommercially on a small number of people.

Delivery trucks are operated by corporations so don't have privacy protection (although the individuals driving them would from things like facial recognition). Traffic patterns can be studied without the use of individual identifiers. Law enforcement is moot because the juicy commercial surveillance databases won't be generated in the first place, and without them we can have an honest societal conversation whether the government should create their own surveillance databases of everyone's movements.

These aren't insurmountable problems. GDPR gets these answers mostly right. What it requires is drawing a line in the sand and iterating to close loopholes, rather than simply assuming futility when trying to regulate the corporate surveillance industry.



