If SSNs and bank account numbers are PII, why aren't all synthetic PKs PII?

Ewan's answer is a good overview of what constitutes personally identifiable information. Globally, we have a general understanding of what this means, but jurisdiction matters; we have specific legal frameworks to deal with in many countries. The General Data Protection Regulation (GDPR) is one such legal framework. Within the United State of America (where I'm from), we have some guidance from the National Institute of Standards and Technology (NIST).

GDPR Definition of Personal Data

While there is more to it, this is a good intro:

The data subjects are identifiable if they can be directly or indirectly identified, especially by reference to an identifier such as a name, an identification number, location data, an online identifier or one of several special characteristics, which expresses the physical, physiological, genetic, mental, commercial, cultural or social identity of these natural persons. In practice, these also include all data which are or can be assigned to a person in any kind of way. For example, the telephone, credit card or personnel number of a person, account data, number plate, appearance, customer number or address are all personal data.

Source: https://gdpr-info.eu/issues/personal-data/

NIST (USA) Definitions of Personal Data

Again, what follows isn't comprehensive, but it is a good overview. There are essentially three definitions of PII:

1. Personally Identifiable Information; Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.

2. Any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother‘s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.

3. Information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.

Source: https://csrc.nist.gov/glossary/term/PII

Note that each country, and even coalition of countries, is allowed to come up with their own definitions. The GDPR and NIST are just two examples of many. The true test of whether information is considered PII comes in a court of law, argued by lawyers in front of a judge about a specific situation after the damage has already been done.

From an engineering perspective, you need to consider where information is published, displayed, or disseminated, combined with what kinds of information is included, to see if a combination of data points can identify an individual person.

Context Matters With PII

As an extreme example, Social Security Numbers are typically forbidden in e-mail exchanges between government employees in the USA; that's not because the mere existence of a Social Security Number in an e-mail allows me to open a bank account or claim government benefits if I happen to read it. Information in e-mails tends to come with other data points, too: names, e-mail addresses, phone numbers, mailing addresses — these can be combined with an SSN to wreak all sorts of financial havoc on a specific individual.

The Social Security Administration sends a list of SSNs describing the wages earned for each one in the past several quarters, called the Vocational Rehabilitation Client Earnings Report. This e-mail, sent only after an extensive background check and verification process, contains SSNs and a code representing wages earned; not the actual number — a letter code. Wha-whaaaat! SSNs in plain text in an e-mail!? Well, it all comes back to the individual data points; there isn't enough information in that e-mail to identify someone. In fact, you can't tell what they actually earned in wages; it's just a letter code, like "A" or "C". Not PII according to the US Government.

Summary

While we have some similar ideas about what constitutes PII, the legal definitions are open-ended enough to expand the definition if lawyers can make a good argument. I don't think we can guarantee that synthetic primary keys (e.g., surrogate keys) won't be considered PII; this depends on where those primary keys are disseminated, what information is included, and what other information sources can be combined to produce a more comprehensive dataset.

As a software engineer, it's good to understand which legal frameworks your application is subject to, and then do some reading to get a surface-level understanding. If you are put in a position where you are responsible for making this assessment, you need to recommend the organization consult a lawyer or qualified cyber security professional.

Do not make this judgement in isolation.