What Is Personally Identifiable Information (PII)? Finding Common Ground in the EU and US
This post was co-authored by Professor Paul Schwartz.
We recently released a draft of our new essay, Reconciling Personal Information in the European Union and the United States, and we want to highlight some of its main points here.
The privacy law of the United States (US) and European Union (EU) differs in many fundamental ways, greatly complicating commerce between the US and EU. At the broadest level, US privacy law focuses on redressing consumer harm and balancing privacy with efficient commercial transactions. In the EU, privacy is hailed as a fundamental right that trumps other interests. The result is that EU privacy protections are much more restrictive on the use and transfer of personal data than US privacy law.
Numerous attempts have been made to bridge the gap between US and EU privacy law, but a very large initial hurdle stands in the way. The two bodies of law can’t even agree on the scope of protection, let alone the substance of the protections. The scope of a privacy law turns on the definition of “personally identifiable information” (PII). If there is PII, privacy laws apply. If PII is absent, privacy laws do not apply.
In the US, the law provides multiple definitions of PII, most focusing on whether the information pertains to an identified person. In contrast, in the EU, there is a single definition of personal data to encompass all information identifiable to a person. Even if the data alone cannot be linked to a specific individual, if it is reasonably possible to use the data in combination with other information to identify a person, then the data is PII.
In our essay, Reconciling Personal Information in the European Union and the United States, we argue that both the US and EU approaches to defining PII are flawed. We also contend that a tiered approach to the concept of PII can bridge the differences between the US and EU approaches.
We first introduced our idea of “PII 2.0” in a 2011 article in the New York University Law Review. In our new essay, we demonstrate that PII 2.0 is also consistent with the vastly different philosophies of the US and EU privacy law regimes, and that it can serve as a foundational step in overcoming the differences between these regimes.
Under PII 2.0, data about identified individuals should be given the most protection. Identifiable data still deserves protection too, but that protection differs from the protection for identified data in that only some of the Fair Information Practice Principles (FIPPs) should apply.
Is PII 2.0 compatible with the EU approach? Upon initial reflection, one might expect the answer to be “no.” The EU approach also tends to be uniform regarding its FIPPs, and PII 2.0 permits variations in protection. Thus, on the surface, PII 2.0 might appear to weaken EU privacy protection and contravene its goal of providing a uniform and high level of privacy protection to data in order to respect people’s fundamental right to privacy.
In our view, however, PII 2.0 is fully compatible with the EU approach, consistent with its underlying philosophy, and furthers its goals effectively. We explore a few reasons in the essay, but the key reason is that PII 2.0 enhances the protection of privacy. It creates an incentive for companies to keep information in the least identifiable form. If we abandon PII, or treat identified and identifiable information as equivalents, companies will be less willing to expend resources to keep or transfer data in the most de-identifiable state practicable.
Beyond this incentive to keep data de-identified, PII 2.0 enhances privacy because administering certain FIPPs requires that data be identified, and keeping data in identified form can create privacy risks. Providing individuals with access to their data, for example, requires that the information be kept in identified form. If data is not kept in this form, data processors would not know to whom to provide access. The problem is that by keeping the data in identified form, the privacy risks from a potential data security breach increase.
Despite what appears to be significant divergence between the concepts of personal data in the US and the EU, the differences between the two systems can be reconciled. PII 2.0 makes the US approach coherent, and it fits within the basic philosophy of both US and EU privacy law. Thus, we contend that PII 2.0 is the ideal starting point toward reconciling these divergent bodies of law.
You can read more of our argument in our essay.