This post was co-authored by Professor Paul Schwartz.
We recently released a draft of our new essay, Reconciling Personal Information in the European Union and the United States, and we want to highlight some of its main points here.
The privacy law of the United States (US) and European Union (EU) differs in many fundamental ways, greatly complicating commerce between the US and EU. At the broadest level, US privacy law focuses on redressing consumer harm and balancing privacy with efficient commercial transactions. In the EU, privacy is hailed as a fundamental right that trumps other interests. The result is that EU privacy protections are much more restrictive on the use and transfer of personal data than US privacy law.
Numerous attempts have been made to bridge the gap between US and EU privacy law, but a very large initial hurdle stands in the way. The two bodies of law can’t even agree on the scope of protection, let alone the substance of the protections. The scope of protection of privacy laws turns on the definition of “personally identifiable information” (PII). If there is PII, privacy laws apply. If PII is absent, privacy laws do not apply.
In the US, the law provides multiple definitions of PII, most focusing on whether the information pertains to an identified person. In contrast, in the EU, there is a single definition of personal data that encompasses all information identifiable to a person. Even if the data alone cannot be linked to a specific individual, if it is reasonably possible to use the data in combination with other information to identify a person, then the data is PII.
In our essay, Reconciling Personal Information in the European Union and the United States, we argue that both the US and EU approaches to defining PII are flawed. We also contend that a tiered approach to the concept of PII can bridge the differences between the US and EU approaches.