Author(s): Paul M. Schwartz
Year: 2014
Abstract:
US and EU privacy law diverge greatly. At the foundational level, they diverge
in their underlying philosophy: In the US, privacy law focuses on
redressing consumer harm and balancing privacy with efficient commercial
transactions. In the EU, privacy is hailed as a fundamental right that
trumps other interests. Even at the threshold level – determining what
information is covered by the regulation – the US and EU differ
significantly. The existence of personal information – commonly referred
to as “personally identifiable information” (PII) – is the trigger for
when privacy laws apply. PII is defined quite differently in US and EU
privacy law. The US approach involves multiple and inconsistent
definitions of PII that are often quite narrow. The EU approach defines
PII to encompass all information identifiable to a person, a definition
that can be quite broad and vague. This divergence is so basic that it
significantly impedes international data flow. A way to bridge the
divergence remains elusive, and many commentators have generally viewed
the differences between US and EU privacy law as impossible to
reconcile.
In this essay, we argue that there is a way to bridge
these differences at least with PII. We contend that a tiered approach
to the concept of PII (which we call “PII 2.0”) represents a superior
way of defining PII than the current approaches in the US and EU. We
also argue that PII 2.0 is consistent with the different underlying
philosophies of the US and EU privacy law regimes. Under PII 2.0, all of
the Fair Information Practices (FIPs) should apply when data refers to
an identified person or where there is a significant risk of the data
being identified. Only some of the FIPs should apply when data is merely
identifiable, and no FIPs should apply when there is a minimal risk
that the data is identifiable. We demonstrate how PII 2.0 advances the
goals of both US and EU privacy law and is consistent with their
different underlying philosophies. PII 2.0 thus begins the process of
bridging the current gap between US and EU privacy law.
Keywords: privacy, PII, personal data, personally identifiable information, EU Data Protection Directive, Fair Information Practices, comparative law, European privacy
Link: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2271442