In their new essay, Reconciling Personal Information in the United States and European Union, Professors Dan Solove and Paul Schwartz explore the divergence between European and US privacy law. The pair point to trans-Atlantic differences in the definition of personally identifiable information (PII) as one of the biggest challenges for harmonizing the two legal systems’ privacy regimes.
“The differences in the definitions of PII in the two systems are caused by their disparate treatment of this situation: frequently, data is merely identifiable, but the people to whom the data pertains are not currently identified,” they write. In the United States, PII has a plethora of different and inconsistent definitions, while the EU approach is broad and vague. This fundamental difference presents serious compliance costs for companies doing business in America and Europe.
Solove and Schwartz build on their conception of PII 2.0 to address this challenge. PII 2.0 establishes two categories of PII – “identified” and “identifiable” data – and tailors legal protections to the level of risk to individuals. “PII 2.0 would enlarge the scope of some U.S. privacy laws, but it would not impede data flows within the United States or internationally. In the European Union, it would provide for more tailored and nuanced protections,” they conclude.