Paul M. Schwartz of Berkeley and Daniel J. Solove of George Washington have written Reconciling Personal Information in the United States and European Union. Here's the abstract:
US and EU privacy law diverge greatly. At the foundational level, they diverge in their underlying philosophy: In the US, privacy law focuses on redressing consumer harm and balancing privacy with efficient commercial transactions. In the EU, privacy is hailed as a fundamental right that trumps other interests. Even at the threshold level – determining what information is covered by the regulation – the US and EU differ significantly. The existence of personal information – commonly referred to as “personally identifiable information” (PII) – is the trigger for when privacy laws apply. PII is defined quite differently in US and EU privacy law. The US approach involves multiple and inconsistent definitions of PII that are often quite narrow. The EU approach defines PII to encompass all information identifiable to a person, a definition that can be quite broad and vague. This divergence is so basic that it significantly impedes international data flow. A way to bridge the divergence remains elusive, and many commentators have generally viewed the differences between US and EU privacy law as impossible to reconcile.
In this essay, we argue that there is a way to bridge these differences at least with PII. We contend that a tiered approach to the concept of PII (which we call “PII 2.0”) represents a superior way of defining PII than the current approaches in the US and EU. We also argue that PII 2.0 is consistent with the different underlying philosophies of the US and EU privacy law regimes. Under PII 2.0, all of the Fair Information Practices (FIPs) should apply when data refers to an identified person or where there is a significant risk of the data being identified. Only some of the FIPs should apply when data is merely identifiable, and no FIPs should apply when there is a minimal risk that the data is identifiable. We demonstrate how PII 2.0 advances the goals of both US and EU privacy law and is consistent with their different underlying philosophies. PII 2.0 thus begins the process of bridging the current gap between US and EU privacy law.