Paul M. Schwartz


Global Data Privacy: The EU Way

Paul M. Schwartz

EU data protection law is playing an increasingly prominent role in today’s global technological environment. The cornerstone of EU law in this area, the General Data Protection Regulation (GDPR), is now widely regarded as a privacy law not just for the EU, but for the world. In the conventional wisdom, the EU has become the world’s privacy cop, acting in a unilateral fashion and exercising de facto influence over other nations through its market power. Yet, understanding the forces for convergence and divergence in data privacy law demands a more nuanced account of today’s regulatory environment.

In contrast to the established narrative about EU power, this Article develops a new account of the diffusion of EU data protection law. It does so through case studies of Japan and the United States that focus on how these countries have negotiated the terms for international data transfers from the EU. The resulting account reveals the EU to be both collaborative and innovative.

Three important lessons follow from the case studies. First, rather than exercising unilateral power, the EU has engaged in bilateral negotiations and accommodated varied paths for non-EU nations to meet the GDPR’s “adequacy” requirement for international data transfers. Second, while the adequacy requirement did provide significant leverage in these negotiations, it has been flexibly applied throughout its history. Third, the EU’s impressive regulatory capacity rests on a complex interplay of institutions beyond the European Commission. Not only are there a multiplicity of policy and lawmaking institutions within the EU, but the EU has also drawn on non-EU privacy innovations and involved institutions from non-EU countries in its privacy policymaking.

Finally, this Article identifies two overarching factors that have promoted the global diffusion of EU data protection law. The first such factor regards legal substance. Public discourse on consumer privacy has evolved dramatically, and important institutions and prominent individuals in many non-EU jurisdictions now acknowledge the appeal of EU-style data protection. Beyond substance, the EU has benefited from the accessibility of its omnibus legislative approach; other jurisdictions have been drawn to the EU’s highly transplantable legal model. In short, the world has weighed in, and the EU is being rewarded for its success in the marketplace of regulatory ideas.

Voting Technology and Democracy

Paul M. Schwartz

The 2000 presidential election exposed a voting-technology divide in Florida and many other states. In this Article, Professor Paul M. Schwartz critiques this phenomenon from the perspective of systems analysis. He considers both technology and social institutions as components of unified election systems. Schwartz first examines data from the Florida election and demonstrates the central importance of feedback to inform voters whether the technology they use to vote will validate their ballots according to their intent-an advantage he finds distributed on unequal terms, exacerbating built-in racial and socioeconomic bias. Schwartz then turns to the various judicial opinions in the ensuing litigation, which embraced competing epistemologies of technology. He suggests that judges who favored a recount saw election technology as a fallible instrument for converting voters’ choices into votes, while the U.S. Supreme Court majority trusted machines over fallible humans and required hard-edged rules to cabin discretion and avoid human imperfections. Finally, the Article concludes with a review of efforts to reform the unequal distribution of voting technology. Schwartz finds that some efforts at litigation and legislation show promise, but in many instances they are stalled, and in many others they exhibit shortcomings that would leave the voting-technology divide in place for future elections.

The PII Problem: Privacy and a New Concept of Personally Identifiable Information

Paul M. Schwartz, Daniel J. Solove

Personally identifiable information (PII) is one of the most central concepts in
information privacy regulation. The scope of privacy laws typically turns on
whether PII is involved. The basic assumption behind the applicable laws is that if
PII is not involved, then there can be no privacy harm. At the same time, there is no
uniform definition of PII in information privacy law. Moreover, computer science
has shown that in many circumstances non-PII can be linked to individuals, and
that de-identified data can be re-identified. PII and non-PII are thus not immutable
categories, and there is a risk that information deemed non-PII at one time can be
transformed into PII at a later juncture. Due to the malleable nature of what constitutes
PII, some commentators have even suggested that PII be abandoned as the
mechanism by which to define the boundaries of privacy law.
In this Article, we argue that although the current approaches to PII are flawed, the
concept of PII should not be abandoned. We develop a new approach called “PII
2.0,” which accounts for PII’s malleability. Based upon a standard rather than a
rule, PII 2.0 utilizes a continuum of risk of identification. PII 2.0 regulates information
that relates to either an “identified” or “identifiable” individual, and it establishes
different requirements for each category. To illustrate this theory, we use the
example of regulating behavioral marketing to adults and children. We show how
existing approaches to PII impede the effective regulation of behavioral marketing,
and how PII 2.0 would resolve these problems.