Data Protection & Privacy

Information privacy laws, or data protection laws, prohibit the disclosure or misuse of information about private individuals. Over 80 countries and independent territories, including nearly every country in Europe and many in Latin America and the Caribbean, Asia, and Africa, have now adopted comprehensive data protection laws. The European Union's General Data Protection Regulation has been in force since May 25, 2018. The United States is notable for not having adopted a comprehensive information privacy law, having instead adopted limited sectoral laws in some areas. These laws are based on Fair Information Practice guidelines developed by a conglomerate of institutions and government agencies. The report submitted by the Chair to the HHS Secretary, titled "Records, Computers and the Rights of Citizens", proposes universal principles for the privacy and protection of consumer and citizen data:
  • For all data collected there should be a stated purpose.
  • Information collected from an individual cannot be disclosed to other organizations or individuals unless specifically authorized by law or by consent of the individual.
  • Records kept on an individual should be accurate and up to date.
  • There should be mechanisms for individuals to review data about them, to ensure accuracy. This may include periodic reporting.
  • Data should be deleted when it is no longer needed for the stated purpose.
  • Transmission of personal information to locations where "equivalent" personal data protection cannot be assured is prohibited.
  • Some data is too sensitive to be collected unless there are extreme circumstances (e.g., sexual orientation, religion).
Unlike the U.S. approach to privacy protection, which relies on industry-specific legislation, regulation, and self-regulation, the European Union relies on comprehensive privacy legislation. The European Directive on Data Protection, which went into effect in October 1998, includes, for example, the requirement to create government data protection agencies, registration of databases with those agencies, and in some instances, prior approval before personal data processing may begin. To bridge these different privacy approaches and provide a streamlined means for U.S. organizations to comply with the Directive, the U.S. Department of Commerce, in consultation with the European Commission, developed a "safe harbor" framework. The safe harbor, approved by the EU in July 2000, is a way for U.S. companies to comply with European privacy laws.