A Brief Description of Privacy Law
After reading the overview below, feel free to contact us to discuss your privacy law needs.
Privacy Law in the United States
In the U.S., non-disclosure and confidentiality laws do not come in a single neat rule of law; their sources have evolved over the nation's history to the present day. The laws came from common law, federal legislation and state laws. Currently, the driving forces include public policy on internet usage and information technology.
The U.S. Constitution is the basis for individual rights in the U.S.; privacy rights derive from several parts of the First, Third, Fourth, and Fifth Amendments and from the 14th Amendment's guarantee of due process of law. In common law, the basis is the rule of a reasonable expectation of confidentiality. This reasonable expectation is the fundamental element in U.S. privacy laws, and it extends to the behavior required to protect persons in public and shared spaces, including virtual and digital spaces.
The federal statutes and regulations that control the issue in the U.S. include the Privacy Act of 1974 and the Federal Trade Commission Act (15 U.S.C. §§41-58). The Health Insurance Portability and Accountability Act (HIPAA) covers the collection, use and security of patient health and personal information. Its rules require disclosure of health information policies and the patient's knowledge of and consent to them. HIPAA requires secure handling of information and sets standards for protecting electronic information against cyber risks.
COPPA and Child Protection
The Children's Online Privacy Protection Act (15 U.S.C. §§6501-6506) limits the collection and use of personal information from children online. Child protection for online activity has a separate track in the U.S. and internationally. The focus on child protection involves parental or guardian consent and supervised participation.
State laws confront issues raised by citizens and demands for relief or protection from online intrusions and disclosure risks. California is a leader in the online protection of minors and of consumers more generally. The state passed the "eraser" bill, which enables minors to remove information from online posts and files. It also bars targeting minors with advertising for products prohibited for sale to that age group.
Other areas of regulation include notices of information policy, opt-out of tracking, and protection of reader choices in online libraries. State regulators also focus on notice of information processing policy and required disclosure of the use of that information. Specific public demands include disclosure of the sale of personal information collected online by commercial enterprises, including internet service providers. California Civil Code Division 3, Part 4 is a leading example of provisions that balance commercial use of information with consumer rights. Under Title 181, consumers have extensive powers to obtain details from businesses about the use of their personal information.
Information Processing in the European Union
The basic document controlling EU law in this area is the General Data Protection Regulation (GDPR). The GDPR harmonizes data security laws across the EU membership. The rules become fully enforceable for U.S. companies in May 2018; the new law responds to the massive amounts of personal data that companies collect from consumers, social media, and government sources. The impetus comes from security breaches and cyber intrusions that demonstrate the far-reaching effects of vulnerabilities that go undetected or uncorrected.
Highlights of the new GDPR include the following:
- Enforcement and fines – The new rules permit fines of up to four percent of the violator's total global revenue. This amount can exceed $1 billion for large multinational firms.
- A ban on preteen social media – The new rules ban preteen accounts on social media platforms like Facebook.
- The right to be forgotten – The new rules permit users to demand and obtain full deletion of certain files and information.
US Law Compared to the European Union
Private information practices in the EU have a documentary basis in EU rules and statutes. The rules in the EU are clear and precise; they result from a deliberate administrative process that carries out the consensus of EU nations.
U.S. law, by contrast, evolved over a long period and has many sources, including English common law. It continues to evolve with the pace of innovation in information and telecommunications technology. Some of the more important policies originate with the private sector and the public, such as net neutrality, which has private sector advocates as well as popular support.
Online Information Protections
The internet and social media platforms pose severe challenges to information policies, and they expose billions of people around the globe to forms of malfeasance and exploitation. The EU has standards that restrict information transfer to countries that do not meet the requirements of EU law for safe handling of consumer data. The U.S. is one of the nations that does not meet the EU standards, and a special arrangement between the U.S. government and the EU required U.S. companies to certify compliance with the EU protections when handling information. The prior agreements have been replaced by the GDPR final rules effective May 2018.
EU and US Cooperation on Privacy
The Privacy Shield agreement created a cooperation framework between U.S. and EU rules; it incorporated policy and best practices for fairness to consumers and access to files for the resolution of complaints. As of May 25, 2018, any U.S. firm collecting data on EU persons must meet the requirements of the GDPR. The essence of the new rules is their impact on large firms that routinely collect data. Such firms must reinforce the physical security and cybersecurity of their servers and connections. They must also maintain increased vigilance and promptly report breaches and unintended disclosures.
EU law is stricter and more comprehensive than U.S. law, particularly for firms outside California's coverage. Large firms may find it more efficient to merge all privacy requirements into a single compliance portfolio that includes best practices for their industrial or commercial fields.