The EU–U.S. Privacy Shield decision was adopted on July 12, 2016, and the Privacy Shield framework became operational on August 1, 2016. This framework protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States for commercial purposes. It allows the free transfer of data to companies that are certified in the United States under the Privacy Shield.
The framework includes:
- Strong data protection obligations on companies receiving personal data from the EU
- Safeguards on U.S. government access to data
- Effective protection and redress for individuals
- An annual joint review by the EU and the U.S. to monitor the correct application of the arrangement
Health Insurance Portability and Accountability Act (HIPAA)
In the U.S., the Health Insurance Portability and Accountability Act of 1996 requires the U.S. Department of Health and Human Services (HHS) to adopt national standards for electronic health care transactions and national identifiers for providers, health plans, and employers. Protected health information can be stored via cloud computing under HIPAA.
The HHS issued the Privacy Rule to implement the requirements of HIPAA. The Privacy Rule standards address the use and disclosure of individuals’ health information by organizations subject to the Privacy Rule as well as standards for individuals’ rights to understand and control how their health information is used. The Privacy Rule strikes a balance that permits important uses of information, while protecting the privacy of people who seek care and healing. Given that the health care marketplace is diverse, the Privacy Rule is designed to be flexible and comprehensive enough to cover the variety of uses and disclosures that need to be addressed.
Gramm–Leach–Bliley Act (GLBA)
The Gramm–Leach–Bliley Act (also known as the Financial Modernization Act of 1999) is a federal law enacted in the United States to control the ways that financial institutions deal with the private information of individuals. The Act consists of three sections:
- The Financial Privacy Rule: Regulates the collection and disclosure of private financial information
- The Safeguards Rule: Stipulates that financial institutions must implement security programs to protect such information
- The Pretexting Provisions: Prohibit the practice of pretexting (accessing private information using false pretenses)
GLBA also requires financial institutions to give customers written privacy notices that explain their information-sharing practices.
Charter of Fundamental Rights of the European Union
In Article 8 under the heading Protection of personal data, the Charter of Fundamental Rights of the European Union states:
- Everyone has the right to the protection of personal data concerning him or her.
- Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
- Compliance with these rules shall be subject to control by an independent authority.