First, it helps ensure that your business complies with federal and state privacy laws and regulations. U.S. privacy law consists of various sectoral rules imposing obligations and standards on companies, based on the type of data they handle and the scope of their business. If your business handles personal health information, for example, you should make sure that you are processing that information in compliance with the Health Insurance Portability and Accountability Act (HIPAA). The same holds true for many other types of sensitive information, such as financial data or information relating to children.
The New E.U. Requirements
This leads us to the most recent changes on privacy in the E.U. The system of protections afforded by the new E.U. GDPR establishes stricter requirements for businesses handling personal information of individuals in the E.U. The Regulation will codify the right to be forgotten set forth by the CJEU in the 2014 Costeja case, and it aims to reinforce the system of protections regarding the processing and free movement of personal data.
First, the GDPR will impose many substantial restrictions on data processing. Article 6 establishes the grounds for processing data, and generally provides that companies cannot process personal data unless they obtain consent from the individual, or unless processing such data is necessary for legitimate or vital purposes as delineated in the Regulation. Article 7 then sets the conditions for consent to data processing: where consent is given in a written declaration, it must be clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language. Further, under Article 9, processing special categories of personal data—sensitive data such as that revealing race or ethnicity, religion or beliefs, or genetic, health or sex life—is expressly prohibited unless specific and stringent exceptions apply.
After data has been processed, the Regulation provides individuals with additional rights. Article 15 creates a right of access for the data subject—made more effective by the right to data portability, which imposes a duty on businesses to keep data in a format that is readily accessible to data subjects—and Article 16 affords individuals a right to rectification. Individuals can request correction of inaccuracies in personal data concerning them, and they may also request the completion of incomplete personal data.
These provisions are indicia of how privacy in the E.U. is seen as a general affirmative right to control personal information, rather than merely as a shield to wield occasionally against companies dealing with particularly sensitive data in specific sectors, as in the U.S. The notion of the right to protection of personal data as control over information about oneself has far-reaching implications and may be interpreted expansively by E.U. courts. As a result, your business should interpret data protection requirements expansively, from the point of view of E.U. individuals, in order to avoid liability.