Practice Area
briefings
sponsored content graciously presented by Sullivan & Worcester LLP
Data Privacy Laws Around the World
Common Themes and Development of a Strategic Plan for Compliance
By Laura Stacey
The Complex Nature of Data Privacy Laws
Collecting personal information from individuals, whether they are customers, employees, patients or even children, has in many ways never been easier. With 21st-century technology and the global reach of the Internet, massive amounts of data can be collected, stored and transported around the globe with immense speed. At the same time, ensuring compliance with the myriad data privacy laws currently in effect, and keeping abreast of new legislation and pending changes and revisions, has never been more complicated.
Data privacy is such a complex issue partly because the notion of an individual’s right to privacy, what that means and how it should be regulated and protected, varies around the world. We only need to compare the frameworks of the United States and the European Union to gain a quick understanding of how different these approaches can be.
The United States generally addresses data privacy in a patchwork fashion, regulating by industry and subject matter at both the federal and state levels. The three major federal privacy laws in the United States govern the following types of information: financial information (regulated by the Gramm-Leach-Bliley Act), health information (regulated by the Health Insurance Portability and Accountability Act or “HIPAA”) and information related to children (regulated by the Children’s Online Privacy Protection Act). State laws may also be subject matter specific, such as those governing consumer credit information or school records, or they may be comprehensive, such as California’s Online Privacy Protection Act, which applies to all operators of commercial websites that collect personal information from CA residents. In contrast, the European Union takes a comprehensive approach, establishing broad protections for residents of Member States. In the European Union, the General Directive guides all Member States, and each Member State enacts its own legislation. In both the United States and the EU, revisions, amendments and new legislation are always on the horizon, as each system struggles to remain relevant with advances in technology and cultural demands for greater and greater privacy protection.
While the data privacy laws of the United States and the European Union may be the most significant for many businesses, truly global corporations cannot stop there. They may also need to consider the data privacy laws of Australia, Canada, Latin America, the Caribbean, Asia, Africa and the Middle East, to name just a few. There may be as many as 100 data privacy laws applicable to a global corporation in one form or another at any given time.
However, within this complex
global framework there are many