Data Privacy in the US and Privacy Shield
Data privacy is of utmost importance to governments across the world; it is about protecting the rights of citizens over their information and governing how that information is collected, stored, used, and managed. The information that organizations collect in the course of their business can be highly sensitive. Beyond citizens' names, addresses, and contact details, examples include healthcare information and financial information such as credit card details.
Protecting this data matters because it can be misused in many ways, including identity theft, fraud, stalking, and harassment. Many such incidents have had serious repercussions, including large financial losses for organizations and governments across the world, and this led to stringent data privacy laws being put in place. While each country or region implements them through different mechanisms, the underlying objective is the same: to protect citizens' rights over how their data is collected, stored, used, and managed.
The GDPR, enacted in the European Union, is a good example of how the EU ensures this. The GDPR does not just cover the EU region; it applies to every entity that collects and processes the data of EU citizens. The US also has stringent data privacy laws; the difference is that the US has no single federal law that applies across the spectrum in the way the GDPR does. Instead, most privacy laws are at the state level and may differ in their definitions and application.
Also, there are federal laws linked to data privacy for specific industry verticals like:
- Patient information in healthcare – Health Insurance Portability and Accountability Act (HIPAA)
- Minors' data protection – Children’s Online Privacy Protection Act (COPPA)
- Banking and finance – Gramm-Leach-Bliley Act (GLBA)
- Students' personal information – Family Educational Rights and Privacy Act (FERPA)
- Consumer information – Fair Credit Reporting Act (FCRA)
- US Privacy Act of 1974
Apart from these, at the state level most states have adopted laws covering data breaches, data disposal, and data privacy in some form. Examples of such state-level data privacy laws include the California Consumer Privacy Act (CCPA), the New York Consumer Privacy Act (NYPA), the Massachusetts Standards for The Protection of Personal Information of Residents of the Commonwealth (201 CMR 17.00), and the Minnesota Government Data Practices Act (Minn. Stat. § 13).
US Privacy Act of 1974
This law governs how federal agencies handle citizens’ data: citizens are given the right to know about, see, and request correction of information that government agencies hold on them. Agencies are also bound by certain principles when collecting information, and only employees with a ‘need to know’ are given access to it.
This law is complemented by each of the sector-specific laws mentioned above, as well as by the state-level laws, which together cover the basic principles of data privacy for categories of data such as:
- Personally Identifiable Information (PII), which includes identification and contact information such as name, address, and social security number.
- Personal Health Information (PHI), which covers personal health information, medical history, insurance details, and so on.
- Personally Identifiable Financial Information (PIFI), which includes citizens’ bank account, credit card, and similar information.
- Student details, which cover grades, transcripts, and other academic records.
The Privacy Shield program, administered by the International Trade Administration (ITA) within the U.S. Department of Commerce, is defined on its website as follows:
The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce and the European Commission and Swiss Administration to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.
The audiences of this program include US businesses, European businesses, EU and Swiss individuals, and data protection authorities. The program provides a framework for each of these entities to ensure that the data transferred outside the EU is adequately protected, based on the compliance requirements laid out by the program. EU and Swiss individuals can also use it to understand how participating US entities protect and handle their data.
Additionally, the data protection authorities in the EU have access to a dedicated contact who acts as a liaison with them, which helps address any queries about the Privacy Shield program. A participation list is available on the website, listing each participating entity along with its certification details and data privacy coverage.
Participation in the Privacy Shield program is voluntary, and organizations can opt out of it at any time. However, once an organization opts in and makes the public commitment to comply with the Framework requirements, that commitment becomes enforceable under U.S. law. According to the details on the website, only U.S. legal entities subject to the jurisdiction of the Federal Trade Commission (FTC) or the Department of Transportation (DOT) are eligible to participate in Privacy Shield. An organization joins by working through the requirements provided and sending a self-certification submission to the Department of Commerce.
The Privacy Shield website lays out a clear step-by-step process that organizations need to follow to self-certify, with an FAQ to assist at every step. A withdrawal process is likewise detailed for organizations that choose to withdraw from the program. The information on the website is comprehensive, and the program also provides assistance services for dispute resolution, outreach and education, and participation.