Within the United States, privacy law is a mixture of local and national statutes and common law principles of torts. Financial institutions, insurance companies, data brokers, healthcare providers and health business associates are subject to sector-specific laws. Commercial enterprises are governed by general principles of honesty and fairness in trade and, increasingly, by civil and potentially criminal liability.
At the federal level, the Federal Trade Commission enforces federal law on unfair trade practices by bringing cases against companies for false security claims, the failure to maintain adequate security safeguards, and the failure to abide by privacy representations. The FTC has also brought cases challenging violations of the sector-specific laws that protect sensitive information.
At the state level, approximately 40 states have security breach notification laws. The California law is one of the most expansive, including a right of civil action against covered enterprises that fail to notify of a covered security breach.
Internationally, unlike the law on commercial transactions in goods and services, the law of privacy and data protection has no global treaty that sets the standards for businesses that must have commercial access to personal information, health information or other non-public information. The European Union has adopted a data privacy directive that is implemented by Data Protection Authorities (DPAs) in each EU member state.
To avoid conflicts of law governing international data transfers, the U.S. and the EU have entered into an agreement for voluntary certification by U.S. businesses receiving EU personal information to submit to the EU requirements and become subject to U.S. enforcement. Such safe harbor compliance can provide substantial comfort to businesses that need to receive such EU personal information.
Because of the territorial nature of laws, some compliance problems can be avoided by not having data sent to a foreign jurisdiction for processing. In the case of U.S. data processed in the EU, the EU Data Protection Directive will generally apply to the US-origin EU-processed data, even though the data originated in the U.S.
© Copyright 2004-2008 Bierce & Kenerson, P.C.℠
Attorney Advertising.