A Legal Guide to PRIVACY AND DATA SECURITY 2024

that the transfer of personal data from the EU to the United States is not permitted without the business taking extra steps to assure that it adheres to the same privacy principles that exist in Europe. The European Parliament and the Council of the European Union started from the principle that privacy is a fundamental right that must be protected whenever personal data is processed. In the United States, privacy rights are less clear and, as discussed in this Guide, are covered by a patchwork of federal and state laws. Information and data is considered more like a property right (e.g., who owns the data?) in the United States with the idea that a business can generally use the information or data as they desire unless otherwise prevented by a specific law or regulation. Specific informed consent from the individual who is the subject of the data is not always a legal requirement. In the United States, the primary method of obtaining consent to use personal information is for a person to “opt- out” by signifying that they are not interested in participating or receiving any further communications. In Europe personal consent is primarily obtained through an “opt in” by the individual and requires an affirmative acknowledgement and consent by the person for the information to be collected and used.

EU 1995 Data Directive/General Data Protection Regulation

The privacy model developed by the EU was formally expressed in the 1995 EU Data Directive (95/46/EC3) until it was replaced by the EU General Data Protection Regulation (GDPR) in 2018. Under the EU Data Directive, each EU member state established, implemented, and enforced its own regulatory structure consistent with the guidance provided by the EU Directive. The EU Data Directive was, however, not in itself a law applicable to all private citizens. Instead, it served only as a guide to the general content of the national laws adopted by each member state.

136

Made with FlippingBook - Online Brochure Maker