Other Privacy Laws to Consider
1. State Laws
Many states now include medical information in their definitions of personal information. Thus, when analyzing a security incident involving patient information, state law must also be considered to ensure that any required notification to affected individuals and state regulators complies with applicable laws. The laws and regulations of the affected individual’s state of residence control when determining notification obligations.
2. California Consumer Privacy Act
California enacted the Consumer Privacy Act of 2018 (CCPA), in part as a response to revelations that Facebook data were shared with the political data firm Cambridge Analytica without users’ knowledge or permission. The law, which will be effective starting Jan. 1, 2020, imposes obligations on businesses that collect and process personal information on California consumers to give those consumers rights to access, delete and restrict certain uses of personal information, among other rights.
Many of the rights afforded to California residents parallel the data subject rights found in the European Union’s (EU’s) General Data Protection Regulation (GDPR). Like the GDPR, the CCPA has a delayed enforcement date to allow affected businesses more time to come into compliance. Under the CCPA, businesses must determine whether they are subject to the law and take all necessary steps to come into compliance. The law does not authorize the attorney general to bring enforcement action until July 1, 2020, or until six months after the publication of final regulations pertaining to the law, whichever occurs first.
3. General Data Protection Regulation
The GDPR is an omnibus data protection regulation that replaced the European Data Protection Directive 95/46/EC. The GDPR relates to the processing of personal data. Personal data means any information related to a natural person (a “data subject” in GDPR parlance) that can be used to directly or indirectly identify the person. This includes names, photos, email addresses, bank details, posts on social networking websites, medical information and computer internet protocol (IP) addresses.
The GDPR also includes specific provisions for sensitive personal data, or “special categories of data,” including passwords for access to information technology (IT) systems and websites, credit card details, Social Security numbers, passport numbers, and genetic and biometric data.
Data processing includes collecting, using, storing, disclosing and discarding.
The GDPR applies to all companies processing personal data of subjects residing in the EU. Specifically, it applies to organizations located within the EU, as well as organizations located outside the EU if they offer goods or services to, or monitor the behavior of, EU data subjects.
The GDPR requires entities that suffer data security breaches to notify the relevant data protection authority within 72 hours of discovery and to notify the affected subjects without undue delay. Data breach notification in the EU is a new requirement.
In the U.S., there is no general federal data breach notification law. Instead, whether notification is necessary depends on the state of residence of the affected individual and/or what information was compromised. Forty-eight states have data breach notification laws, and HIPAA has its own notification requirements for the compromise of protected health information. The already onerous requirements in the U.S. are further complicated by this GDPR requirement.