The General Data Protection Regulation: What U.S.-Based Companies Need to Know


Detailed description

Saved in:
Bibliographic details
Published in: The Business Lawyer 2018-12, Vol. 74 (1), p. 205-216
Main authors: Ducich, Stefan; Fischer, Jordan L.
Format: Article
Language: eng
Subjects:
Online access: Full text
Description
Summary: The CJEU held that an IP address is personal data because it is information about an identifiable natural person.[16] U.S. courts, to the extent they have addressed the issue, have generally not come to that conclusion unless a statute expressly includes IP addresses within the purview of its protection, of which there are few examples.[17] The Health Insurance Portability and Accountability Act of 1996 ("HIPAA")[18] and the Children's Online Privacy Protection Act of 1998 ("COPPA")[19] are perhaps two of the best known U.S. privacy statutes, both of which have implementing regulations that define IP addresses as protected PII;[20] however, the Privacy Act of 1974 currently does not.[21] Moreover, an IP address receives no protection under the Fourth Amendment because it is information inevitably shared with third parties.[22] So, an IP address would be protected as personal data under the GDPR, but only situationally as PII under a U.S. statute like HIPAA or COPPA; in this way, U.S. privacy law represents a patchwork of protections, whereas the GDPR is broadly more holistic. Because the onus is on data controllers and processors to demonstrate compliance, and the potential penalties that may be levied against them are established based on the relationship between harm and mitigation, the reasoning why a known risk was deemed acceptable should be well documented and included in the breach assessment. [...] the burden is on the controller or processor to demonstrate compliance with the GDPR, and not on the supervisory authorities to prove non-compliance, emphasizing the proactive nature of the GDPR.[52] The supervisory authorities are empowered to assess fines that are "effective, proportionate and dissuasive." Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable . . . if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter.[65] Thus, a U.S. company that complies with a warrant issued under the SCA, as amended by the CLOUD Act, by transferring personal data from a server in the EU to law enforcement authorities in the United States would be in violation of the GDPR unless grounds for the transfer exist under the GDPR or a mutual legal assistance treat
ISSN: 0007-6899, 2164-1838