The General Data Protection Regulation: What U.S.-Based Companies Need to Know
Saved in:
Published in: | The Business Lawyer 2018-12, Vol.74 (1), p.205-216 |
---|---|
Main authors: | Ducich, Stefan; Fischer, Jordan L. |
Format: | Article |
Language: | eng |
Online access: | Full text |
container_end_page | 216 |
---|---|
container_issue | 1 |
container_start_page | 205 |
container_title | The Business Lawyer |
container_volume | 74 |
creator | Ducich, Stefan; Fischer, Jordan L. |
description | The CJEU held that an IP address is personal data because it is information about an identifiable natural person.16 U.S. courts, to the extent they have addressed the issue, have generally not come to that conclusion unless a statute expressly includes IP addresses within the purview of its protection, of which there are few examples.17 The Health Insurance Portability and Accountability Act of 1996 ("HIPAA")18 and the Children's Online Privacy Protection Act of 1998 ("COPPA")19 are perhaps two of the best known U.S. privacy statutes, both of which have implementing regulations that define IP addresses as protected PII;20 however, the Privacy Act of 1974 currently does not.21 Moreover, an IP address receives no protection under the Fourth Amendment because it is information inevitably shared with third parties.22 So, an IP address would be protected as personal data under the GDPR, but only situationally as PII under a U.S. statute like HIPAA or COPPA; in this way, U.S. privacy law represents a patchwork of protections, where GDPR is broadly more holistic. Because the onus is on data controllers and processors to demonstrate compliance, and the potential penalties that may be levied against them are established based on the relationship between harm and mitigation, the reasoning why a known risk was deemed acceptable should be well documented and included in the breach assessment. [...] the burden is on the controller or processor to demonstrate compliance with the GDPR, and not on the supervisory authorities to prove non-compliance, emphasizing the proactive nature of the GDPR.52 The supervisory authorities are empowered to assess fines that are "effective, proportionate and dissuasive." Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable . . . if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter.65 Thus, a U.S. company that complies with a warrant issued under the SCA, as amended by the CLOUD Act, by transferring personal data from a server in the EU to law enforcement authorities in the United States would be in violation of the GDPR unless grounds for the transfer exist under the GDPR or a mutual legal assistance treaty. |
format | Article |
fulltext | fulltext |
identifier | ISSN: 0007-6899 |
ispartof | The Business Lawyer, 2018-12, Vol.74 (1), p.205-216 |
issn | 0007-6899; 2164-1838 |
language | eng |
recordid | cdi_proquest_reports_2199858559 |
source | Jstor Complete Legacy; HeinOnline Law Journal Library; EBSCOhost Business Source Complete |
subjects | Amicus curiae; Commercial law; Compliance; Data integrity; Data security; Extraterritoriality; General Data Protection Regulation; Health Insurance Portability & Accountability Act 1996-US; Internet service providers; Law; Laws, regulations and rules; Management; Personal information; Privacy Act 1974-US; Right of privacy; Survey—Cyberspace Law |
title | The General Data Protection Regulation: What U.S.-Based Companies Need to Know |
url | https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-30T14%3A41%3A32IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-gale_proqu&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=The%20General%20Data%20Protection%20Regulation:%20What%20U.S.-Based%20Companies%20Need%20to%20Know&rft.jtitle=The%20Business%20Lawyer&rft.au=Ducich,%20Stefan&rft.date=2018-12-22&rft.volume=74&rft.issue=1&rft.spage=205&rft.epage=216&rft.pages=205-216&rft.issn=0007-6899&rft.eissn=2164-1838&rft_id=info:doi/&rft_dat=%3Cgale_proqu%3EA588342343%3C/gale_proqu%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_pqid=2199858559&rft_id=info:pmid/&rft_galeid=A588342343&rft_jstor_id=27171169&rfr_iscdi=true |