Information privacy involves the establishment of rules that govern the collection, use and handling of personal data. However, what is meant by personal data, and how it is protected, can vary drastically from law to law and county to country. What constitutes personal data often directly correlates with the scope of the law that protects the information in question.
Most privacy laws outside the United States are “omnibus privacy laws” that protect all types of personal data. These laws specify permitted uses of personal data and establish the conditions under which it is legitimate and lawful to process it. They are often supplemented by sectoral laws, for example for the protection of health care data.
The United States, on the other hand, does not yet have a national law that protects all categories of personal data, and instead has opted for a sectoral approach. It relies on a patchwork of state and federal laws that regulate some – but not all – categories of personal data. These laws tend to create limits on what can be done with the personal data collected, but there is little limitation on what can be collected. In most cases, all uses of personal data are permitted unless a law or regulation specifically prohibits them. In addition, the Federal Trade Commission and State Attorneys General play a significant role in defining acceptable practices.
Data privacy cannot exist without keeping data secure. Adequate security measures are necessary to protect the authenticity, confidentiality and integrity of information. Measures designed to provide data security are generally grouped in three categories: physical security measures, administrative security measures, and technical security measures. Data security laws tend to require companies to implement appropriate security safeguards. In addition, an increasing number of countries are adopting security breach disclosure laws that require entities to notify government agencies and the affected individuals, when a breach of security has caused the theft or unauthorized disclosure of personal data.
Attorneys working in the field of privacy and data security law help companies navigate the often-complex requirements of privacy and data security laws. They advise companies on a wide range of privacy and data security measures, assisting companies in ensuring that their data collection and processing practices, data transfer procedures, privacy policies, and marketing activities are compliant with the relevant domestic, international, privacy, and data security regulations and laws.