KEYWORDS: data protection, security, America.
ABSTRACT: In the United States of America there is no specific, general law on data protection and management. There are various regulations, but nothing comparable to Europe's General Data Protection Regulation. Throughout the history of U.S. data regulation there have been advances and state laws, but a general law covering all the necessary legal aspects has never been defined.
In the United States of America there is no specific, general law on data protection and management.
There are various regulations, but nothing comparable to Europe's General Data Protection Regulation. Throughout the history of U.S. data regulation there have been advances and state laws, but a general law covering all the necessary legal aspects has never been defined.
Nowadays, in the field of data privacy regulation, there are 4 state-enacted regulations (Florida, Louisiana, Maine, North Dakota), 2 state-passed regulations (California and Nevada) and 25 state regulations pending approval or development. By contrast, in the field of data disposal laws, there are 35 approved state laws and a Puerto Rico regulation.
Accordingly, this short analysis of the different regulations will be useful for comparing some of these laws with the European law in the conclusion.
Nonpublic Personal Information (NPI): This is information collected about an individual in connection with providing a financial product or service, unless that information is publicly available.
Personally Identifiable Information (PII): This is information that can be used to identify, locate or contact an individual, or to distinguish one individual from another.
Personal Health Information (PHI): This is information about an individual's medical and health history, together with the related insurance information.
Personally Identifiable Financial Information (PIFI): This is information used in the banking and finance industries, such as credit card numbers or bank account details, among others.
U.S. National Privacy Act of 1974: Enacted at the dawn of computer database technology, when the main political concern was the potential misuse of personal data collected by the government, a topic widely debated in the U.S. Congress.
The U.S. Privacy Act of 1974 was a milestone in establishing significant rights and limitations on data held by U.S. government agencies. Among its provisions: access to recorded data, so that individuals can know the basis on which it is held; agencies must follow data minimization principles when collecting data, gathering only the minimum necessary and relevant to their purposes; American residents have the right to access any data collected or held about them by government agencies and to obtain a copy of it; residents have the right to correct any errors in that data; and the sharing of data between federal and non-federal agencies is restricted and permitted only under specific conditions, among others.
Many experts consider that the primary intention of the Act was to protect consumer information in the U.S.; nevertheless, although it was pioneering legislation that helped consolidate ideas such as data minimization, the right of access and the right of correction, it is limited to data collected by the U.S. government from its residents.
This Act does not affect private organizations with respect to information recorded on the internet.
In conclusion, the law regulates how federal agencies must manage government records about individuals, and for that reason it requires strict procedures to guarantee the maximum protection of those records. The law also guarantees individuals access to their records for the purposes of disclosure or amendment. Nevertheless, conflicts can arise where records are legally exempt under their governing policy.
Health Insurance Portability and Accountability Act (HIPAA): This Regulation was a landmark in the field of managing health insurance.
It is considered an exceptionally complex law with many legal components, but it covers both data privacy and security. It establishes data confidentiality requirements of the kind found in general privacy regulations (the Privacy Rule).
Health organizations must assess their data and practices and put safeguards in place to restrict unnecessary or improper access, which translates mainly into role-based access to protected health information.
Basically, health information is protected and sensitive health detail, as defined in the Privacy Rule; only the patient and the practitioners can then manage the health information. This translates into full protection of Personal Health Information (PHI).
The Regulation contains a set of rules defining who may see protected health information. In any case, a healthcare provider or insurance agency has permission to use patients' health data where this is for treatment, payment, and healthcare operations.
Nevertheless, using protected health information for advertising or commercial purposes requires explicit authorization.
Gramm-Leach-Bliley Act (GLBA):
This Regulation from the 1990s establishes the set of laws for the banking and finance industries, covering significant information privacy and security requirements. Here it is important to note the concept of Personally Identifiable Financial Information (PIFI).
This Regulation basically covers all “information collected about an individual in connection with providing a financial product or service, unless that information is otherwise publicly available”.
Its protections for personal information are a significant improvement over earlier consumer financial information laws; in that regard, it is essential to analyze the Fair Credit Reporting Act (FCRA).
The FCRA is a federal law from the 1970s that regulated consumer credit information and access to credit reports. The law was intended to address the fairness, accuracy, and privacy of the personal information held in the databases of credit reporting companies.
The GLBA also mainly protects all Nonpublic Personal Information (NPI) and Personally Identifiable Information (PII). Nevertheless, any kind of widely available financial information is exempted.
It is worth noting that banks periodically mail out privacy notices explaining the categories of NPI that are recorded and shared, together with specific opt-out instructions.
This means that the Regulation defines some limited privacy protections, under which customers can ask for their details to be withheld (opt out) if they do not want that data shared with a "non-affiliated" third party.
Nevertheless, in the case of third-party organizations affiliated with insurance agencies or banks, consumers have no legal privacy controls under the Regulation to limit the sharing of NPI. This is a major issue, because the Regulation has no legal mechanism to serve as a model for internet-era privacy law.
Children's Online Privacy Protection Act (COPPA):
The Regulation, enacted in the early 21st century, established the rules for personal data collected from minors.
The Regulation prohibits online organizations from requesting PII from children aged 12 and under unless there is explicit parental consent.
Years ago the scope of the law was extended and the kinds of personal data to be protected were expanded to include email addresses, screen names, photos, audio recordings, and video chat names, among others. Accordingly, sites must take reasonable steps to release children's data only to parties that have mechanisms for keeping the information secure and completely confidential.
These newly recorded aspects helped to strengthen protection regarding the involvement of third parties in the processing of children's data.
ISSUES IN DATA MANAGEMENT LEGISLATION IN COMPARISON WITH EU LAW:
Data protection and management in the European Union is governed by Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the "General Data Protection Regulation", GDPR). This law has applied since May 25, 2018.
The Regulation establishes the regulatory framework that the different European countries develop.
The General Regulation defines personal data as follows: "personal data is information that relates to an identified or identifiable individual. If someone cannot directly identify an individual from that information, someone needs to consider whether the individual is still identifiable. You should take into account the information you are processing together with all the means reasonably likely to be used by either you or any other person to identify that individual."
The GDPR has eleven chapters covering general provisions, general principles, rights of the data subject, duties of data controllers, transfers of personal data, supervisory authorities, cooperation among member states, remedies, liability and penalties for breach of rights, as well as final provisions.
The regulation of data protection in the European legal system through Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the "General Data Protection Regulation") is useful in industrial application. Nowadays, data is one of the essential resources organizations have. The management of data, and its correct reading and use, produces significant advantages for business and operational decisions.
Having an analytical competitive advantage is essential, and organizations go looking for it. Survey results reveal the bottom line: 58% of leading analytics organizations saw a direct relationship between their data analytics activities and a "significant improvement" in their competitive positions. In fact, 60% of these organizations reported revenue growth of over 7%, while more than a quarter of the analytical elite reported revenue growth of over 15%. By contrast, 18% of the organizations called "followers" registered revenue increases below 5%.
In terms of U.S. regulation, outside of businesses based in the U.S., the internet is a deregulated space in which the U.S. government cannot act because of international law. For that reason, U.S. states are finally stepping in with their own information protection laws.
That is why, in the absence of broad consumer protection and/or privacy laws, the U.S. government has no means of acting against companies or individuals who hold confidential information on their own private servers, built on privately owned infrastructure, with any kind of control or access.
To the extent that foreign organizations incorporate subsidiaries in the U.S., those subsidiaries are subject to all U.S. laws, including information security and privacy laws.
The U.S. has focused on federal information security laws related to banking, consumers, or children, among others. That is why many states have started to contribute new legislation.
Nowadays, only three states have an information protection law, that is, a regulation that addresses information access and data management. In that respect, only California, Nevada, and Maine have effectively developed privacy laws.
In this field it is also very important to read in detail the different state laws, such as Californians for Consumer Privacy, the New York Data Privacy Law, the Senate and Assembly Consumer Protection Acts, the Massachusetts Data Privacy Law, or the Minnesota Data Privacy Act, among others.
As a reminder, in the field of data privacy regulation there are 4 state-enacted regulations (Florida, Louisiana, Maine, North Dakota), 2 state-passed regulations (California and Nevada) and 25 state regulations pending approval or development. By contrast, in the field of data disposal laws, there are 35 approved state laws and a Puerto Rico regulation.
This regulation not only helps to define aspects already included in other state and general laws but also reflects various rights from the GDPR and new concepts of its own that can solve many issues in U.S. jurisdictions and with new technologies.
In conclusion, the GDPR, with a single regulation, helps other countries to define a common regulation. It also ensures the option to demand that one's own data be removed from different records, through aspects such as the right to object and rights over data processing. Only a few laws in the U.S. offer some options to be forgotten, such as COPPA (erasing children's data). It is also important to note that the California Consumer Privacy Act (CCPA) allows the consumer to demand the deletion of records, with specific limitations.
As for penalties, under the GDPR they are almost the same in every country subject to the regulation. Nevertheless, in the U.S. there are different penalties depending on the applicable law and its application.
For instance, the CCPA gives companies 30 days to “cure” violations, and failure to address a violation "leads to a civil penalty of up to US$7,500 for each intentional violation and US$2,500 for each unintentional violation". Nevertheless, the New York data privacy law (NYPA) has no defined scope of penalties, leaving all decisions to the court. Accordingly, the court considers how many people were affected, the severity, and the punishment.
In the United States of America, state regulations on data management and protection are increasing. Nowadays, in the field of data privacy regulation, there are 4 state-enacted regulations (Florida, Louisiana, Maine, North Dakota), 2 state-passed regulations (California and Nevada) and 25 state regulations pending approval or development. By contrast, in the field of data disposal laws, there are 35 approved state laws and a Puerto Rico regulation. As well as helping to address new cybersecurity issues, these regulations are helping to develop a comprehensive knowledge of data that benefits organizations from small to large, including learning how organizations should stay abreast of those laws with regard to the possible punishments and penalties under foreign-based laws and for compliance violations.
https://www.justice.gov/opcl/privacy-act-1974 (last accessed August 6, 2020).
https://www.kent.edu/compliance/hipaa (last accessed August 6, 2020).
https://www.ftc.gov/es/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act (last accessed August 6, 2020).
https://www.varonis.com/blog/us-privacy-laws/ (last accessed August 6, 2020).
https://blog.netwrix.com/2019/08/27/data-privacy-laws-by-state-the-u-s-approach-to-privacy-protection/ (last accessed August 6, 2020).
https://blog.netwrix.com/2019/11/05/data-privacy-trends-issues-and-concerns-for-2020/ (last accessed August 6, 2020).
Ebook "10 Questions for Assessing Data Security in the Enterprise". Available at: https://www.netwrix.com/maintain_security_in_nas.html?itm_source=blog&itm_medium=context&itm_campaign=data-privacy&itm_content=none&_ga=2.154812027.211344697.1596969023-1036235742.1596969023
Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data ("General Data Protection Regulation").
Directive (EU) 2016/680 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.
"Age of consent in the GDPR: updated mapping". Available at: https://iapp.org/resources/article/age-of-consent-in-the-gdpr-updated-mapping/ (last accessed May 27, 2020).
European Commission, "Guidelines on the right to data portability", 2017.
"European Parliament legislative resolution of 12 March 2014 on the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)".