Data Protection Directive


Directive 95/46/EC
European Union directive
Title: Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data
Made by: European Parliament and Council
Journal reference: L281, 23 November 1995, p. 31–50
History
Date made: 24 October 1995
Entry into force: 13 December 1995
Implementation date: 24 October 1998
Replaced: 25 May 2018
Preparative texts
Commission proposal: C311, 27 November 1992, p. 30–61
Other legislation
Amended by: Regulation (EC) No 1882/2003
Repealed

The Data Protection Directive, officially Directive 95/46/EC, enacted in October 1995, was a European Union directive which regulated the processing of personal data within the European Union (EU) and the free movement of such data. The Data Protection Directive was an important component of EU privacy and human rights law.

The principles set out in the Data Protection Directive were aimed at the protection of fundamental rights and freedoms in the processing of personal data. [1] The General Data Protection Regulation, adopted in April 2016, superseded the Data Protection Directive and became enforceable on 25 May 2018. [2]

Context

The right to privacy is a highly developed area of law in Europe. All the member states of the Council of Europe (CoE) are also signatories of the European Convention on Human Rights (ECHR). [3] Article 8 of the ECHR provides a right to respect for one's "private and family life, his home and his correspondence", subject to certain restrictions. The European Court of Human Rights has given this article a very broad interpretation in its jurisprudence.

In 1973, American scholar Willis Ware published Records, Computers, and the Rights of Citizens, a report that was to be influential on the directions these laws would take. [4] [5]

In 1980, in an effort to create a comprehensive data protection system throughout Europe, the Organisation for Economic Co-operation and Development (OECD) issued its "Recommendations of the Council Concerning Guidelines Governing the Protection of Privacy and Trans-Border Flows of Personal Data". [6] The seven principles governing the OECD's recommendations for protection of personal data were:

  1. Notice—data subjects should be given notice when their data is being collected;
  2. Purpose—data should only be used for the purpose stated and not for any other purposes;
  3. Consent—data should not be disclosed without the data subject's consent;
  4. Security—collected data should be kept secure from any potential abuses;
  5. Disclosure—data subjects should be informed as to who is collecting their data;
  6. Access—data subjects should be allowed to access their data and make corrections to any inaccurate data;
  7. Accountability—data subjects should have a method available to them to hold data collectors accountable for not following the above principles. [7]

The OECD Guidelines, however, were non-binding, and data privacy laws still varied widely across Europe. The United States, meanwhile, while endorsing the OECD's recommendations, did nothing to implement them within the United States. [7] However, the first six principles were incorporated into the EU Directive. [7]

In 1981, the Member States of the Council of Europe adopted the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) to implement Article 8 of the ECHR. Convention 108 obliges the signatories to enact legislation concerning the automatic processing of personal data, and was modernised and reinforced in 2018 to become "Convention 108+". [8]

In 1989, with German reunification, the data the East German secret police (Stasi) had collected became well known, increasing the demand for privacy in Germany. At the time, West Germany had already had privacy laws since 1977 (Bundesdatenschutzgesetz). The European Commission realized that diverging data protection legislation amongst EU member states impeded the free flow of data within the EU and accordingly proposed the Data Protection Directive.

Content

The directive regulates the processing of personal data regardless of whether such processing is automated or not.

Scope

Personal data are defined as "any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity" (art. 2 a).

This definition is meant to be very broad. Data are "personal data" when someone is able to link the information to a person, even if the person holding the data cannot make this link. Some examples of "personal data" are: address, credit card number, bank statements, criminal record, etc.

The notion of processing means "any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction" (art. 2 b).

The responsibility for compliance rests on the shoulders of the "controller", meaning the natural or artificial person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data (art. 2 d).

The data protection rules are applicable not only when the controller is established within the EU, but whenever the controller uses equipment situated within the EU in order to process data. (art. 4) Controllers from outside the EU, processing data in the EU, will have to follow data protection regulation. In principle, any online business trading with EU residents would process some personal data and would be using equipment in the EU to process the data (i.e. the customer's computer). As a consequence, the website operator would have to comply with the European data protection rules. The directive was written before the breakthrough of the Internet, and to date there is little jurisprudence on this subject.

Principles

Personal data should not be processed at all, except when certain conditions are met. These conditions fall into three categories: transparency, legitimate purpose, and proportionality.

Transparency

The data subject has the right to be informed when his personal data is being processed. The controller must provide his name and address, the purpose of processing, the recipients of the data and all other information required to ensure the processing is fair. (art. 10 and 11)

Data may be processed only if at least one of the following is true (art. 7):

  • when the data subject has given his consent.
  • when the processing is necessary for the performance of or the entering into a contract.
  • when processing is necessary for compliance with a legal obligation.
  • when processing is necessary in order to protect the vital interests of the data subject.
  • when processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed.
  • when processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are over-ridden by the interests for fundamental rights and freedoms of the data subject.

The data subject has the right to access all data processed about him. The data subject even has the right to demand the rectification, deletion or blocking of data that is incomplete, inaccurate or not being processed in compliance with the data protection rules. (art. 12)

Legitimate purpose

Personal data can only be processed for specified explicit and legitimate purposes and may not be processed further in a way incompatible with those purposes. (art. 6 b) The personal data must have protection from misuse and respect for the "certain rights of the data owners which are guaranteed by EU law". [9]

Proportionality

Personal data may be processed only insofar as they are adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed. The data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified. The data shouldn't be kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use. (art. 6)

When sensitive personal data (for example religious beliefs, political opinions, health, sexual orientation, race, membership of past organisations) are being processed, extra restrictions apply. (art. 8)

The data subject may object at any time to the processing of personal data for the purpose of direct marketing. (art. 14)

An algorithm-based decision which produces legal effects or significantly affects the data subject may not be based solely on automated processing of data. (art. 15) A form of appeal should be provided when automatic decision-making processes are used.

Supervisory authority and the public register of processing operations

Each member state must set up a supervisory authority, an independent body that will monitor the data protection level in that member state, give advice to the government about administrative measures and regulations, and start legal proceedings when data protection regulation has been violated. (art. 28) Individuals may lodge complaints about violations to the supervisory authority or in a court of law.

The controller must notify the supervisory authority before he starts to process data. The notification contains at least the following information (art. 19):

This information is kept in a public register.

Transfer of personal data to third countries

Third countries is the term used in legislation to designate countries outside the European Union. Personal data may only be transferred to a third country if that country provides an adequate level of protection of the data. Some exceptions to this rule are provided, for instance when the controller himself can guarantee that the recipient will comply with the data protection rules.

The Directive's Article 29 created the "Working party on the Protection of Individuals with regard to the Processing of Personal Data", commonly known as the "Article 29 Working Party". The Working Party gives advice about the level of protection in the European Union and third countries.

The Working Party negotiated with United States representatives about the protection of personal data; the Safe Harbour Principles were the result. According to critics, the Safe Harbour Principles do not provide for an adequate level of protection, because they contain fewer obligations for the controller and allow the contractual waiver of certain rights.

In October 2015 the European Court of Justice ruled that the Safe Harbour regime was invalid as a result of an action brought by an Austrian privacy campaigner in relation to the export of subscribers' data by Facebook's European business to Facebook in the United States. [10] The US and European Authorities worked on a replacement for Safe Harbour and an agreement was reached in February 2016, leading to the European Commission adopting the EU–US Privacy Shield framework on 12 July 2016. This was likewise found invalid in 2020 and replaced with the EU–US Data Privacy Framework in 2023.

In July 2007, a new, controversial [11] passenger name record (PNR) agreement between the US and the EU was signed. [12]

In February 2008, Jonathan Faull, the head of the EU's Commission of Home Affairs, complained about the United States bilateral policy concerning PNR. [13] [14] The US had signed in February 2008 a memorandum of understanding [15] (MOU) with the Czech Republic in exchange for a visa waiver scheme, without first consulting Brussels. [11] The tensions between Washington and Brussels are mainly caused by the lower level of data protection in the US, especially since foreigners do not benefit from the US Privacy Act of 1974. Other countries approached for bilateral Memoranda of Understanding included the United Kingdom, Estonia, Germany and Greece. [16]

Implementation by the member states

EU directives are addressed to the member states, and are not legally binding for individuals in principle. The member states must transpose the directive into internal law. Directive 95/46/EC on the protection of personal data had to be transposed by the end of 1998. All member states had enacted their own data protection legislation.

Replacement by the General Data Protection Regulation

On 25 January 2012, the European Commission (EC) announced it would be unifying data protection law across a unified European Union via legislation called the "General Data Protection Regulation." The EC's objectives with this legislation included: [17]

The original proposal also dictated that the legislation would in theory "apply for all non-EU companies without any establishment in the EU, provided that the processing of data is directed at EU residents," one of the biggest changes with the new legislation. [17] This change carried on through to the legislation's final approval on 14 April 2016, affecting entities around the world. "The Regulation applies to processing outside the EU that relates to the offering of goods or services to data subjects (individuals) in the EU or the monitoring of their behavior," according to W. Scott Blackmer of the InfoLawGroup, though he added "[i]t is questionable whether European supervisory authorities or consumers would actually try to sue US-based operators over violations of the Regulation." [2] Additional changes include stricter conditions for consent, broader definition of sensitive data, new provisions on protecting children's privacy, and the inclusion of "rights to be forgotten." [2]

The EC then set a compliance date of 25 May 2018, giving businesses around the world a chance to prepare for compliance, review data protection language in contracts, consider transition to international standards, update privacy policies, and review marketing plans.

Comparison with other jurisdictions

Comparison with United States data protection law

As of 2003, the United States has no single data protection law comparable to the EU's Data Protection Directive. [18]

United States privacy legislation tends to be adopted on an ad hoc basis, with legislation arising when certain sectors and circumstances require (e.g., the Video Privacy Protection Act of 1988, the Cable Television Protection and Competition Act of 1992, [19] the Fair Credit Reporting Act, and the 1996 Health Insurance Portability and Accountability Act, HIPAA (US)). Therefore, while certain sectors may already satisfy parts of the EU Directive most do not. [20] The United States prefers what it calls a 'sectoral' approach [21] to data protection legislation, which relies on a combination of legislation, regulation, and self-regulation, rather than governmental regulation alone. [22] [23] Former US President Bill Clinton and former Vice-President Al Gore explicitly recommended in their "Framework for Global Electronic Commerce" that the private sector should lead, and companies should implement self-regulation in reaction to issues brought on by Internet technology. [24]

The reasoning behind this approach has as much to do with American laissez-faire economics as with different social perspectives. [25] The First Amendment of the United States Constitution guarantees the right to free speech. [26] While free speech is an explicit right guaranteed by the United States Constitution, privacy is an implicit right guaranteed by the Constitution as interpreted by the United States Supreme Court, [27] although it is often an explicit right in many state constitutions. [28]

Europe's extensive privacy regulation is justified with reference to experiences under World War II-era fascist governments and post-War Communist regimes, where there was widespread unchecked use of personal information. [29] [30] [31] World War II and the post-War period was a time in Europe when disclosure of race or ethnicity led to secret denunciations and seizures that sent friends and neighbours to work camps and concentration camps. [7] In the age of computers, Europeans' guardedness of secret government files has translated into a distrust of corporate databases, and governments in Europe took decided steps to protect personal information from abuses in the years following World War II. [32] Germany and France, in particular, set forth comprehensive data protection laws. [33]

Critics of Europe's data policies, however, have said that they have impeded Europe's ability to monetize the data of users on the internet and are the primary reason why there are no Big Tech companies in Europe, with most of them instead being in the United States. [34] Furthermore, with Alibaba and Tencent joining the ranks of the world's 10 most valuable tech companies in recent years, [35] even China is moving ahead of Europe in the performance of its digital economy, [36] which was valued at $5.09 trillion in 2019 (35.8 trillion yuan). [37]

Meanwhile, Europe's preoccupation with the US is likely misplaced in the first place, as China and Russia are increasingly identified by European policymakers as "hybrid threat" aggressors, using a combination of propaganda on social media and hacking to intentionally undermine the functioning of European institutions. [38]


Related Research Articles

Information privacy is the relationship between the collection and dissemination of data, technology, the public expectation of privacy, contextual information norms, and the legal and political issues surrounding them. It is also known as data privacy or data protection.

Data Protection Act 1998: United Kingdom legislation

The Data Protection Act 1998 (DPA) was an Act of Parliament of the United Kingdom designed to protect personal data stored on computers or in an organised paper filing system. It enacted provisions from the European Union (EU) Data Protection Directive 1995 on the protection, processing, and movement of data.

Information Commissioner's Office: Non-departmental public body

The Information Commissioner's Office (ICO) is a non-departmental public body which reports directly to the Parliament of the United Kingdom and is sponsored by the Department for Science, Innovation and Technology. It is the independent regulatory office dealing with the Data Protection Act 2018 and the General Data Protection Regulation, the Privacy and Electronic Communications Regulations 2003 across the UK; and the Freedom of Information Act 2000 and the Environmental Information Regulations 2004 in England, Wales and Northern Ireland and, to a limited extent, in Scotland. When they audit an organisation they use Symbiant's audit software.

A privacy policy is a statement or legal document that discloses some or all of the ways a party gathers, uses, discloses, and manages a customer or client's data. Personal information can be anything that can be used to identify an individual, not limited to the person's name, address, date of birth, marital status, contact information, ID issue, and expiry date, financial records, credit information, medical history, where one travels, and intentions to acquire goods and services. In the case of a business, it is often a statement that declares a party's policy on how it collects, stores, and releases personal information it collects. It informs the client what specific information is collected, and whether it is kept confidential, shared with partners, or sold to other firms or enterprises. Privacy policies typically represent a broader, more generalized treatment, as opposed to data use statements, which tend to be more detailed and specific.

Personal data, also known as personal information or personally identifiable information (PII), is any information related to an identifiable person.

Information privacy, data privacy or data protection laws provide a legal framework on how to obtain, use and store data of natural persons. The various laws around the world describe the rights of natural persons to control who is using their data. This usually includes the right to get details on which data is stored and for what purpose, and to request the deletion in case the purpose is not given anymore.

The International Safe Harbor Privacy Principles or Safe Harbour Privacy Principles were principles developed between 1998 and 2000 in order to prevent private organizations within the European Union or United States which store customer data from accidentally disclosing or losing personal information. They were overturned on October 6, 2015, by the European Court of Justice (ECJ), which enabled some US companies to comply with privacy laws protecting European Union and Swiss citizens. US companies storing customer data could self-certify that they adhered to 7 principles, to comply with the EU Data Protection Directive and with Swiss requirements. The US Department of Commerce developed privacy frameworks in conjunction with both the European Union and the Federal Data Protection and Information Commissioner of Switzerland.

Privacy law is a set of regulations that govern the collection, storage, and utilization of personal information from healthcare, governments, companies, public or private entities, or individuals.

European Data Protection Supervisor: Independent supervisory authority

The European Data Protection Supervisor (EDPS) is an independent supervisory authority whose primary objective is to monitor and ensure that European institutions and bodies respect the right to privacy and data protection when they process personal data and develop new policies.

The United States Commission's fair information practice principles (FIPPs) are guidelines that represent widely accepted concepts concerning fair information practice in an electronic marketplace.

The Telecoms Package was the review of the European Union Telecommunications Framework from 2007 – 2009. The objective of the review was to update the EU Telecoms Framework of 2002 and to create a common set of regulations for the telecoms industry across all 27 EU member states. The review consisted of a package of directives addressing the regulation of service provision, access, interconnection, users' contractual rights and users' privacy, as well as a regulation creating a new European regulatory body (BEREC).

The German Bundesdatenschutzgesetz (BDSG) is a federal data protection act, that together with the data protection acts of the German federated states and other area-specific regulations, governs the exposure of personal data, which are manually processed or stored in IT systems.

The Agreement between the United States of America and the European Union on the use and transfer of Passenger Name Records to the United States Department of Homeland Security is an international agreement between the United States of America and the European Union that was signed on 14 December 2011 for the purpose of providing passenger name records (PNR) from air carriers operating passenger flights to the United States Department of Homeland Security to "ensure security and to protect the life and safety of the public".

General Data Protection Regulation: EU regulation on the processing of personal data

The General Data Protection Regulation (abbreviated GDPR, or French RGPD for Règlement général sur la protection des données) is a European Union regulation on information privacy in the European Union (EU) and the European Economic Area (EEA). The GDPR is an important component of EU privacy law and human rights law, in particular Article 8(1) of the Charter of Fundamental Rights of the European Union. It also governs the transfer of personal data outside the EU and EEA. The GDPR's goals are to enhance individuals' control and rights over their personal information and to simplify the regulations for international business. It supersedes the Data Protection Directive 95/46/EC and, among other things, simplifies the terminology.

The right to be forgotten (RTBF) is the right to have private information about a person be removed from Internet searches and other directories in some circumstances. The issue has arisen from desires of individuals to "determine the development of their life in an autonomous way, without being perpetually or periodically stigmatized as a consequence of a specific action performed in the past". The right entitles a person to have data about them deleted so that it can no longer be discovered by third parties, particularly through search engines.

Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González (2014) is a decision by the Court of Justice of the European Union (CJEU). It held that an Internet search engine operator is responsible for the processing that it carries out of personal information which appears on web pages published by third parties.

Data Protection Act, 2012: Legislation by the Parliament of Ghana

The Data Protection Act, 2012 is legislation enacted by the Parliament of the Republic of Ghana to protect the privacy and personal data of individuals. It regulates the process by which personal information is acquired, kept, used or disclosed by data controllers and data processors by requiring compliance with certain data protection principles. Non-compliance with provisions of the Act may attract either civil liability, or criminal sanctions, or both, depending on the nature of the infraction. The Act also establishes a Data Protection Commission, which is mandated to ensure compliance with its provisions, as well as maintain the Data Protection Register.

The EU–US Privacy Shield was a legal framework for regulating transatlantic exchanges of personal data for commercial purposes between the European Union and the United States. One of its purposes was to enable US companies to more easily receive personal data from EU entities under EU privacy laws meant to protect European Union citizens. The EU–US Privacy Shield went into effect on 12 July 2016 following its approval by the European Commission. It was put in place to replace the International Safe Harbor Privacy Principles, which were declared invalid by the European Court of Justice in October 2015. The ECJ declared the EU–US Privacy Shield invalid on 16 July 2020, in the case known as Schrems II. In 2022, leaders of the US and EU announced that a new data transfer framework called the Trans-Atlantic Data Privacy Framework had been agreed to in principle, replacing Privacy Shield. However, it is uncertain what changes will be necessary or adequate for this to succeed without facing additional legal challenges.

The gathering of personally identifiable information (PII) is the practice of collecting public and private personal data that can be used to identify an individual for both legal and illegal applications. PII owners often view PII gathering as a threat and violation of their privacy. Meanwhile, entities such as information technology companies, governments, and organizations use PII for data analysis of consumer shopping behaviors, political preference, and personal interests.

The right of access, also referred to as right to access and (data) subject access, is one of the most fundamental rights in data protection laws around the world. For instance, the United States, Singapore, Brazil, and countries in Europe have all developed laws that regulate access to personal data as privacy protection. The European Union states that: "The right of access occupies a central role in EU data protection law's arsenal of data subject empowerment measures." This right is often implemented as a Subject Access Request (SAR) or Data Subject Access Request (DSAR).

References

  1. Kennedy, Wendy (2020). Data Privacy Law: A Practical Guide (Third ed.). G. E. Kennedy & L. S. P. Prabhu. p. 45. ISBN 978-0-9995127-4-6.
  2. Blackmer, W.S. (5 May 2016). "GDPR: Getting Ready for the New EU General Data Protection Regulation". Information Law Group. InfoLawGroup LLP. Archived from the original on 14 May 2018. Retrieved 22 June 2016.
  3. European External Action Service. "EU accession to the European Convention on Human Rights". European Commission. Retrieved 1 May 2021.
  4. Pfleeger, Charles P.; Pfleeger, Shari Lawrence; Margulies, Jonathan (2015). Security in Computing (PDF). Pearson Education. ISBN 978-0-13-408504-3. Archived from the original (PDF) on 14 July 2015. Retrieved 19 December 2020. Few people recognize Willis [Ware]'s name today; more people are familiar with the European Union Data Protection Directive that is a direct descendant of the report from his committee for the U.S. Department of Human Services. Willis would have wanted it that way: the emphasis on the ideas and not on his name.
  5. Ware, Willis H. (2008). RAND and the information evolution: a history in essays and vignettes (PDF). RAND Corporation. ISBN 978-0-8330-4513-3. Secretary of Health, Education, and Welfare Elliot Richardson had become concerned about the vast amount of personal data that the government held about its citizens. ... He impaneled the Secretary's Advisory Committee on Automated Personal Data Systems to examine the issue and solicited the participation of Willis Ware (who had just completed his tenure with the DSB security activity) as an individual knowledgeable about system security... Ware became chair of the committee that he described to a colleague as 'the most politically balanced group I've worked with. We had young v. mature people, ethnicities of all kinds, lawyers v. non-lawyers, experts v. lay persons, male v. female, politically active individuals v. politically passive ones.' [In] 1972, the committee report was delivered... [It] achieved several significant goals:
    • It conceived and defined the Code of Fair Information Practices, which has become the foundation for personal-information privacy law and privacy doctrine in the United States and worldwide (e.g., the European Union position).
    • The Code set the relationship—one might call it the rules of engagement—between (1) the organizations collecting personal information and the data systems that held it and (2) the individual citizen about whom the personal data had been assembled.
    • It provided the intellectual basis for the Privacy Act of 1974, which, in turn, set the framework for other law.; It created the Privacy Protection Study Commission (PPSC).
    [emphasis added]
  6. Guidelines on the Protection of Privacy and Transborder Flows of Personal Data The Organization for Economic Co-Operation and Development, last modified 5 January 1999.
  7. Shimanek, Anna E. (2001). "Do you Want Milk with those Cookies?: Complying with Safe Harbor Privacy Principles". Journal of Corporation Law. 26 (2): 455, 462–463.
  8. "Modernisation of the Data Protection 'Convention 108'". Council of Europe. Retrieved 9 December 2021.
  9. "Protection of personal data". European Commission.
  10. "Judgement of the Court (Grand Chamber) – 6 October 2015". InfoCuria. 6 October 2015. Retrieved 22 June 2016.
  11. "A divided Europe wants to protect its personal data wanted by the U.S." Rue 89. 4 March 2008.
  12. "New EU-US PNR Agreement on the processing and transfer of Passenger Name Record (PNR) data". Liberty & Security. Archived from the original on 12 January 2012.
  13. Renata Goldirova (14 February 2008). "Brussels attacks new U.S. security demands". EUobserver.
  14. Statewatch newsletter, February 2008
  15. "Memorandum of Understanding Between the Ministry of the Interior of the Czech Republic and the Department of Homeland Security of the United States of America Regarding the United States Visa Waiver Program and Related Enhanced Security Measures" (PDF). State Watch. Retrieved 10 April 2022.
  16. Statewatch, March 2008
  17. "New draft European data protection regime". m law group. 2 February 2012. Archived from the original on 25 March 2016. Retrieved 22 June 2016.
  18. See Julia M. Fromholz, The European Union Data Privacy Directive, 15 Berkeley Tech. L.J. 471, 472 (2000); Dean William Harvey & Amy White, The Impact of Computer Security Regulation on American Companies, 8 Tex. Wesleyan L. Rev. 505 (2002); Kamaal Zaidi, Harmonizing U.S.-EU Online Privacy Law: Toward a U.S. Comprehensive Regime For the Protection of Personal Data, 12 Mich.St. J. Int'l L. 169 (2003).
  19. Legislation, USA (1992). "CABLE TELEVISION CONSUMER PROTECTION AND COMPETITION ACT OF 1992" (PDF). Retrieved 18 March 2010.
  20. Fromholz, supra
  21. Lloyd, Ian J. (2011). Information technology law (6th ed.). Oxford [etc.]: Oxford University Press. p. 26. ISBN 978-0199588749.
  22. Clinton, William J.; Gore Jr., Albert (1 July 1997). "A Framework for Global Electronic Commerce". technology.gov. Archived from the original on 21 December 2006. Retrieved 18 December 2006.
  23. R., Schriver, Robert (20 February 2018). "You Cheated, You Lied: The Safe Harbor Agreement and its Enforcement by the Federal Trade Commission". Fordham Law Review. 70 (6).
  24. Clinton & Gore, supra
  25. Fatema, K. (2016). "A Semi-Automated Methodology for Extracting Access Control Rules from the European Data Protection Directive". 2016 IEEE Security and Privacy Workshops. IEEE Computer Society. Archived from the original on 10 April 2019.
  26. United States Const. amend. I.
  27. See, for example, Roe v. Wade, 410 US 113 (1973)
  28. See, for example, Article 1 of the California Constitution: "All people are by nature free and independent and have inalienable rights. Among these are … privacy."
  29. Ryan Moshell, ...And Then There was one: The Outlook for a Self-Regulatory United States Amidst a Global Trend Toward Comprehensive Data Protection, 37 Tex. Tech. L. Rev. 357, 358
  30. "The History Place – World War II in Europe Timeline: November 9/10 1938 – Kristallnacht, the Night of Broken Glass". historyplace.com.
  31. Kotzker, Jason A. "The Great Cookie Caper: Internet Privacy and Target Marketing at Home and Abroad Notes & Comments 15". St. Thomas Law Review. 15. St. Thomas Law Review 2002–2003: 727.
  32. Marsha Cope Huie, Stephen F. Laribee & Stephen D. Hogan, The Right to Privacy and Person Data: The EU Prods the U.S. and Controversy Continues, 9 Tulsa J. Comp. & Int'l L. 391, 441 (2002)
  33. Id. at footnote 4.
  34. "Fuzzy Anonymity Rules Could Stymie EU's Big Data Sharing Ideas". CPO Magazine. 1 May 2020.
  35. "Beijing's battle to control its homegrown tech giants". TODAYonline.
  36. "DIGITAL ECONOMY REPORT 2019: VALUE CREATION AND CAPTURE: IMPLICATIONS FOR DEVELOPING COUNTRIES" (PDF). unctad.org. 4 September 2019. Retrieved 10 April 2022.
  37. "Value-added of China's digital economy totals 5 trillion USD in 2019: white paper - Xinhua | English.news.cn". www.xinhuanet.com. Archived from the original on 27 October 2020. Retrieved 23 October 2020.
  38. "EU vows tougher response on hybrid threats". POLITICO. 24 July 2020.