Privireal Home Page Privacy in Research, Ethics and Law
"examining the implementation of the Data Protection Directive 95/46/EC
in relation to medical research and the role of ethics committees"

United States - Data Protection

History of Data Protection in the UNITED STATES

The USA has no comprehensive data protection legislation. Although it endorsed the 1980 OECD Guidelines on the Protection of Privacy, the USA has not implemented them domestically. Instead, a sectoral approach is used: a mix of legislation, regulation and self-regulation, each covering a particular industry or type of data. The introduction of Directive 95/46/EC could therefore have restricted the ability of US organisations to exchange personal data with their European counterparts, because the Directive prohibits the transfer of personal data to non-EU states that do not meet its "adequacy" standard for the protection of privacy.

As a result, the US Department of Commerce developed the "Safe Harbour" scheme in consultation with the European Commission. It offers a method by which US organisations can comply with the Directive. The European Commission approved Safe Harbour in July 2000. Organisations that sign up to the scheme are treated as offering 'adequate' protection under the terms of the Directive, enabling transfers between those organisations and European organisations to proceed lawfully.

Summary of Data Protection in the UNITED STATES

Title of Data Protection Legislation: N/A

Name of supervisory authority: N/A

General powers of supervisory authority: There is no supervisory authority. From the US Department of Commerce Safe Harbor website: "The decision by U.S. organizations to enter the safe harbor is entirely voluntary. Organizations that decide to participate in the safe harbor must comply with the safe harbor's requirements and publicly declare that they do so. To be assured of safe harbor benefits, an organization needs to self certify annually to the Department of Commerce in writing that it agrees to adhere to the safe harbor's requirements, which includes elements such as notice, choice, access, and enforcement. It must also state in its published privacy policy statement that it adheres to the safe harbor. The Department of Commerce will maintain a list of all organizations that file self certification letters and make both the list and the self certification letters publicly available. To qualify for the safe harbor, an organization can (1) join a self-regulatory privacy program that adheres to the safe harbor's requirements; or (2) develop its own self regulatory privacy policy that conforms to the safe harbor."

Organisations that wish to adhere to Safe Harbour must comply with its seven principles: notice, choice, onward transfer, access, security, data integrity and enforcement (see the Safe Harbor website for details). Enforcement of Safe Harbour is carried out primarily by the private sector. Private-sector self-regulation and enforcement is backed up, where required, by government enforcement of federal and state unfair and deceptive practices statutes. This gives Safe Harbour the force of law.

Who has standing to notify the supervisory authority of breaches? N/A

What are the penalties for data controllers if they breach the law? N/A

Have any provisions been made for the processing of a national identification number or a general identifier, as per Article 8(7)? There is no general identifier in the USA.

Is it necessary to obtain consent before processing personal data, or are alternatives available even when obtaining consent would not be impracticable or inappropriate? N/A

Does the Data Protection Legislation cover the deceased? N/A

Who is able to indirectly identify the data subject? N/A

Laws and Regulations

Institutions