Thursday, November 6, 2014

oh no - a high school student asked me to explain what I do in privacy law...

Today, a high school student I mentor asked me to explain my job and privacy law...so I did. My response is below. It may not be academically extraordinary, but it covers the basics...

So in privacy, there are two approaches in law - the U.S. way and the rest of the world's. The U.S. approaches privacy on a sectoral basis - you get a right to privacy of your information depending on the sector. Patients have HIPAA. Students have FERPA. Financial/banking/credit card customers have FCRA, GLBA, etc. A lot of acronyms - but the acronyms are not important. The key is that there is no general right to privacy of your personal information. Almost all states, however, have data breach laws. They are not privacy laws per se, but if certain protections are in place, a breach may not require notification to individuals, state authorities, regulators, etc. Therefore, many companies put these protections in place, which results in some privacy protection as a side effect. 

The rest of the world - not all countries, but a whole lot of them - protects the personal information of all people. In Europe, privacy is a fundamental right. Health information may be subject to more stringent protection, but not because of a law like HIPAA - rather because health information is more sensitive, as are ethnicity, banking information, etc. The European Economic Area has data transfer requirements, which mean that personal information is not permitted to cross European borders unless certain protections are in place. The EU assesses other countries' laws to see if their data protection laws meet the EU standard - if so, the country is deemed adequate and data can be transferred from the EU to that country. Only 14 countries have received an adequacy determination, meaning all other countries have to use a data transfer mechanism. Moving data across borders does not just mean physically; it also means electronically. So a European accessing their email while outside Europe is actually transferring data across the border. When you consider how many companies operate across EU borders (Facebook, Google, Yahoo, LinkedIn, Microsoft, etc.), you understand how significant this is. So the US worked with the EU to create the EU-US Safe Harbor: US companies can self-certify to a set of standards and be deemed adequate the way a country would be. The EU regulators are starting not to like this process, especially in light of the Snowden and NSA scandals last year. But over 3000 US companies rely on it. If you follow the news, you will see a lot about EU data issues involving the "Silicon Valley" companies - it comes down to a difference in philosophy about how personal data should be handled. So it would hurt commerce between the US and EU if the Safe Harbor were eliminated. 

The other transfer mechanisms are the traditional ones (model contract clauses, consent, etc.), which are burdensome to manage, track, review, and actually use on a practical level. The mechanism we went with is BCRs: Binding Corporate Rules. This mechanism is the gold standard for data transfers, because a company must develop policies to protect personal data on many different fronts - only collecting what is strictly needed, protecting individuals' rights to access and correct their data, deleting data when it is no longer needed, training personnel, etc. The data protection authorities in Europe have to review your application and approve it. It is quite lengthy and time-consuming - not to mention what it takes to put all the policies in place to begin with. When we started the process in 2012, there were only 19 companies in the world that had taken this step. We were approved this year (the EU calls a successful application a "closed" application), and there are 60 companies approved now. 

Many other countries have data protection laws, but they differ in many aspects - even though there are foundational similarities. The EU's are considered the most stringent multinational privacy laws. The Asia Pacific countries are currently very active in creating and improving their privacy laws, and South America is also building some impactful laws. Canada and Mexico have really strong privacy laws - and I mention them because they border the US. What companies do in the US, they usually also roll out to Canada and sometimes Mexico. But the privacy requirements are quite different between the US and Canada - and between the US and Mexico. 

... and that is a primer in global privacy law. :)

And yes, I have people who ask exactly what I do that occupies me 40 hours a week. It would be funny if it weren't so sad. I have plenty to keep me busy!