In addition to U.S. states like California, some foreign nations have enacted comprehensive data protection legislation. The EU, in particular, has long applied a more wide-ranging data protection regulatory scheme. Whereas privacy principles in the U.S. Constitution focus on government intrusions into private life and U.S. data privacy statutes generally are sector-specific, European privacy regulations have generally concerned any entity’s accumulation of large amounts of data. As a result, foundational EU treaties provide individuals with a general right to “protection of personal data” from all potential interferences. The objective of the EU’s most recent data privacy legislation—the GDPR—is to safeguard this right to personal data protection, while ensuring that data moves freely within the EU.
The GDPR lays out seven guiding principles for the processing of personal data. While these principles are not “hard and fast rules” themselves, they inform the interpretation of the GDPR and its more concrete requirements, discussed below.
1. Lawfulness, fairness, and transparency: Personal data must be processed lawfully, fairly, and in a transparent manner in relation to individuals.
2. Purpose limitation: Personal data should be collected only for specified, explicit, and legitimate purposes, but processing for archiving purposes in the public interest, scientific or historical research, or statistical purposes may comply with this principle.
3. Data minimization: Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which the data is processed.
4. Accuracy: Personal data held by processors and controllers should be accurate and up-to-date, with inaccurate data erased or rectified without delay.
5. Storage limitation: Personal data must be kept in a form that permits the identification of the data subjects for no longer than is necessary, but it may be archived when in the public interest or for scientific and historical research or statistical purposes.
6. Integrity and confidentiality (i.e., data security): Personal data must be processed in a manner that ensures security and protects against unauthorized processing, accidental loss, destruction, or damage.
7. Accountability: Data controllers must be responsible for, and able to demonstrate, compliance with the GDPR’s principles.