NEW GLOBAL DEVELOPMENTS IN DATA PROTECTION AND PRIVACY REGULATIONS: COMPARATIVE ANALYSIS OF EUROPEAN UNION, UNITED STATES, AND RUSSIAN LEGISLATION.

Author: Fiero, Anne Wright

Contents

I. Introduction
II. EU Regulations
  A. Overview of the GDPR
  B. Other Novel Concepts Introduced in the GDPR
  C. GDPR Fines and Their Significance for Global Business
  D. Other EU Industry-Specific Data Privacy Regulations
    1. Healthcare
    2. Artificial Intelligence
III. United States Regulations
  A. U.S. Constitution
  B. Federal Laws
    1. Overview
    2. Government Access, Use, and Storage of Personal Data
    3. Private Access, Use, Sale, and Storage of Personal Data
    4. Children's Personal Data
    5. Artificial Intelligence
    6. Big Data
  C. State Regulations
IV. Russian Data Privacy Regulations
  A. Russian Constitution
  B. General Privacy Regulation
  C. Industry-Specific Laws
    1. Healthcare
    2. Artificial Intelligence
    3. Big Data
  D. Liability
V. Global Cross-Border Transmission of Personal Data
VI. International Treaties
VII. Conclusion

I. INTRODUCTION

    Privacy is a fundamental human right recognized in constitutions, international treaties, and national legislation around the globe. The era of globalization and rapid technology development highlights multiple risks to privacy rights. Such developments make it more important than ever to enact legal frameworks for data protection on a national and global scale. Fully applicable across the European Union (EU) as of May 2018, the General Data Protection Regulation (GDPR) is the most comprehensive and progressive piece of data protection legislation in the world. (1)

    The intent of this Article is to provide an overview of EU, U.S., and Russian data privacy regulations, as influenced by the GDPR and the countries' respective cultural and business traditions of privacy. (2) More specifically, we explore how the historical, cultural, legal, business, and political traditions in each country have shaped the laws and regulations in their respective jurisdictions. As described in Part III, the U.S. approach tends to be ad hoc and focused on concepts like personal freedom and non-interference by the state. Explored in Parts II and IV, the more uniform European approach tends to focus on the dignity of individuals and their protection--not only against the state but also against private companies and other individuals. In the last few years, U.S. society has focused more closely on data privacy concepts, with recent scrutiny on credit history checks, social media networks, and sharing other attributes of everyday American life, concepts that have long been considered invasive for many Europeans. The European privacy mentality has also been largely influenced by its historical and political systems, such as European monarchies, the Nazi regime in Germany, and the totalitarian regime in the Soviet Union, under all of which disclosure of personal information could lead to severe consequences and prosecutions. Thus, protection of private information is ingrained in European society.

    In Part V, we touch on specific areas of privacy regulations, such as the cross-border transmission of data which presents multiple unique privacy-related challenges. Finally, we conclude by inviting the adoption of a more consistent, globalized regulatory approach to data protection.

II. EU REGULATIONS

    For several decades, the EU has been a pioneer in privacy and data protection. The right to data protection and the right to privacy are two distinct human rights recognized in the Charter of Fundamental Rights of the European Union, the Treaty on the Functioning of the EU (TFEU), and other EU regulations. Article 8 of the Charter of Fundamental Rights of the European Union declares:

    [E]veryone has the right to the protection of personal data concerning him or her. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. Compliance with these rules shall be subject to control by an independent authority. (3)

    TFEU, Article 16 declares:

    1. Everyone has the right to the protection of personal data concerning them.

    2. The European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data. Compliance with these rules shall be subject to the control of independent authorities. (4)

Likewise, the EU Data Protection Directive of 1995 (Directive 95/46/EC) was the first European instrument to declare the necessity of balancing the free circulation of information among EU countries against guarantees of human rights protection, including the protection of personal data. (5) The Directive, which required implementation in each Member State's national legislation, satisfied the needs of the economy and technology of 1995. (6) However, the rapid technological changes of recent years have demanded a heightened and more uniform level of protection.

On May 25, 2018, the Regulation of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, known as the GDPR, became applicable, replacing the former EU legislation on personal data. (7) On account of the global nature of business, including Internet-based and cloud-computing businesses, the effects of the GDPR have been felt far beyond the borders of the EU.

A. Overview of the GDPR

The GDPR, unlike the former Directive 95/46/EC, is directly effective in all Member States without the need for national implementing legislation. (8) "Direct effect" is a core principle of the application of EU law. (9) Under this principle, private individuals as well as legal entities can protect their rights by relying on provisions of EU law directly before national courts. (10) The main objectives of the GDPR are the protection of privacy in the processing of personal data, the free movement of personal data, (11) and the unification of European law governing the processing of personal data. (12) The GDPR applies to organizations engaged in "professional or commercial activity"; purely personal or household processing by individuals falls outside its scope. (13)

        Article 4(1) of the GDPR defines personal data as:

[A]ny information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. (14)

Article 4(2) defines processing as "any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction." (15) The definition is deliberately broad: merely storing or consulting personal data is processing, so the obligations of the GDPR attach to an organization even if it never actively "uses" the data.

The controller, under Article 4(7), is a natural or legal person, public authority, agency, or other body that alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller, or the specific criteria for its nomination, may be provided for by Union or Member State law. (16) The processor, under Article 4(8), is a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller. (17) The distinction matters in practice because the controller bears primary responsibility for compliance, while the processor acts only on the controller's documented instructions.

Apart from these definitions, the GDPR codifies in Article 5 the principles governing the processing of personal data: lawfulness; (18) fairness; (19) transparency; (20) collection for specified, explicit, and legitimate purposes (purpose limitation); (21) data minimization, meaning data that are adequate, relevant, and limited to what is necessary; (22) accuracy, with data kept up to date where necessary; (23) and processing in a manner that ensures appropriate security of the personal data (integrity and confidentiality). (24)

B. Other Novel Concepts Introduced in the GDPR

Significant novel concepts introduced in the GDPR include extraterritorial jurisdiction, (25) the right to be forgotten (erasure), (26) and stricter rules for obtaining consent. (27) Article 3 of the GDPR defines its territorial scope as follows:

1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law. (28)

Based on the above, the GDPR affects not only companies established within the territory of the EU, but also non-EU companies offering goods or services to individuals in the EU, and companies monitoring the behaviour of individuals while they are in the EU. Note that the test is the location of the data subject, not citizenship: an EU citizen abroad is not covered on that basis, while a non-EU national visiting the EU is. Recital 23 of the GDPR identifies factors indicating that a company is targeting the EU market, such as the "use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or...
