European Union General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is an EU regulation (Regulation (EU) 2016/679) that gives individuals in the European Union greater control over their personal data. It governs how organizations collect, store, process, and transmit the personal data of people who are in the EU, whether or not they are EU citizens. The GDPR and the GDPR right to be forgotten are discussed below.

For comparison, the HIPAA Privacy Rule protects individually identifiable health information. The information that receives this protection is known as protected health information, or PHI. Under the Privacy Rule, covered entities must implement safeguards to protect PHI from unauthorized use or disclosure. A separate rule, the HIPAA Security Rule, requires covered entities and their business associates to implement administrative, physical, and technical safeguards that ensure the confidentiality, integrity, and availability of ePHI (electronic protected health information).

The GDPR contains its own set of rules. These rules also regulate particular entities and protect certain information, but the entities regulated and the information protected differ from those covered by HIPAA. Generally, the GDPR is broader in scope than HIPAA: it applies to all personal data about any data subject, held by any organization in scope, whereas HIPAA applies only to PHI held by covered entities and their business associates. As a result, the GDPR gives individuals more control over their personal data than HIPAA gives patients over their PHI.

What is “Personal Data” Under the GDPR?

Under the GDPR, personal data is any information relating to an identified or identifiable natural person, known as a data subject. A data subject is any person whose personal data is collected, held, or processed. Personal data can be anything from a name or home address to posts on social media.

Data subjects are identifiable if they can be directly or indirectly identified. Names, identification numbers, and location data all constitute “personal data.” In addition, personal data includes:

  • Telephone numbers
  • Credit card numbers
  • Addresses
  • License plate numbers
  • Customer numbers

Characteristics that express the physical, physiological, genetic, mental, economic, cultural, or social identity of a natural person are also regarded as “personal data” (Article 4(1)).

What Entities Does the GDPR Regulate?

The entities regulated by the GDPR, that is, the entities subject to its privacy requirements, include organizations established in the EU that process personal data, regardless of whether the processing itself takes place in the EU (Article 3(1)).

Organizations established outside the EU are also subject to the GDPR if they process the personal data of data subjects who are in the EU and the processing relates to offering goods or services to those data subjects (paid or not) or to monitoring their behavior within the EU (Article 3(2)). Residence or citizenship is not the test; the data subject's presence in the EU is.

Broadly speaking, the GDPR gives data subjects enforceable rights against processing that the law considers unlawful or unfair. Consent is one of the lawful bases for processing listed in Article 6, alongside others such as performance of a contract, compliance with a legal obligation, protection of vital interests, performance of a public-interest task, and the controller's legitimate interests. An organization therefore does not always need consent, but it must be able to point to one of these lawful bases for every processing activity, and which basis it relies on affects whether the data subject can later demand erasure.

The GDPR Right to be Forgotten

Article 17 of the GDPR provides for what is known as the right to erasure. This right is also known as the GDPR right to be forgotten. Under it, data subjects have the right to have their personal data erased without undue delay under certain circumstances.

When Does the GDPR Right to be Forgotten Apply?

The GDPR regulates data controllers and data processors. A data controller determines the purposes and means of processing personal data, whereas a data processor processes personal data on behalf of the controller. The erasure obligation falls on the controller, which must in turn instruct its processors. Under Article 17(1), a data subject has a GDPR right to be forgotten, that is, to have their personal data erased, if:

  • The personal data is no longer necessary for the purpose for which the organization originally collected or processed it.
  • The organization relies on the individual's consent as the lawful basis for processing, the individual withdraws that consent, and there is no other lawful basis for the processing.
  • The organization relies on legitimate interests (or a public-interest task) as its justification, the individual objects to the processing, and there are no overriding legitimate grounds for the organization to continue.
  • The organization processes the personal data for direct marketing purposes and the individual objects to that processing.
  • The organization processed the personal data unlawfully.
  • The personal data must be erased to comply with a legal obligation under EU or member-state law to which the organization is subject.
  • The personal data was collected in connection with the offer of information society services directly to a child (Article 8(1)).

The right is not absolute. Article 17(3) provides that it does not apply where the processing is necessary for, among other things, compliance with a legal obligation, reasons of public interest in the area of public health, archiving or research purposes, or the establishment, exercise, or defence of legal claims. A healthcare provider that is required by national law to retain medical records for a set period can therefore decline an erasure request for those records while the retention obligation lasts. Outside such obligations, however, a provider may not hold patient data indefinitely and must erase it on request when one of the grounds above applies.

Is the Right to be Forgotten Similar to Any Provisions of HIPAA?

The right to erasure (in other words, the right to be forgotten) is a concept that the HIPAA regulations do not address. Neither the HIPAA Privacy Rule, nor the HIPAA Security Rule, nor any other provision of HIPAA gives an individual a right to have their PHI or ePHI erased. The Privacy Rule does give patients a right of access to their PHI and a right to request amendment of it (45 CFR 164.524 and 164.526), but not a right to deletion. Patient records stored by hospitals, medical offices, or other covered entities therefore need not be erased simply because the patient asks, and a written authorization from the patient consenting to erasure does not create an obligation to erase. Retention periods for those records are set by HIPAA's own documentation requirements (six years for required policies and records of compliance) and, for the medical records themselves, by state law.