The Correlation Between GDPR and HIPAA: Understanding Two Critical Data Privacy Frameworks

Both GDPR and HIPAA are key regulations focused on protecting sensitive data. GDPR applies to personal data of EU residents, while HIPAA governs healthcare data in the U.S. Organisations must comply with both for international operations.


GDPR vs HIPAA: What's the Difference?

Data and privacy have become the lifeblood of our digital society. From social media interactions to health records, organisations collect, analyse, and store vast amounts of sensitive information about individuals every day.

As awareness of the potential risks associated with widespread data usage grows, so does the public’s—and regulators’—demand for robust protection of personal information. Two main regulations in this arena are the General Data Protection Regulation (GDPR) in the European Union (EU) and the Health Insurance Portability and Accountability Act (HIPAA) in the United States.

Although GDPR and HIPAA arise from different jurisdictions and have unique scopes, they share the overarching goal of safeguarding individuals’ personal information.

Understanding their correlation—and their differences—is critical for any business, especially those operating internationally or handling health data across borders.

A Snapshot of GDPR

The General Data Protection Regulation (GDPR) is the European Union’s landmark data privacy law that took effect on 25 May 2018. Considered one of the strictest frameworks of its kind, the GDPR governs how organisations collect, process, store, and share personal data of EU residents. The regulation applies not only to companies based in EU member states, but also to any organisation, worldwide, that offers goods or services to EU residents or monitors their behaviour. GDPR’s broad reach significantly raised the bar on data protection standards globally.

The key principles of GDPR revolve around lawfulness, fairness, and transparency in data processing. It also mandates data minimisation—only collecting the data truly necessary for a specific purpose—and requires organisations to maintain accuracy, integrity, and confidentiality of that data.

Consent is paramount under GDPR; data subjects must give explicit, informed consent for how organisations use their information. Violations can result in steep fines of up to €20 million or 4% of a company’s annual global turnover, whichever is higher. These penalties have propelled data privacy to the top of corporate risk management agendas worldwide.

A Snapshot of HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. Congress in 1996, primarily to modernise the flow of healthcare information and to ensure that personally identifiable information (PII) maintained by the healthcare and health insurance sectors remains protected against fraud and theft.

Over the years, additional rules were introduced under HIPAA—such as the Privacy Rule, Security Rule, and the Breach Notification Rule—that more specifically dictate how protected health information (PHI) should be handled.

HIPAA is unique in its focus on the healthcare sector, regulating hospitals, clinics, insurance providers, and other healthcare-related entities (as well as their “business associates,” i.e., vendors and partners with access to PHI).

The HIPAA Privacy Rule lays out patients’ rights over their health information, such as access to their medical records and control over how their data is shared. Meanwhile, the Security Rule sets minimum standards for safeguarding electronic PHI, and the Breach Notification Rule details the steps organisations must take in case of unauthorised disclosures of PHI. Non-compliance can lead to financial penalties ranging from thousands to millions of dollars, depending on the severity and nature of the violations.

Overlapping Objectives

Despite their different legislative contexts and scopes, GDPR and HIPAA share several common objectives. At the broadest level, both are driven by a commitment to protect individuals’ privacy. GDPR aims to preserve the fundamental right to personal data protection within the EU, whereas HIPAA focuses on ensuring the confidentiality and integrity of patient health data.

In practice, both regulations require organisations to be transparent about data use, implement sound security safeguards, and respond promptly to data breaches.

Under GDPR, data subjects have a right to know how, when, and where their data is processed.

Under HIPAA’s Privacy Rule, patients have similar rights regarding their medical records. Both regulations also have strict breach notification requirements, mandating that affected individuals (and, in some cases, government authorities) be notified of data breaches within a specific timeframe.

Differences in Scope

Although GDPR and HIPAA share common threads, they differ significantly in scope. GDPR casts a wide net over all personal data of EU residents—whether it’s their email address, phone number, IP address, or even cookie data related to online behaviour.

By contrast, HIPAA’s purview is narrower. It only applies to “covered entities” (healthcare providers, health plans, and healthcare clearinghouses) and their business associates, and it focuses specifically on protected health information.

This divergence leads to interesting compliance challenges for healthcare organisations operating internationally. A hospital in the EU must adhere to GDPR for all patient data. If it also processes data from American patients, HIPAA could come into play as well, especially if it has partnerships with U.S.-based entities.

Companies that manage global clinical trials likewise may find themselves juggling both frameworks, as participants might come from multiple jurisdictions with distinct data protection rules.

Consent stands at the heart of GDPR. The regulation imposes stringent requirements for obtaining valid consent, ensuring it is freely given, specific, informed, and unambiguous.

Data controllers must detail every purpose for which the data will be used, and data subjects have the right to withdraw consent at any time. On top of that, GDPR codifies the rights of data subjects, such as the right to access, rectify, erase, and port their data.

HIPAA, on the other hand, does address patient consent—particularly regarding how protected health information is shared. However, HIPAA also allows for disclosures without explicit patient authorisation for treatment, payment, and healthcare operations. While GDPR demands more explicit permissions, HIPAA’s rules are narrower and primarily revolve around uses of health-related data.

Data Security and Organisational Measures

Another important correlation between GDPR and HIPAA is their emphasis on data security. Both regulations demand that organisations implement administrative, physical, and technical safeguards to ensure data confidentiality, integrity, and availability.

Under GDPR, data controllers must assess risk levels and adopt measures like encryption, pseudonymisation, and ongoing testing of security controls. HIPAA’s Security Rule is similarly structured—demanding safeguards ranging from secure access controls to robust encryption policies for ePHI.

But there are areas where HIPAA and GDPR diverge. For instance, while HIPAA’s Security Rule outlines specific required and addressable specifications (like unique user IDs, emergency access procedures, audit controls, etc.), GDPR is more principle-based. It does not lay out explicit technical prescriptions.

Instead, it expects organisations to assess the risks and implement “appropriate” measures. The challenge for companies is to reconcile both sets of requirements if they fall under both jurisdictions—ensuring they comply with the prescriptive elements of HIPAA while meeting GDPR’s more flexible, albeit stringent, principles.

Breach Notification Requirements

Under the GDPR, organisations must report personal data breaches to their relevant Supervisory Authority within 72 hours of becoming aware of a breach. If the breach results in a high risk to the rights and freedoms of individuals, those affected must also be notified promptly. This short timeframe amplifies the importance of strong internal incident response processes and thorough record-keeping.

HIPAA sets forth a similarly strict but slightly different structure. Covered entities must notify individuals affected by a breach of unsecured protected health information without unreasonable delay and in no case later than 60 days after discovery. Additionally, if a breach affects more than 500 residents of a state or jurisdiction, media outlets must also be notified, along with the Secretary of the U.S. Department of Health and Human Services.

While the timelines differ, both frameworks emphasise the need for rapid identification, assessment, and communication regarding data breaches, reflecting a shared commitment to transparency and accountability.

International Transfers and Data Sharing

GDPR specifically outlines rules around the transfer of personal data outside the EU. It restricts transfers to countries deemed to have inadequate data protection, unless certain safeguards—like Standard Contractual Clauses or Binding Corporate Rules—are in place.

Meanwhile, HIPAA is primarily concerned with safeguarding PHI, regardless of geographic boundaries, and does not have explicit “international transfer” clauses. However, healthcare organisations handling cross-border data may need to navigate GDPR’s transfer requirements in addition to HIPAA’s disclosure restrictions.

This dynamic is particularly relevant for multinational healthcare organisations that rely on cloud service providers or telemedicine solutions spanning multiple countries.

They need to ensure that both GDPR’s and HIPAA’s rules are respected, a task that can become quite complex. Thorough data mapping, contract reviews, and privacy impact assessments often form the backbone of effective compliance in such scenarios.

Below is a comparative table that outlines key aspects of both the GDPR and HIPAA. This concise overview can help you quickly identify where the regulations overlap and where they differ.

Best Practices for Dual Compliance

For organisations that find themselves subject to both GDPR and HIPAA, developing a cohesive compliance strategy is essential. Here are a few best practices:

  1. Conduct Comprehensive Risk Assessments
    Start by assessing all data flows and identifying any regulatory requirements that apply to each stage of the data lifecycle. This includes mapping where personal and protected health information is stored, processed, and transferred.
  2. Develop Clear Privacy Notices
    Ensure that all patient and data subject-facing communications clearly articulate how and why data is processed. Incorporate GDPR’s requirements for transparency and HIPAA’s mandated patient rights into a single, coherent privacy notice if possible.
  3. Implement Robust Security Measures
    Both regulations call for strong administrative, physical, and technical safeguards. Encryption, access controls, and employee training are foundational steps. Maintain incident response plans that address the specific breach reporting timelines and processes under both regulations.
  4. Establish a Culture of Compliance
    Data protection and privacy are not solely IT issues. They require a company-wide commitment. Regularly train employees on GDPR and HIPAA principles, conduct audits, and foster collaboration between legal, compliance, and IT teams.
  5. Monitor and Update Regularly
    The regulatory landscape can shift quickly. Remain vigilant to legal updates, new guidance from EU data protection authorities, and evolving interpretations of HIPAA rules. Regular reviews and updates to policies help maintain compliance continuity.

Conclusion

While GDPR and HIPAA emerged from different legal, cultural, and regulatory environments, their shared aim to protect individuals’ sensitive information creates a strong correlation.

GDPR covers the full spectrum of personal data for EU residents, championing their right to control and understand how their data is used. HIPAA focuses on safeguarding the privacy and security of American patients’ health information in a highly specialised context.

For organisations that handle health-related data spanning both jurisdictions, compliance requires careful navigation of these two robust frameworks. Meeting GDPR’s principle-based approach while fulfilling HIPAA’s more prescriptive guidelines can seem daunting, but ultimately, the two regulations reinforce each other’s emphasis on accountability, transparency, and individual rights.
