Every privacy promise, from the regulator.

Article 32(1) — Security of processing

“the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk… the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.”

Note. EUR-Lex is the canonical EU regulator source but does not serve per-article fragment anchors. The UK post-Brexit retained version on legislation.gov.uk is substantively identical for this article and provides a scrollable deep link.

Enforcement on record. Meta Platforms Ireland Limited, May 2023: €1.2B fine under GDPR Article 46 for international data transfers. Amazon Europe, July 2021: €746M fine. The underlying audit evidence both companies produced was a standard query against their own internal logs.

§1798.100(e) — Reasonable security

“A business that collects a consumer’s personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure…”

Note. California’s leginfo site does not serve sub-section fragment anchors. The URL lands on the full text of §1798.100 — the quoted clause is subsection (e). The text-fragment link jumps directly to the quoted sentence in browsers that support the W3C Text Fragments spec.

Articles 9 & 54 — Handler responsibility; self-audit

“Personal information handlers shall bear responsibility for their personal information handling activities, and adopt the necessary measures to safeguard the security of the personal information they handle… Personal information handlers shall regularly engage in audits of their personal information handling and compliance with laws and administrative regulations.”

Note. The official text is Mandarin. The English text shown here is from the Stanford DigiChina translation, which is the most widely cited English rendering but is not the law. The amended Cybersecurity Law (effective January 2026) adds AI governance provisions that intersect with PIPL Article 24.

CC6.1 — Logical and physical access controls

“The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity’s objectives.”

Note. SOC 2 is not a statute — it is a private-sector audit framework published by the AICPA. A SOC 2 Type II report is prepared by a CPA firm paid by the audited company and shared under NDA with enterprise customers. The data subject is never a party to the audit.

45 CFR §164.502(b)(1) — Minimum necessary

“When using or disclosing protected health information or when requesting protected health information from another covered entity or business associate, a covered entity or business associate must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.”

Enforcement on record. OCR HIPAA enforcement: hundreds of settlements since 2003, cumulative penalties exceeding $140M. Most high-profile curiosity-read cases never produced a user-visible audit trail — the OCR found out because a human tipped them off.

45 CFR §164.312(b) — Audit controls

“Standard: Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”

45 CFR §164.408(c) — Notification to the Secretary

“A covered entity shall, following the discovery of a breach of unsecured protected health information… notify the Secretary… If a breach involves less than 500 individuals, the covered entity… shall maintain a log or other documentation of such breaches.”

42 CFR §2.16 — Security for records

“The Part 2 program or other lawful holder of patient identifying information must have in place formal policies and procedures to reasonably protect against unauthorized uses and disclosures of patient identifying information and to protect against reasonably anticipated threats or hazards to the security of patient identifying information.”

Note. 42 CFR Part 2 is the strictest federal privacy rule in the United States — substance use disorder records cannot even be disclosed to other healthcare providers without explicit patient consent, in contrast to HIPAA’s treatment-payment-operations exception.

16 CFR §314.4(c)(1) — Access controls

“Implement and periodically review access controls, including technical and, as appropriate, physical controls to… authenticate and permit access only to authorized users to protect against the unauthorized acquisition of customer information…”

Req. 7.1 — Need-to-know access / Req. 10 — Monitor access

“Processes and mechanisms for restricting access to system components and cardholder data by business need to know are defined and understood… Log and monitor all access to system components and cardholder data.”

Note. PCI DSS v4.0 is distributed as a click-through-licensed PDF — deep links into the full text are not supported. The verbatim sentences above are from Requirements 7.1 and 10 as published in the official v4.0 specification. PCI DSS is administered by the PCI Security Standards Council, a consortium of the major card networks, and assessed by a Qualified Security Assessor under NDA.

23 NYCRR §500.7 — Access privileges (as amended 2023)

“limit user access privileges to information systems that provide access to nonpublic information to only those necessary to perform the user’s job… periodically, but at a minimum annually, review all user access privileges and remove or disable accounts and access that are no longer necessary.”

Note. Text shown is the amended version from the Nov 2023 rule change, which took full effect May 1, 2025. The original 2017 rule had less specific language; the amendment tightened it.

Article 9(4)(c) — Protection and prevention

“implement policies that limit the physical or logical access to information assets and ICT assets to what is required for legitimate and approved functions and activities only, and establish to that end a set of policies, procedures and controls that address access rights and ensure a sound administration thereof.”

Note. DORA entered into application on 17 January 2025 and is the newest major financial-sector regulation in Europe. "Legitimate" here rhymes exactly with FERPA’s "legitimate educational interest" — two regulations, four decades apart, two continents, same load-bearing word.

34 CFR §99.31(a)(1)(i)(A) — Legitimate educational interest

“The disclosure is to other school officials, including teachers, within the agency or institution whom the agency or institution has determined to have legitimate educational interests.”

Note. The school is the sole arbiter of which of its employees has a "legitimate educational interest." The student has no access log to challenge the determination — and universities across the US know this, which is why three of them have added a line to their own notices that reads like a confession. See the pull quote below.

Article 12(1) — Record-keeping

“High-risk AI systems shall technically allow for the automatic recording of events (logs) over the lifetime of the system.”

Note. The Article 12 text is short because it is the stake in the ground — the *automatic* qualifier is the load-bearing word. A log written by software that can be disabled by the same team being audited is not "automatic" in any meaningful sense. Full application for high-risk AI systems is August 2, 2026; penalties for record-keeping failures reach €15M or 3% of global annual turnover, whichever is higher (Article 99).

Enforcement on record. Article 99(5): non-compliance with record-keeping obligations triggers administrative fines up to €15M or 3% of total worldwide annual turnover for the preceding financial year, whichever is higher. Full application for high-risk AI systems: August 2, 2026.

Article 19(1) — Automatically generated logs

“Providers of high-risk AI systems shall keep the logs referred to in Article 12(1), automatically generated by their high-risk AI systems, to the extent such logs are under their control, for a period appropriate to the intended purpose of the high-risk AI system, of at least six months, unless provided otherwise in the applicable Union or national law.”

Note. Article 19 is the retention counterpart to Article 12 — the two must be read together. Article 12 creates the logging obligation; Article 19 forbids the provider from throwing the logs away for at least six months. "Under their control" is doing load-bearing work: it excludes logs a deployer generated on their own infrastructure, but includes everything a provider touches as part of operating the system.

Enforcement on record. Same Article 99(5) ceiling as Article 12: up to €15M or 3% of global annual turnover. Financial-sector providers (Article 19(2)) may satisfy the obligation by keeping logs as part of documentation already kept under Union financial services law.