This dissertation examines the risk-based approach to privacy and data protection and the role of information sensitivity within risk management. Determining what information carries the greatest risk is a multi-layered challenge that involves balancing the rights and interests of multiple actors, including data controllers, data processors, and individuals. A comparative analysis of laws and policies in the European Union and the United States highlights similarities and differences not only in how they conceptualize "privacy" and "data protection", but also in how the notion of "risk" is inflected into their privacy and data protection frameworks. Obstacles that may hinder the effective implementation of the risk-based approach to privacy and data protection, such as the difficulty of measuring privacy harms, considering harms to individuals, incorporating public concerns into risk assessments, and dealing with uncertainty, are discussed. Because sensitive information is often associated with risks that are more likely, more severe, or threaten the fundamental rights of individuals (e.g., the risk of discrimination), heightened legal obligations are imposed on entities that process certain types of information deemed to be sensitive in nature. This dissertation points to possible ways forward for re-thinking the concept of sensitive information in risk management. Indeed, prioritizing sensitive information in practice is accompanied by several key challenges. EU and U.S. laws and courts define and interpret sensitive information in divergent ways. Moreover, ubiquitous data collection technologies have increased the amount of sensitive information that is processed, while technological developments have also generated novel forms of potentially sensitive data associated with new privacy threats. Recent technologies enable analytic and data-linking practices by which sensitive information about individuals can be discovered or inferred. Therefore, the risk-based approach to privacy and data protection requires assessing not only the nature of the data, but also how it is used, as well as individual-level attitudes and behaviors regarding privacy and information sharing. Given these dynamics, efforts to provide effective privacy and data protection cannot succeed unless the obstacles inherent to the risk-based approach and the challenges involving sensitive information are addressed in law and policy making across the Atlantic. [The dissertation citations contained here are published with the permission of ProQuest LLC. Further reproduction is prohibited without permission. Copies of dissertations may be obtained by Telephone (800) 1-800-521-0600. Web page: http://www.proquest.com.bibliotheek.ehb.be/en-US/products/dissertations/individuals.shtml.]