EU Data Protection Rules and U.S. Implications

Updated February 7August 9, 2019 EU Data Protection Rules and U.S. Implications Data Privacy and Protection in the United States and Europe U.S. and European citizens are increasingly concerned about ensuring the protection of personal data, especially online. A string of high-profile data breaches at companies such as Facebook and Google have contributed to heightened public awareness. The European Union’s (EU) new Union (EU) policymakers are focusing on protection of personal data with new and proposed legislation and enforcement actions. Data breaches at companies such as Facebook, Google, and Marriott have contributed to heightened public awareness. The EU’s General Data Protection Regulation (GDPR)—which took took effect on May 25, 2018—has drawn the attention of U.S. businesses and other stakeholders, prompting debate on U.S. on U.S. federal and state data privacy and protection policies. Both the United States and the 28-member EU assert that they are committed to upholding individual privacy rights and ensuring the protection of personal data, including electronic data. However, data privacy and protection issues have long been sticking points in U.S.-EU economic and security relations, in part because of differences in U.S. and EU legal regimes and approaches to data privacy. The GDPR highlights some of those differences and poses challenges for U.S. companies doing business in the EU. The United States does not broadly restrict cross-border data flows and has traditionally regulated privacy at a sectoral level to cover certain types of data. The EU considers the privacy of communications and the protection of personal data to be fundamental rights, which are codified in EU law. Europe’s history with fascist and totalitarian regimes informs the EU’s views on data protection and contributes to the demand for strict data privacy controls. The EU regards current U.S. data protection safeguards as inadequate; this has complicated the conclusion of U.S.-EU information-sharing agreements and raised concerns about U.S.-EU data flows. The transatlantic economy is the largest in the world, with goods and services trade of $2.7 billion a day and annual digital services trade of $260 billion. The United States and EU are each other’s largest customers of digitally delivered services exports (see Figure 1). Figure 1. Transatlantic Trade as a Percentage of Digitally-Delivered Service Exports1.2 trillion in 2018. U.S.-EU trade of information and communications technology (ICT) services and potentially ICT-enabled services was over $307 billion in 2017 (see Figure 1). Figure 1. U.S.-EU Trade of ICT and Potentially ICTEnabled (PICTE) Services What Is the GDPR? The GDPR establishes a set of rules for the protection of personal data throughout the EU. It seeks to strengthen individual fundamental rights and facilitate business by ensuring more consistent implementation of data protection rules EU-wide. The EU hopes the GDPR will further develop the EU Digital Single Market (DSM), aimed at increasing harmonization across the bloc on digital policies. The GDPR identifies what is a legitimate basis for data processing and sets out common rules for data retention, storage limitation, and record keeping. The GDPR applies to (1) all businesses and organizations with an EU establishment that process (perform operations on) personal data of individuals (or “data subjects”) in the EU, regardless of where the actual processing of the data takes place; and (2) entities outside the EU that offer goods or services (for payment or for free) to individuals in the EU or monitor the behavior of individuals in the EU. Processing certain sensitive personal data is generally prohibited. Stronger and new data protection requirements in the GDPR grant individuals the right to:  Receive clear and understandable information about who is processing one’s personal data and why;  Consent affirmatively to any data processing;  Access any personal data collected;  Rectify inaccurate personal data;  Erase one’s personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data (the “right to be forgotten”);  Restrict or object to certain processing of one’s data;  Be notified without “undue delay” of a data breach if there is a high risk of harm to the data subject; and  Require the transmission of one’s data to another controller (data portability). The potential high penalties for noncompliance have attracted significant attention, since a company or organization can be fined up to 4% of its annual global turnover or €20 million (whichever is greater). Fines are assessed by the national supervisory authority (a Data Protection Authority, or DPA) in each member state and subject to appeal in national courts. The GDPR also requires some companies to hire data protection officers. Possible Impact on U.S. Companies Source: Kati Suominen “Where the Money Is: The Transatlantic Digital Market," CSIS, October 12, 2017GDPR: Year One Source: Bureau of Economic Analysis interactive data Table 3.3. Many U.S. firms have made and are making changes to comply with the GDPR, such as revising and clarifying user terms of agreement and asking for explicit consent. While it creates creates more requirements on companies that collect or process data, some experts contend that the GDPR may simplify https://crsreports.congress.gov EU Data Protection Rules and U.S. Implications process data, some experts contend that the GDPR may simplify compliance for U.S. firms because the same set of data data protection rules will apply across the EU. Also, companies companies established in the EU that engage in crossborder data cross-border data processing primarily only have to liaise with the supervisory authority of the EU country where the firm is based (the “lead” authority), possibly decreasing administrative costs. However, firms area firm is still subject to oversight and enforcement by the supervisory authority of every country where it does business. The GDPR and U.S.-EU Privacy Shield Under the GDPR, the U.S.-EU Privacy Shield will continue to serve continues to serve as a mechanism to transfer data for U.S. and EU firms that meet meet EU data protection requirements. However, participation Participation by a company in Privacy Shield does not necessarily guarantee full GDPR compliance compliance. A case challenging Privacy Shield’s validity is pending before the EU’s Court of Justice. U.S. firms have voiced several concerns about the GDPR, including the need to construct a compliance bureaucracy and possible high costs for adhering to the GDPR’s requirements. While large firms have the resources to hire consultants and lawyers, it may be harder and costlier for small and mid-sized enterprises (SMEs) to comply, possibly deterring them from entering the EU market and creating a de facto trade barrier. Some U.S. businesses, including several newspaper websites and digital advertising firms, opted to exit the EU market rather than confront the complexities of GDPR. Some U.S. (and European) firms also argue that the industry surveys show that GDPR’s restrictions on the use and sharing of data could limit opportunities for analysis of global data sets and might chill innovation sharing of data may be limiting the development of new technologies and deterring potential mergers and acquisitions. Although the GDPR is directly applicable in EU member states, implementing legislation is required to enact certain parts of the GDPR (e.g., appointment of a supervisory authority; ability to levy penalties). Critics note that the GDPR permits diverging national legislation in specified areas (e.g., employment data) and contend that this could lead to uneven implementation or enforcement. They also note the potential for localization trade barriers in areas where divergence is allowed. Since the GDPR took effect, European DPAs have received a range of GDPR complaints. In the fall of 2018, several GDPR enforcement actions and fines were announced. In January 2019, the French DPA (or CNIL) issued the largest penalty to date for a data privacy breach, imposing a €50 million fine on Google for a “lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.” Analysts contend that the high fine may set a benchmark for future enforcement. Google is appealing the decision. Policy Implications While the United States has traditionally regulated privacy at a sectoral level to cover certain types of data, some U.S. policymakers and Members of Congress are considering whether comprehensive national legislation may be needed to better The EU reports that GDPR has increased European citizens’ awareness of their rights. Since taking effect, European DPAs have received almost 145,000 GDPR complaints and have initiated a range of enforcement actions, including issuing fines. In January 2019, France’s DPA (or CNIL) imposed a €50 million fine on Google for a “lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.” In July 2019, the United Kingdom’s DPA (the ICO) issued the largest penalty to date, imposing a €230 million fine on British Airways for a data breach that affected half a million passenger records, including users’ name, address, login, payment card, and travel booking details. comprehensive national legislation may be needed to better safeguard privacy, especially online. Stakeholders representing consumer and industry groups have issued proposals and frameworks, with some advocating for the United States to adopt an approach similar to GDPR. The United States has played an important role in international discussions and has begun to address data privacy and data flows in recent free trade agreements. With no multilateral rules on cross-bordercrossborder data flows, experts contend that the GDPR may effectively set new global data privacy standards, since companies and organizations will strive for compliance to avoid being shut out of the EU market or penalized, and as other countries mayseek to introduce rules that imitate the modeled on the GDPR. It may also be easier and cheaper for some U.S. companies to apply GDPR protections to all users rather than maintain different policies for different users. Such developments could limit U.S. influence in future trade negotiations on issues related to digital trade and cross-border data flows. In addition to compliance costs, other elements of the GDPR are controversial. For example, the GDPR’s right to trade negotiations such as the ongoing World Trade Organization (WTO) plurilateral negotiations related to digital trade. Other elements of the GDPR are controversial. The GDPR’s right to be forgotten requires data controllers to delete personal data when it is no longer needed or when an individual requests it. Some question whether the right applies only to those accessing the Internet from the EU, or if the GDPR requires that a company delete specific information globally. Another issue is that the GDPR right to erasure could clash with freedom of information, and, for U.S. firms, with the First Amendment. The GDPR includes exceptions and recognizes the need to balance the right to personal data protection with freedom of expression, but advocates worry that Internet companies may be quick to grant erasure requests to avoid possible legal challenges, which, over time, could erode information online. Many stakeholders stakeholders view the GDPR as pitting the “right to be forgotten” against the “right to know.” U.S. officials voice concerns about the GDPR’s impact on the WHOIS database (managed by the Internet Corporation for Assigned Names and Numbers, or ICANN) used by law enforcement and cybersecurity researchers to identify hackers and malicious Internet domains. To comply with the GDPR, ICANN restricted the amount and types of data available on WHOIS, potentially limiting its effectiveness. The GDPR and ePrivacy Regulation The EU is considering a new ePrivacy Regulation to ensure privacy of electronic communications in the digital era that would complement the GDPR’s data protection requirements. The draft regulation would apply torequire traditional telecom providers as well as messaging services such as WhatsApp and SnapChat, require providers to (e.g., WhatsApp and SnapChat) to obtain explicit user consent for online tracking (use of cookies), and limit the amount of time a company can store tracking data. that tracking data may be stored. Some analysts suggest this could hinder the online advertising industry and others dependent on tracking data. Also see, Law Library of Congress, Online Privacy Law (2017 Update), December 2017, https://www.loc.gov/law/help/reports/pdf/2018-015633.pdf dependent on tracking data. The regulation has proved controversial in the EU and remains pending. Policy Implications Also see CRS Report R45584, Data Flows, Online Privacy, and Trade Policy, by Rachel F. Fefer. While the United States has traditionally regulated privacy at a sectoral level to cover certain types of data, in 2018, California passed a consumer privacy law and other states are considering similar legislation. Some U.S. policymakers and Members of Congress are examining whether Rachel F. Fefer, Analyst in International Trade and Finance Kristin Archick, Specialist in European Affairs https://crsreports.congress.gov EU Data Protection Rules and U.S. Implications IF10896 Disclaimer This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress. Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the United States Government, are not subject to copyright protection in the United States. Any CRS Report may be reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you wish to copy or otherwise use copyrighted material. https://crsreports.congress.gov | IF10896 · VERSION 56 · UPDATED