Updated February 7, 2019
EU Data Protection Rules and U.S. Implications

Data Privacy and Protection in the United States and Europe

U.S. and European citizens are increasingly concerned about ensuring the protection of personal data, especially online. A string of high-profile data breaches at companies such as Facebook and Google has contributed to heightened public awareness. The European Union’s (EU) new General Data Protection Regulation (GDPR)—which took effect on May 25, 2018—has drawn the attention of U.S. businesses and other stakeholders, prompting debate on U.S. data privacy and protection policies.

Both the United States and the 28-member EU assert that they are committed to upholding individual privacy rights and ensuring the protection of personal data, including electronic data. However, data privacy and protection issues have long been sticking points in U.S.-EU economic and security relations, in part because of differences in U.S. and EU legal regimes and approaches to data privacy. The GDPR highlights some of those differences and poses challenges for U.S. companies doing business in the EU.

The United States does not broadly restrict cross-border data flows and has traditionally regulated privacy at a sectoral level to cover certain types of data. The EU considers the privacy of communications and the protection of personal data to be fundamental rights, which are codified in EU law. Europe’s history with fascist and totalitarian regimes informs the EU’s views on data protection and contributes to the demand for strict data privacy controls. The EU regards current U.S. data protection safeguards as inadequate; this has complicated the conclusion of U.S.-EU information-sharing agreements and raised concerns about U.S.-EU data flows.

The transatlantic economy is the largest in the world, with goods and services trade of $2.7 billion a day and annual digital services trade of $260 billion. The United States and EU are each other’s largest customers of digitally delivered services exports (see Figure 1).

Figure 1. Transatlantic Trade as a Percentage of Digitally-Delivered Service Exports
Source: Kati Suominen, “Where the Money Is: The Transatlantic Digital Market,” CSIS, October 12, 2017.

What Is the GDPR?

The GDPR establishes a set of rules for the protection of personal data throughout the EU. It seeks to strengthen individual fundamental rights and facilitate business by ensuring more consistent implementation of data protection rules EU-wide. The EU hopes the GDPR will further develop the EU Digital Single Market (DSM), aimed at increasing harmonization across the bloc on digital policies.

The GDPR identifies what is a legitimate basis for data processing and sets out common rules for data retention, storage limitation, and record keeping. The GDPR applies to (1) all businesses and organizations with an EU establishment that process (perform operations on) personal data of individuals (or “data subjects”) in the EU, regardless of where the actual processing of the data takes place; and (2) entities outside the EU that offer goods or services (for payment or for free) to individuals in the EU or monitor the behavior of individuals in the EU. Processing certain sensitive personal data is generally prohibited.

Stronger and new data protection requirements in the GDPR grant individuals the right to:

• Receive clear and understandable information about who is processing one’s personal data and why;
• Consent affirmatively to any data processing;
• Access any personal data collected;
• Rectify inaccurate personal data;
• Erase one’s personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data (the “right to be forgotten”);
• Restrict or object to certain processing of one’s data;
• Be notified without “undue delay” of a data breach if there is a high risk of harm to the data subject; and
• Require the transmission of one’s data to another controller (data portability).

The potential high penalties for noncompliance have attracted significant attention, since a company or organization can be fined up to 4% of its annual global turnover or €20 million (whichever is greater). Fines are assessed by the national supervisory authority (a Data Protection Authority, or DPA) in each member state and are subject to appeal in national courts. The GDPR also requires some companies to hire data protection officers.

Possible Impact on U.S. Companies

Many U.S. firms have made and are making changes to comply with the GDPR, such as revising and clarifying user terms of agreement and asking for explicit consent. While it creates more requirements on companies that collect or process data, some experts contend that the GDPR may simplify compliance for U.S. firms because the same set of data protection rules will apply across the EU. Also, companies established in the EU that engage in cross-border data processing primarily only have to liaise with the supervisory authority of the EU country where the firm is based (the “lead” authority), possibly decreasing administrative costs. However, firms are still subject to oversight and enforcement by the supervisory authority of every country where they do business.

The GDPR and U.S.-EU Privacy Shield

Under the GDPR, the U.S.-EU Privacy Shield will continue to serve as a mechanism to transfer data for U.S. and EU firms that meet EU data protection requirements. However, participation by a company in Privacy Shield does not necessarily guarantee full GDPR compliance.

U.S. firms have voiced several concerns about the GDPR, including the need to construct a compliance bureaucracy and possible high costs for adhering to the GDPR’s requirements. While large firms have the resources to hire consultants and lawyers, it may be harder and costlier for small and mid-sized enterprises (SMEs) to comply, possibly deterring them from entering the EU market and creating a de facto trade barrier. Some U.S. businesses, including several newspaper websites and digital advertising firms, opted to exit the EU market rather than confront the complexities of the GDPR. Some U.S. (and European) firms also argue that the GDPR’s restrictions on the use and sharing of data could limit opportunities for analysis of global data sets and might chill innovation.

Although the GDPR is directly applicable in EU member states, implementing legislation is required to enact certain parts of the GDPR (e.g., appointment of a supervisory authority; ability to levy penalties). Critics note that the GDPR permits diverging national legislation in specified areas (e.g., employment data) and contend that this could lead to uneven implementation or enforcement. They also note the potential for localization trade barriers in areas where divergence is allowed.

Since the GDPR took effect, European DPAs have received a range of GDPR complaints. In the fall of 2018, several GDPR enforcement actions and fines were announced. In January 2019, the French DPA (or CNIL) issued the largest penalty to date for a data privacy breach, imposing a €50 million fine on Google for a “lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.” Analysts contend that the high fine may set a benchmark for future enforcement. Google is appealing the decision.

Policy Implications

While the United States has traditionally regulated privacy at a sectoral level to cover certain types of data, some U.S. policymakers and Members of Congress are considering whether comprehensive national legislation may be needed to better safeguard privacy, especially online. Stakeholders representing consumer and industry groups have issued proposals and frameworks, with some advocating for the United States to adopt an approach similar to the GDPR. The United States has played an important role in international discussions and has begun to address data privacy and data flows in recent free trade agreements. With no multilateral rules on cross-border data flows, experts contend that the GDPR may effectively set new global data privacy standards, since companies and organizations will strive for compliance to avoid being shut out of the EU market or penalized, and other countries may introduce rules that imitate the GDPR. It may also be easier and cheaper for some U.S. companies to apply GDPR protections to all users rather than maintain different policies for different users. Such developments could limit U.S. influence in future trade negotiations on issues related to digital trade and cross-border data flows.

In addition to compliance costs, other elements of the GDPR are controversial. For example, the GDPR’s right to be forgotten requires data controllers to delete personal data when it is no longer needed or when an individual requests it. Some question whether the right applies only to those accessing the Internet from the EU, or if the GDPR requires that a company delete specific information globally. Another issue is that the GDPR right to erasure could clash with freedom of information and, for U.S. firms, with the First Amendment. The GDPR includes exceptions and recognizes the need to balance the right to personal data protection with freedom of expression, but advocates worry that Internet companies may be quick to grant erasure requests to avoid possible legal challenges, which, over time, could erode information online. Many stakeholders view the GDPR as pitting the “right to be forgotten” against the “right to know.”

U.S. officials voice concerns about the GDPR’s impact on the WHOIS database (managed by the Internet Corporation for Assigned Names and Numbers, or ICANN), used by law enforcement and cybersecurity researchers to identify hackers and malicious Internet domains. To comply with the GDPR, ICANN restricted the amount and types of data available on WHOIS, potentially limiting its effectiveness.

The GDPR and ePrivacy Regulation

The EU is considering a new ePrivacy Regulation to ensure privacy of electronic communications in the digital era that would complement the GDPR’s data protection requirements. The draft regulation would apply to traditional telecom providers as well as messaging services such as WhatsApp and SnapChat, require providers to obtain explicit user consent for online tracking (use of cookies), and limit the amount of time a company can store tracking data. Some analysts suggest this could hinder the online advertising industry and others dependent on tracking data.

Also see Law Library of Congress, Online Privacy Law (2017 Update), December 2017, https://www.loc.gov/law/help/reports/pdf/2018-015633.pdf

Rachel F. Fefer, Analyst in International Trade and Finance
Kristin Archick, Specialist in European Affairs

https://crsreports.congress.gov


IF10896


Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to
congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress.
Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has
been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the
United States Government, are not subject to copyright protection in the United States. Any CRS Report may be
reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include
copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you
wish to copy or otherwise use copyrighted material.

https://crsreports.congress.gov | IF10896 · VERSION 5 · UPDATED