Updated August 9, 2019

EU Data Protection Rules and U.S. Implications

Data Privacy and Protection in the United States and Europe

U.S. and European Union (EU) policymakers are focusing on protection of personal data with new and proposed legislation and enforcement actions. Data breaches at companies such as Facebook, Google, and Marriott have contributed to heightened public awareness. The EU’s General Data Protection Regulation (GDPR)—which took effect on May 25, 2018—has drawn the attention of U.S. businesses and other stakeholders, prompting debate on U.S. federal and state data privacy and protection policies.

Both the United States and the 28-member EU assert that they are committed to upholding individual privacy rights and ensuring the protection of personal data, including electronic data. However, data privacy and protection issues have long been sticking points in U.S.-EU economic and security relations, in part because of differences in U.S. and EU legal regimes and approaches to data privacy. The GDPR highlights some of those differences and poses challenges for U.S. companies doing business in the EU.

The United States does not broadly restrict cross-border data flows and has traditionally regulated privacy at a sectoral level to cover certain types of data. The EU considers the privacy of communications and the protection of personal data to be fundamental rights, which are codified in EU law. Europe’s history with fascist and totalitarian regimes informs the EU’s views on data protection and contributes to the demand for strict data privacy controls. The EU regards current U.S. data protection safeguards as inadequate; this has complicated the conclusion of U.S.-EU information-sharing agreements and raised concerns about U.S.-EU data flows.

The transatlantic economy is the largest in the world, with goods and services trade of $1.2 trillion in 2018. U.S.-EU trade of information and communications technology (ICT) services and potentially ICT-enabled services was over $307 billion in 2017 (see Figure 1).

Figure 1. U.S.-EU Trade of ICT and Potentially ICT-Enabled (PICTE) Services

Source: Bureau of Economic Analysis interactive data Table 3.3.

What Is the GDPR?

The GDPR establishes a set of rules for the protection of personal data throughout the EU. It seeks to strengthen individual fundamental rights and facilitate business by ensuring more consistent implementation of data protection rules EU-wide. The EU hopes the GDPR will further develop the EU Digital Single Market (DSM), aimed at increasing harmonization across the bloc on digital policies.

The GDPR identifies what is a legitimate basis for data processing and sets out common rules for data retention, storage limitation, and record keeping. The GDPR applies to (1) all businesses and organizations with an EU establishment that process (perform operations on) personal data of individuals (or “data subjects”) in the EU, regardless of where the actual processing of the data takes place; and (2) entities outside the EU that offer goods or services (for payment or for free) to individuals in the EU or monitor the behavior of individuals in the EU. Processing certain sensitive personal data is generally prohibited.

Stronger and new data protection requirements in the GDPR grant individuals the right to:

• Receive clear and understandable information about who is processing one’s personal data and why;
• Consent affirmatively to any data processing;
• Access any personal data collected;
• Rectify inaccurate personal data;
• Erase one’s personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data (the “right to be forgotten”);
• Restrict or object to certain processing of one’s data;
• Be notified without “undue delay” of a data breach if there is a high risk of harm to the data subject; and
• Require the transmission of one’s data to another controller (data portability).

The potential high penalties for noncompliance have attracted significant attention, since a company or organization can be fined up to 4% of its annual global turnover or €20 million (whichever is greater). Fines are assessed by the national supervisory authority (a Data Protection Authority, or DPA) in each member state and subject to appeal in national courts. The GDPR also requires some companies to hire data protection officers.

GDPR: Year One

Many U.S. firms have made changes to comply with the GDPR, such as revising and clarifying user terms of agreement and asking for explicit consent. While it creates more requirements on companies that collect or process data, some experts contend that the GDPR may simplify
compliance for U.S. firms because the same set of data protection rules apply across the EU. Also, companies established in the EU that engage in cross-border data processing primarily only have to liaise with the supervisory authority of the EU country where the firm is based (the “lead” authority), possibly decreasing administrative costs. However, a firm is still subject to oversight and enforcement by the supervisory authority of every country where it does business.

The GDPR and U.S.-EU Privacy Shield

Under the GDPR, the U.S.-EU Privacy Shield continues to serve as a mechanism to transfer data for U.S. and EU firms that meet EU data protection requirements. Participation by a company in Privacy Shield does not necessarily guarantee full GDPR compliance. A case challenging Privacy Shield’s validity is pending before the EU’s Court of Justice.

U.S. firms have voiced several concerns about the GDPR, including the need to construct a compliance bureaucracy and possible high costs for adhering to the GDPR’s requirements. While large firms have the resources to hire consultants and lawyers, it may be harder and costlier for small and mid-sized enterprises (SMEs) to comply, possibly deterring them from entering the EU market and creating a de facto trade barrier. Some U.S. businesses, including several newspaper websites and digital advertising firms, opted to exit the EU market rather than confront the complexities of GDPR. Some industry surveys show that GDPR’s restrictions on the use and sharing of data may be limiting the development of new technologies and deterring potential mergers and acquisitions.

Although the GDPR is directly applicable in EU member states, implementing legislation is required to enact certain parts of the GDPR (e.g., appointment of a supervisory authority; ability to levy penalties). Critics note that the GDPR permits diverging national legislation in specified areas (e.g., employment data) and contend that this could lead to uneven implementation or enforcement. They also note the potential for localization trade barriers in areas where divergence is allowed.

The EU reports that GDPR has increased European citizens’ awareness of their rights. Since taking effect, European DPAs have received almost 145,000 GDPR complaints and have initiated a range of enforcement actions, including issuing fines. In January 2019, France’s DPA (or CNIL) imposed a €50 million fine on Google for a “lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.” In July 2019, the United Kingdom’s DPA (the ICO) issued the largest penalty to date, imposing a €230 million fine on British Airways for a data breach that affected half a million passenger records, including users’ name, address, login, payment card, and travel booking details.

Policy Implications

While the United States has traditionally regulated privacy at a sectoral level to cover certain types of data, in 2018, California passed a consumer privacy law and other states are considering similar legislation. Some U.S. policymakers and Members of Congress are examining whether comprehensive national legislation may be needed to better safeguard privacy, especially online. Stakeholders representing consumer and industry groups have issued proposals, with some advocating for the United States to adopt an approach similar to GDPR. The United States has played an important role in international discussions and has begun to address data privacy and data flows in recent free trade agreements. With no multilateral rules on cross-border data flows, experts contend that the GDPR may effectively set new global data privacy standards, since companies and organizations will strive for compliance to avoid being shut out of the EU market or penalized, and as other countries seek to introduce rules modeled on the GDPR. It may also be easier and cheaper for some U.S. companies to apply GDPR protections to all users rather than maintain different policies for different users. Such developments could limit U.S. influence in trade negotiations such as the ongoing World Trade Organization (WTO) plurilateral negotiations related to digital trade.

Other elements of the GDPR are controversial. The GDPR’s right to be forgotten requires data controllers to delete personal data when it is no longer needed or when an individual requests it. Some question whether the right applies only to those accessing the Internet from the EU, or if the GDPR requires that a company delete specific information globally. Another issue is that the GDPR right to erasure could clash with freedom of information, and, for U.S. firms, with the First Amendment. The GDPR includes exceptions and recognizes the need to balance the right to personal data protection with freedom of expression, but advocates worry that Internet companies may be quick to grant erasure requests to avoid possible legal challenges, which, over time, could erode information online. Many stakeholders view the GDPR as pitting the “right to be forgotten” against the “right to know.”

U.S. officials voice concerns about the GDPR’s impact on the WHOIS database (managed by the Internet Corporation for Assigned Names and Numbers, or ICANN) used by law enforcement and cybersecurity researchers to identify hackers and malicious Internet domains. To comply with the GDPR, ICANN restricted the amount and types of data available on WHOIS, potentially limiting its effectiveness.

The GDPR and ePrivacy Regulation

The EU is considering a new ePrivacy Regulation to ensure privacy of electronic communications in the digital era that would complement the GDPR’s data protection requirements. The regulation would require traditional telecom providers as well as messaging services (e.g., WhatsApp and SnapChat) to obtain explicit user consent for online tracking (use of cookies), and limit the amount of time that tracking data may be stored. Some analysts suggest this could hinder the online advertising industry and others dependent on tracking data. The regulation has proved controversial in the EU and remains pending.

Also see CRS Report R45584, Data Flows, Online Privacy, and Trade Policy, by Rachel F. Fefer.

Rachel F. Fefer, Analyst in International Trade and Finance

Kristin Archick, Specialist in European Affairs
IF10896


Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to
congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress.
Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has
been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the
United States Government, are not subject to copyright protection in the United States. Any CRS Report may be
reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include
copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you
wish to copy or otherwise use copyrighted material.

https://crsreports.congress.gov | IF10896 · VERSION 6 · UPDATED