Updated April 14, 2020

EU Data Protection Rules and U.S. Implications

Data Privacy and Protection in the United States and Europe

U.S. and European Union (EU) policymakers are focused on protection of personal data online with recent and proposed legislation and enforcement actions. Data breaches at companies such as Facebook, Google, and Marriott have contributed to heightened public awareness. The EU’s General Data Protection Regulation (GDPR)—which took effect on May 25, 2018—has drawn the attention of Congress, U.S. businesses and other stakeholders, prompting debate on U.S. federal and state data privacy and protection policies.

Both the United States and the 27-member EU assert that they are committed to upholding individual privacy rights and ensuring the protection of personal data, including electronic data. Differences in U.S. and EU approaches to data privacy and protection, however, have long been sticking points in U.S.-EU economic and security relations. The GDPR highlights some of those differences and poses challenges for U.S. companies doing business in the EU. Although no longer a member of the EU, the United Kingdom (UK) remains bound by the GDPR through 2020 and intends to incorporate the GDPR into UK data protection law.

The United States does not broadly restrict cross-border data flows and has traditionally regulated privacy at a sectoral level to cover certain types of data. The EU considers the privacy of communications and the protection of personal data to be fundamental rights, which are codified in EU law. Europe’s history with fascist and totalitarian regimes informs the EU’s views on data protection and contributes to the demand for strict data privacy controls. The EU regards current U.S. data protection safeguards as inadequate; this has complicated the conclusion of U.S.-EU information-sharing agreements and raised concerns about U.S.-EU data flows.

The transatlantic economy is the largest in the world, with goods and services trade of $1.3 trillion in 2019; the UK accounted for 20%. U.S.-EU trade of information and communications technology (ICT) services and potentially ICT-enabled services was over $307 billion in 2017 (see Figure 1).

Figure 1. U.S.-EU Trade of ICT and Potentially ICT-Enabled (PICTE) Services, 2017
[chart not reproduced in this text version]
Source: Bureau of Economic Analysis interactive data Table 3.3.

What Is the GDPR?

The GDPR establishes a set of rules for the protection of personal data throughout the EU. It seeks to strengthen individual fundamental rights and facilitate business by ensuring more consistent implementation of data protection rules EU-wide. The EU hopes the GDPR will further develop the EU’s Digital Single Market (DSM), aimed at increasing harmonization across the bloc on digital policies. The EU also views the GDPR as underpinning efforts to foster the EU’s digital transformation and bolster the EU’s technology sector vis-à-vis Chinese and U.S. competitors, while protecting privacy rights and European values.

The GDPR identifies legitimate bases for data processing and sets out common rules for data retention, storage limitation, and record keeping. The GDPR applies to (1) all businesses and organizations with an EU establishment that process (perform operations on) personal data of individuals (or “data subjects”) in the EU, regardless of where the actual processing of the data takes place; and (2) entities outside the EU that offer goods or services (for payment or for free) to individuals in the EU or monitor the behavior of individuals in the EU. Processing certain sensitive personal data is generally prohibited.

Stronger and new data protection requirements in the GDPR grant individuals the right to:

- Receive clear and understandable information about who is processing one’s personal data and why;
- Consent affirmatively to any data processing;
- Access any personal data collected;
- Rectify inaccurate personal data;
- Erase one’s personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data (the “right to be forgotten”);
- Restrict or object to certain processing of one’s data;
- Be notified without “undue delay” of a data breach if there is a high risk of harm to the data subject; and
- Require the transmission of one’s data to another controller (data portability).

The potentially high penalties for noncompliance have attracted significant attention, since a company or organization can be fined up to 4% of its annual global turnover or €20 million (whichever is greater). Fines are assessed by the national supervisory authority (a Data Protection Authority, or DPA) in each member state and are subject to appeal in national courts. The GDPR also requires some companies to appoint data protection officers.

https://crsreports.congress.gov
GDPR Implementation

Many U.S. firms have made changes to comply with the GDPR, such as revising and clarifying user terms of agreement and asking for explicit consent. While it imposes more requirements on companies that collect or process data, some experts contend that the GDPR may simplify compliance for U.S. firms because the same set of data protection rules applies across the EU. Also, companies established in the EU that engage in cross-border data processing generally need to liaise only with the DPA of the EU country where the firm is based (the “lead” authority), possibly decreasing administrative costs. However, a firm is still subject to oversight and enforcement by the DPA of every country where it does business. Some member states have criticized the system because many of the largest digital firms are based in a few countries and are overseen by those states’ DPAs, creating enforcement delays and logjams due to limited resources.

U.S. firms have voiced several concerns about the GDPR, including the need to construct a compliance bureaucracy and the possible high costs of adhering to the GDPR’s requirements. While large firms have the resources to hire consultants and lawyers, it may be harder and costlier for small and mid-sized enterprises (SMEs) to comply, possibly deterring them from entering the EU market and creating a de facto trade barrier. Some U.S. businesses, including several newspaper websites and digital advertising firms, opted to exit the EU market rather than confront the complexities of the GDPR. Some industry surveys show that the GDPR’s restrictions on the use and sharing of data may be limiting the development of new technologies and deterring potential mergers and acquisitions.

The GDPR and U.S.-EU Privacy Shield

Under the GDPR, the U.S.-EU Privacy Shield continues to serve as a mechanism to transfer data for U.S. and EU firms that meet EU data protection requirements. Participation by a company in Privacy Shield does not necessarily guarantee full GDPR compliance. A case challenging Privacy Shield’s validity is pending before the EU’s Court of Justice.

Although the GDPR is directly applicable in EU member states, implementing legislation is required to enact certain parts of the GDPR (e.g., appointment of a supervisory authority; ability to levy penalties). Critics note that the GDPR permits diverging national legislation in specified areas (e.g., employment data) and contend that this could lead to uneven implementation or enforcement. They also note the potential for localization trade barriers in areas where divergence is allowed.

Since taking effect, European DPAs have received a steady stream of GDPR complaints—almost 145,000 in its first year—and have initiated various enforcement actions. These have included issuing fines for a range of violations against companies such as Google and Facebook, as well as smaller entities and organizations. In July 2019, the UK’s DPA issued the largest penalty to date, announcing a fine of about $230 million (£183 million) on British Airways for a data breach that affected half a million passenger records, including users’ name, address, login, payment card, and travel booking details. The EU is set to review the implementation of the GDPR, including international data transfers, in June 2020.

The GDPR and ePrivacy Regulation

The EU is considering a new ePrivacy Regulation to ensure privacy of electronic communications in the digital era that would complement the GDPR’s data protection requirements. The regulation would require traditional telecom providers, as well as messaging services (e.g., WhatsApp and SnapChat), to obtain explicit user consent for online tracking (use of cookies), and would limit the amount of time that tracking data may be stored. Some analysts suggest this could hinder the online advertising industry and others dependent on tracking data. The regulation has proved controversial in the EU and remains pending.

GDPR and COVID-19

To track the spread of COVID-19, some EU governments are using anonymized, aggregated mobile phone data from telecom firms. Some countries, like Poland, go further, requiring persons who may have COVID-19 to install a mobile tracking app. The scope of data collected varies by country. The European Data Protection Supervisor has stated that limited data collection with certain constraints (e.g., temporary data retention) is GDPR compliant and that the “right to the protection of personal data is not an absolute right.” EU officials call for an EU-coordinated app rather than country-specific apps. Some privacy advocates raise concerns that such data collection will set a precedent that lasts past the pandemic. As U.S. officials also begin considering the use of mobile tracking apps and data analytics to combat COVID-19, some Members of Congress express interest in examining the possible benefits of such measures, as well as privacy and other data-related issues.

Policy Implications

While the United States has traditionally regulated privacy at a sectoral level to cover certain types of data, in 2018 California passed a consumer privacy law, and other states are considering similar legislation with varying rules. While the state laws have similarities with the GDPR, they do not fully replicate it. U.S. policymakers and Members of Congress are assessing the need for comprehensive national legislation, and multiple online privacy bills have been introduced. Some consumer and industry groups have advocated for a U.S. approach similar to the GDPR.

The United States plays an important role in international discussions on data protection and has begun to address data privacy and data flows in free trade agreements, including in the U.S.-Mexico-Canada Agreement. With no multilateral rules on cross-border data flows, the GDPR may effectively set new global data privacy standards, as firms and organizations strive for compliance to avoid being shut out of the EU market or penalized, and as other countries seek to introduce rules modeled on the GDPR. Such developments could limit U.S. influence in trade negotiations, such as the ongoing World Trade Organization (WTO) plurilateral negotiations related to digital trade. Also see CRS Report R45584, Data Flows, Online Privacy, and Trade Policy, by Rachel F. Fefer.

Kristin Archick, Specialist in European Affairs
Rachel F. Fefer, Analyst in International Trade and Finance

IF10896
Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to
congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress.
Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has
been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the
United States Government, are not subject to copyright protection in the United States. Any CRS Report may be
reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include
copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you
wish to copy or otherwise use copyrighted material.
https://crsreports.congress.gov | IF10896 · VERSION 7 · UPDATED