EU Data Protection Rules and U.S. Implications

link to page 1

Updated July 17, 2020
EU Data Protection Rules and U.S. Implications
Data Privacy and Protection in the
What Is the GDPR?
United States and Europe
The GDPR establishes a set of rules for the protection of
U.S. and European Union (EU) policymakers are focused
personal data throughout the EU to strengthen individual
on protection of personal data online with recent and
rights and facilitate business. The EU hopes the GDPR will
proposed legislation and enforcement actions. Data
further develop the EU’s Digital Single Market (DSM),
breaches at companies such as Facebook, Apple, and
aimed at increasing harmonization across the bloc on digital
Marriott have contributed to heightened public awareness.
policies. The EU also views the GDPR as underpinning
The EU’s General Data Protection Regulation (GDPR)—
efforts to foster the EU’s digital transformation and bolster
which took effect on May 25, 2018—has drawn the
the EU’s technology sector vis-à-vis Chinese and U.S.
attention of Congress, U.S. businesses and other
competitors, while protecting European values.
stakeholders, prompting debate on U.S. federal and state
data privacy and protection policies.
The GDPR identifies legitimate bases for data processing
and sets out common rules for data retention, storage
Both the United States and the 27-member EU assert that
limitation, and record keeping. The GDPR applies to (1) all
they are committed to upholding individual privacy rights
businesses and organizations with an EU establishment that
and ensuring the protection of personal data, including
process (perform operations on) personal data of
electronic data. Differences in U.S. and EU approaches to
individuals (or “data subjects”) in the EU, regardless of
data privacy and protection, however, have long been
where the actual processing of the data takes place; and (2)
sticking points in U.S.-EU economic and security relations.
entities outside the EU that offer goods or services (for
The GDPR highlights some of those differences and poses
payment or for free) to individuals in the EU or monitor the
challenges for U.S. companies doing business in the EU.
behavior of individuals in the EU. Processing certain
Although no longer a member of the EU, the United
sensitive personal data is generally prohibited.
Kingdom (UK) remains bound by GDPR through 2020 and
intends to incorporate GDPR into UK data protection law.
Stronger and new data protection requirements in the
GDPR grant individuals the right to:
The U.S. does not broadly restrict cross-border data flows
 Receive clear and understandable information about
and has traditionally regulated privacy at a sectoral level to
who is processing one’s personal data and why;
cover certain types of data. The EU considers the privacy of

communications and the protection of personal data to be
Consent affirmatively to any data processing;
fundamental rights, which are codified in EU law. The EU
 Access any personal data collected;
regards current U.S. data protection safeguards as
 Rectify inaccurate personal data;
inadequate. Since 2000, many entities used U.S.-EU
 Erase one’s personal data, cease further dissemination of
negotiated agreements for cross-border data flows, but the
EU’s top court has invalidated successive accords due to
the data, and potentially have third parties halt
processing of the data (the “right to be forgotten”);
concerns about U.S. surveillance laws (most recently,

striking down Privacy Shield in July 2020).
Restrict or object to certain processing of one’s data;
 Be notified without “undue delay” of a data breach if
Figure 1. U.S.-EU Trade of ICT and Potentially ICT-
there is a high risk of harm to the data subject; and
Enabled (PICTE) Services, 2018
 Require the transmission of one’s data to another
controller (data portability).
A company or organization can be fined up to 4% of its
annual global turnover or €20 million (whichever is greater)
for noncompliance. Fines are assessed by the national
supervisory authority (a Data Protection Authority, or DPA)
in each member state and subject to appeal in national
courts. The GDPR also requires some companies to hire

data protection officers.
Source: Bureau of Economic Analysis interactive data Table 3.3.
GDPR Implementation
The transatlantic economy is the largest in the world, with
goods and services trade of $1.3 trillion in 2019; the UK
Many U.S. firms have made changes to comply with the
accounted for 20%. U.S.-EU trade of information and
GDPR, such as revising and clarifying user terms of
communications technology (ICT) services and potentially
agreement and asking for explicit consent. While it creates
ICT-enabled services, including the UK, was over $345
more requirements on companies that collect or process
billion in 2018 (see Figure 1).
data, some experts contend that the GDPR may simplify
compliance for U.S. firms because the same set of data

EU Data Protection Rules and U.S. Implications
protection rules apply across the EU. Also, companies
According to the EU review, in its first two years, almost
established in the EU that engage in cross-border data
300,000 complaints have been filed. DPAs have levied 273
processing primarily only have to liaise with the DPA of the
GDPR fines—totaling about €150 million—for a range of
EU country where the firm is based (the “lead” authority),
violations against companies such as Equifax and
possibly decreasing administrative costs. However, a firm is
Facebook, as well as smaller entities. Belgium fined Google
still subject to oversight and enforcement by the DPA of
€600,000 for not complying with the ‘right to be forgotten’.
every country where it does business. Some member states
and privacy activists have criticized the system as many of
The GDPR and ePrivacy Regulation
the largest digital firms are based in a few countries and
overseen by those states’ DPAs, creating enforcement
The EU is debating an ePrivacy Regulation to ensure privacy of
delays and logjams due to limited resources.
electronic communications in the digital era that would
complement the GDPR’s data protection requirements. The
U.S. firms have voiced several concerns about the GDPR,
regulation would require traditional telecom providers, as well
including the need to construct a compliance bureaucracy
as messaging services (e.g., WhatsApp and SnapChat), to obtain
and possible high costs for adhering to the GDPR’s
explicit user consent for online tracking (use of cookies), and
requirements. While large firms have the resources to hire
limit the amount of time that tracking data may be stored. Some
consultants and lawyers, it may be harder and costlier for
analysts suggest this could hinder the online advertising industry
small and mid-sized enterprises (SMEs) to comply, possibly
and others dependent on tracking data. The regulation has
deterring them from entering the EU market and creating a
proved controversial in the EU and remains pending.
de facto trade barrier. Some U.S. businesses, including
several newspaper websites and digital advertising firms,
opted to exit the EU market rather than confront the
To help track the spread of Coronavirus Disease 2019
complexities of GDPR. Some industry surveys show that
(COVID-19), several EU governments ask people to
GDPR’s restrictions on the use and sharing of data may be
download a mobile tracking app, but uptake has been slow.
limiting the development of new technologies and deterring
The scope of data collected varies by country. The EU Data
potential mergers and acquisitions.
Protection Supervisor has stated that limited data collection
with certain constraints (e.g., temporary data retention) is
Although the GDPR is directly applicable in EU member
GDPR compliant and that the “right to the protection of
states, implementing legislation is required to enact certain
personal data is not an absolute right.” Some privacy
parts of the GDPR (e.g., appointment of a supervisory
advocates raise concerns that such data collection will set a
authority; ability to levy penalties). Critics note that the
precedent that lasts past the pandemic.
GDPR permits diverging national legislation in specified
areas (e.g., employment data) and contend that this could
Policy Implications
lead to uneven implementation or enforcement.
While the United States has traditionally regulated privacy
at a sectoral level to cover certain types of data, in 2018,
U.S.-EU Data Flows and GDPR
California passed a consumer privacy law and other states
To transfer personal data outside the EU, a firm must comply
are considering similar legislation with varying rules. While
with GDPR by transferring data (1) to a country the EU deems
the state laws have similarities with the GDPR, they do not
has adequate data protection, (2) through EU-approved standard
fully replicate it. U.S. policymakers and some Members of
contractual clauses (SCCs), or (3) using legally binding corporate
Congress are assessing the need for comprehensive national
rules. A July 2020 decision by the European Court of Justice
legislation, and multiple online privacy bills have been
invalidated the U.S.-EU Privacy Shield framework as a mechanism
introduced. Some consumer and industry groups have
for data transfers and raised questions about the use of SCCs for
advocated for a U.S. approach similar to the GDPR.
U.S. companies subject to U.S. surveillance laws.
The U.S. plays an important role in international
Two-Year Anniversary
discussions on data protection and has begun to address
data privacy and data flows in free trade agreements,
In its two-year review, the European Commission (EC)
including in the U.S.-Mexico-Canada Agreement. With no
stated the GDPR “met its objectives of strengthening the
multilateral rules on cross-border data flows, the GDPR
protection of the individual’s right to personal data
may effectively set new global data privacy standards, as
protection.” The EC review noted success in raising EU
firms and organizations strive for compliance to avoid
public awareness on data privacy, but raised concerns about
being shut out of the EU market or penalized, and as other
some implementation differences among member states,
countries seek to introduce rules modeled on the GDPR.
lack of DPA cooperation and adequate resources, and
Such developments could limit U.S. influence in trade
localization requirements.
negotiations, such as in the ongoing World Trade
Organization plurilateral negotiations related to e-
As part of its review, the EC solicited external comments.
commerce. Also see CRS Report R45584, Data Flows,
The U.S. Administration asserted that the GDPR has made
Online Privacy, and Trade Policy, by Rachel F. Fefer.
citizens less safe by hindering the sharing of data needed
for health research, criminal investigations, and countering
Rachel F. Fefer, Analyst in International Trade and
terrorism. The U.S. Chamber of Commerce and industry
groups also raised concerns about international data transfer
limits and the lack of coordination between DPAs.
Kristin Archick, Specialist in European Affairs

EU Data Protection Rules and U.S. Implications

This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to
congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress.
Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has
been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the
United States Government, are not subject to copyright protection in the United States. Any CRS Report may be
reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include
copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you
wish to copy or otherwise use copyrighted material. | IF10896 · VERSION 8 · UPDATED