HeinOnline handle: hein.crs/govdaye0001 (July 17, 2020)


  Updated July 17, 2020


EU Data Protection Rules and U.S. Implications


United States and Europe
U.S. and European Union (EU) policymakers are focused
on protection of personal data online with recent and
proposed legislation and enforcement actions. Data
breaches at companies such as Facebook, Apple, and
Marriott have contributed to heightened public awareness.
The EU's General Data Protection Regulation (GDPR),
which took effect on May 25, 2018, has drawn the
attention of Congress, U.S. businesses, and other
stakeholders, prompting debate on U.S. federal and state
data privacy and protection policies.

Both the United States and the 27-member EU assert that
they are committed to upholding individual privacy rights
and ensuring the protection of personal data, including
electronic data. Differences in U.S. and EU approaches to
data privacy and protection, however, have long been
sticking points in U.S.-EU economic and security relations.
The GDPR highlights some of those differences and poses
challenges for U.S. companies doing business in the EU.
Although no longer a member of the EU, the United
Kingdom (UK) remains bound by GDPR through 2020 and
intends to incorporate GDPR into UK data protection law.

The United States does not broadly restrict cross-border
data flows and has traditionally regulated privacy at a
sectoral level to cover certain types of data. The EU
considers the privacy of communications and the protection
of personal data to be fundamental rights, which are
codified in EU law. The EU regards current U.S. data
protection safeguards as inadequate. Since 2000, many
entities used U.S.-EU negotiated agreements for cross-
border data flows, but the EU's top court has invalidated
successive accords due to concerns about U.S. surveillance
laws (most recently, striking down Privacy Shield in July
2020).

Figure 1. U.S.-EU Trade of ICT and Potentially ICT-Enabled (PICTE) Services, 2018

[Figure: bar chart of U.S.-EU trade in ICT and potentially ICT-enabled services, 2018; image not reproduced in this text version]

Source: Bureau of Economic Analysis interactive data Table 3.3.

The transatlantic economy is the largest in the world, with
goods and services trade of $1.3 trillion in 2019; the UK
accounted for 20%. U.S.-EU trade of information and
communications technology (ICT) services and potentially
ICT-enabled services, including the UK, was over $345
billion in 2018 (see Figure 1).


The GDPR establishes a set of rules for the protection of
personal data throughout the EU to strengthen individual
rights and facilitate business. The EU hopes the GDPR will
further develop the EU's Digital Single Market (DSM),
aimed at increasing harmonization across the bloc on digital
policies. The EU also views the GDPR as underpinning
efforts to foster the EU's digital transformation and bolster
the EU's technology sector vis-à-vis Chinese and U.S.
competitors, while protecting European values.

The GDPR identifies legitimate bases for data processing
and sets out common rules for data retention, storage
limitation, and record keeping. The GDPR applies to (1) all
businesses and organizations with an EU establishment that
process (perform operations on) personal data of
individuals (or data subjects) in the EU, regardless of
where the actual processing of the data takes place; and (2)
entities outside the EU that offer goods or services (for
payment or for free) to individuals in the EU or monitor the
behavior of individuals in the EU. Processing certain
sensitive personal data is generally prohibited.

Stronger and new data protection requirements in the
GDPR grant individuals the right to:
* Receive clear and understandable information about
   who is processing one's personal data and why;
* Consent affirmatively to any data processing;
* Access any personal data collected;
* Rectify inaccurate personal data;
* Erase one's personal data, cease further dissemination of
   the data, and potentially have third parties halt
   processing of the data (the right to be forgotten);
* Restrict or object to certain processing of one's data;
* Be notified without undue delay of a data breach if
   there is a high risk of harm to the data subject; and
* Require the transmission of one's data to another
   controller (data portability).
A company or organization can be fined up to 4% of its
annual global turnover or €20 million (whichever is greater)
for noncompliance. Fines are assessed by the national
supervisory authority (a Data Protection Authority, or DPA)
in each member state and subject to appeal in national
courts. The GDPR also requires some companies to hire
data protection officers.


Many U.S. firms have made changes to comply with the
GDPR, such as revising and clarifying user terms of
agreement and asking for explicit consent. While it creates