1 [1] (February 7, 2019)

EU Data Protection Rules and U.S. Implications


Data Privacy and Protection in the United States and Europe
U.S. and European citizens are increasingly concerned about ensuring the protection of personal data, especially online. A string of high-profile data breaches at companies such as Facebook and Google has contributed to heightened public awareness. The European Union's (EU) new General Data Protection Regulation (GDPR), which took effect on May 25, 2018, has drawn the attention of U.S. businesses and other stakeholders, prompting debate on U.S. data privacy and protection policies.

Both the United States and the 28-member EU assert that they are committed to upholding individual privacy rights and ensuring the protection of personal data, including electronic data. However, data privacy and protection issues have long been sticking points in U.S.-EU economic and security relations, in part because of differences in U.S. and EU legal regimes and approaches to data privacy. The GDPR highlights some of those differences and poses challenges for U.S. companies doing business in the EU.

The United States does not broadly restrict cross-border data flows and has traditionally regulated privacy at a sectoral level to cover certain types of data. The EU considers the privacy of communications and the protection of personal data to be fundamental rights, which are codified in EU law. Europe's history with fascist and totalitarian regimes informs the EU's views on data protection and contributes to the demand for strict data privacy controls. The EU regards current U.S. data protection safeguards as inadequate; this has complicated the conclusion of U.S.-EU information-sharing agreements and raised concerns about U.S.-EU data flows.

The transatlantic economy is the largest in the world, with goods and services trade of $2.7 billion a day and annual digital services trade of $260 billion. The United States and EU are each other's largest customers of digitally delivered services exports (see Figure 1).

Figure 1. Transatlantic Trade as a Percentage of Digitally-Delivered Service Exports

Source: Kati Suominen, Where the Money Is: The Transatlantic Digital Market, CSIS, October 12, 2017.


Updated February 7, 2019


What Is the GDPR?
The GDPR establishes a set of rules for the protection of personal data throughout the EU. It seeks to strengthen individual fundamental rights and facilitate business by ensuring more consistent implementation of data protection rules EU-wide. The EU hopes the GDPR will further develop the EU Digital Single Market (DSM), aimed at increasing harmonization across the bloc on digital policies.

The GDPR identifies what is a legitimate basis for data processing and sets out common rules for data retention, storage limitation, and record keeping. The GDPR applies to (1) all businesses and organizations with an EU establishment that process (perform operations on) personal data of individuals (or data subjects) in the EU, regardless of where the actual processing of the data takes place; and (2) entities outside the EU that offer goods or services (for payment or for free) to individuals in the EU or monitor the behavior of individuals in the EU. Processing certain sensitive personal data is generally prohibited.

Stronger and new data protection requirements in the GDPR grant individuals the right to:
* Receive clear and understandable information about who is processing one's personal data and why;
* Consent affirmatively to any data processing;
* Access any personal data collected;
* Rectify inaccurate personal data;
* Erase one's personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data (the right to be forgotten);
* Restrict or object to certain processing of one's data;
* Be notified without undue delay of a data breach if there is a high risk of harm to the data subject; and
* Require the transmission of one's data to another controller (data portability).
The potential high penalties for noncompliance have attracted significant attention, since a company or organization can be fined up to 4% of its annual global turnover or €20 million (whichever is greater). Fines are assessed by the national supervisory authority (a Data Protection Authority, or DPA) in each member state and subject to appeal in national courts. The GDPR also requires some companies to hire data protection officers.

Possible Impact on U.S. Companies
Many U.S. firms have made and are making changes to comply with the GDPR, such as revising and clarifying user terms of agreement and asking for explicit consent. While it creates more requirements on companies that collect or


https://crsreports.congress.gov
