The Congressional Research Service ("CRS") outlined the differences between the EU data privacy and protection rules and those in the United States.
In a new report, the CRS explained that the United States and European Union have different perceptions about what sufficient data protection entails, based on their respective histories. Specifically, the European Union's views are shaped by the misuse and abuse of personal data by regimes of the early 20th century. According to the report, the European Union currently regards data privacy as a fundamental right and has high penalties for non-compliance (currently the higher of 4 percent of a company's annual global turnover, or €20 million). The United States, by contrast, treats data privacy generally as a commercial issue, and does not prohibit the cross-border transmission of data. The CRS observed that the divergence between U.S. and EU views on data privacy has led the European Union to regard U.S. protections as inadequate, complicating U.S.-EU information-sharing agreements.
The CRS highlighted several issues that have been raised by U.S. companies and individuals regarding the European Union's General Data Protection Regulation ("GDPR"). According to the report, small and mid-sized companies may avoid EU markets due to the complexity and high penalties associated with issuer compliance. Other U.S. companies may find it easier and cheaper to apply GDPR protections for all users, as the EU has a single, largely unified scheme of regulation, as compared to a diversity of regulations in the United States.
The CRS also raised issues concerning the GDPR's "right to be forgotten" protections, which "requires data controllers to delete personal data when it is no longer needed or when an individual requests it." Concerns include "whether the right applies only to those accessing the Internet from the EU, or if the GDPR requires that a company delete specific information globally." Another issue raised by the CRS concerns the GDPR "right to erasure" and whether the GDPR rules would clash with freedom of information or the First Amendment. CRS stated that some advocates were concerned that internet companies would grant erasure requests to avoid lawsuits, "which may, over time, reduce the amount of information available online."
The UK Information Commissioner's Office proposed a draft statutory code of practice on data sharing.