GDPR In The U.S.: How It Differs From Other Countries | Compliant


On 25 May 2018, the European Union (EU) began applying one of the most robust and strictest data privacy laws in the world. The regulation protects the personal data of individuals located in the EU, whatever their citizenship.

Of course, privacy laws greatly impact digital content creators and marketers, both of which rely on collecting personal data to improve user experience.

These regulations do much to bolster the privacy rights of data subjects in EU countries. But, does this legislation impact the United States at all? Are non-EU companies subject to these privacy laws as well?

What Is GDPR?

The General Data Protection Regulation (GDPR) is widely described as the toughest privacy and security law in the world. It replaced the Data Protection Directive of 1995 (Directive 95/46/EC), which, as a directive, had to be transposed into national law by each member state and therefore produced inconsistent rules from one European country to the next. The GDPR, as a regulation, applies directly and uniformly across the EU.

The GDPR was adopted by the European Parliament in April 2016 and became enforceable on 25 May 2018. It applies to the personal data of anyone who is in the EU, not only to EU citizens, and it was extended to the European Economic Area (EEA) states of Iceland, Liechtenstein, and Norway in July 2018. With the United Kingdom's departure, the EU now has 27 member states; the UK retains a near-identical "UK GDPR" in its own law.

In effect, the GDPR regulates the processing of the personal data of individuals in the EU and EEA. Personal data is any information relating to an identified or identifiable natural person, whether the identification is direct or indirect. This includes names, email addresses, location data, IP addresses and other online identifiers, and special categories such as ethnicity, political opinions, and health data.

In the language of the regulation, the person whose data is processed is the data subject. Processing is any operation performed on personal data, whether by automated means or manually: collection, recording, organizing, structuring, storage, adaptation, retrieval, disclosure, combination, restriction, erasure, or destruction.

Those that handle or use this personal data are defined in two groups:

  • Data controller – The natural or legal person (usually the organization itself, not an individual employee) that determines why and how personal data is processed.
  • Data processor – A third party that processes personal data on behalf of, and on the documented instructions of, the controller (for example a hosting provider, payroll service, or analytics vendor).

The GDPR consists of 99 Articles, with 173 Recitals explaining their intent. Article 5 sets out seven principles that anyone processing personal data must follow:

  1. Lawfulness, fairness, and transparency – processing must have a lawful basis and be fair and transparent to the data subject.
  2. Purpose limitation – data must be collected for specified, explicit, and legitimate purposes and not further processed in a way incompatible with them.
  3. Data minimization – controllers and processors should collect only what is adequate, relevant, and necessary for the stated purposes.
  4. Accuracy – personal data must be kept accurate and, where necessary, up to date.
  5. Storage limitation – data should be kept in identifiable form only as long as needed for the intended purpose.
  6. Integrity and confidentiality – processing must ensure appropriate security, including protection against unauthorized access, loss, or destruction (e.g., through encryption and access controls).
  7. Accountability – the controller is responsible for compliance with the principles above and must be able to demonstrate it.

Is the GDPR Enforceable in the US?

The GDPR is enforced by an independent supervisory authority in each EU and EEA member state, such as the CNIL in France or the Data Protection Commission in Ireland, with the European Data Protection Board (EDPB) coordinating their work. (The Information Commissioner's Office, or ICO, is the UK's authority and now enforces the separate UK GDPR.)

Each national authority can investigate, order corrective measures, and impose administrative fines on organizations that violate the regulation.

Non-compliance can be costly. Under Article 83, the upper tier of administrative fines is up to €20 million or 4 percent of the organization's total worldwide annual turnover of the preceding financial year, whichever is higher; a lower tier of €10 million or 2 percent applies to lesser infringements.

Apart from a few exemptions (for example activities outside the scope of EU law, national security, law enforcement, which is covered by a separate directive, and purely personal or household activity), the regulation applies to any organization established in the EU that processes personal data, regardless of where the processing itself takes place.

The regulation also applies to organizations with no EU establishment, including U.S. companies such as web development firms or platforms like Google and Facebook, if they offer goods or services to people in the EU or monitor their behavior there, for example through tracking and analytics.

Both cases fall under the territorial scope defined in Article 3.

Audit for EU Personal Data

For U.S. companies, the first action item for GDPR compliance is an audit for EU personal data. Map what personal data you hold, where it came from, and where it flows. If your site offers goods or services to people in the EU, or tracks visitors from there (analytics cookies, advertising identifiers, IP-based geolocation), there is a good chance the GDPR applies to you.

Next, you will need a lawful basis under Article 6 for each processing activity: consent, performance of a contract (e.g., fulfilling an order), a legal obligation, vital interests, a public task, or legitimate interests. Where processing is likely to result in a high risk to individuals, Article 35 requires a Data Protection Impact Assessment (DPIA), which evaluates the risks to data subjects and the measures taken to address them; many U.S. companies run one early to see where they stand.

Inform Customers About Your Data Processing

One of the biggest elements of GDPR compliance is transparency. Articles 12 to 14 require companies to tell data subjects, in clear and plain language, what data is collected, why, on what lawful basis, for how long, and with whom it is shared. Where consent is the lawful basis, Article 7 requires that it be freely given, specific, informed, unambiguous, and as easy to withdraw as it was to give; pre-ticked boxes do not count.

Improve Your Protection

Effective safeguards must also be in place to protect personal data. Article 32 requires technical and organizational measures appropriate to the risk, and most organizations meet this through a security risk management program that identifies and assesses risks and applies controls such as encryption, pseudonymization, access control, and regular testing of those measures.

Security tooling alone is not enough: the organization must also be able to honor data subject rights under Articles 15 to 22, including access, rectification, erasure, restriction, portability, and objection.

Have an EU Representative

Many companies appoint a data protection officer (DPO) to monitor GDPR compliance; Article 37 makes this mandatory for public bodies and for organizations whose core activities involve large-scale monitoring or large-scale processing of special categories of data. Separately, Article 27 requires controllers and processors with no EU establishment to designate a representative in the EU, unless their processing is only occasional, low-risk, and does not involve special categories of data on a large scale.

The representative must be established in one of the member states where the data subjects are located, and supervisory authorities and data subjects can address it in place of, or in addition to, the controller or processor.

Know What to Do If There’s a Breach

Companies must also have an incident response plan for personal data breaches. Under Article 33, a controller must notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals; a processor must notify the controller without undue delay. Under Article 34, when a breach is likely to result in a high risk to individuals, the controller must also inform the affected data subjects directly.

What Is the US Equivalent of GDPR?

From a federal standpoint, the closest U.S. counterpart to a GDPR regulator is the Federal Trade Commission, which uses its authority over unfair and deceptive practices to act against companies that break their own privacy promises or fail to secure data. But that is not a comprehensive data privacy law. U.S. privacy law is sectoral: the Health Insurance Portability and Accountability Act (HIPAA), for example, protects only health information held by covered entities and their business associates, and other statutes cover specific sectors such as financial data and children's data.

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), is probably the closest U.S. likeness to the GDPR. But it regulates only the personal information of California residents.

It should be noted that the EU-U.S. Privacy Shield Framework, designed by the U.S. Department of Commerce and the European Commission as a mechanism for lawful transatlantic transfers of personal data, was invalidated by the Court of Justice of the EU in July 2020 (the Schrems II judgment). It has since been replaced by the EU-U.S. Data Privacy Framework, adopted in July 2023; companies that are not certified under it must rely on other transfer mechanisms, such as standard contractual clauses.

Why Does the US Not Have a GDPR?

In effect, the notion that privacy and personal data protection is a fundamental right has not been embraced nationally within the U.S. A nationwide equivalent would require bipartisan approval in Congress, which in turn would require sustained public demand. In short, it is still a tough sell.

Is the US Developing Any Similar Legislation?

While a federal law is periodically floated in Congress, most of the momentum has been at the state level.

Virginia Act

The Virginia Consumer Data Protection Act was signed into law in March 2021, following California's lead, and took effect on 1 January 2023. Much of its language and many of its provisions, such as the controller and processor roles, are adapted from the GDPR.

Washington Act

In Washington, Senate Bill 5062, known as the Washington Privacy Act, passed the State Senate. The bill would give consumers the right to access, correct, and delete personal data collected by organizations. But, to date, it has failed to pass the State House of Representatives.

New York Act

In May 2021, the New York Privacy Act passed the New York State Senate. It is similar to the Virginia and California laws, but some provisions go further, e.g., controllers would need opt-in consent from consumers before processing their data. To date, the bill has not been signed into law.

The General Data Protection Regulation protects the personal data of individuals within the European Union, governing how that data is collected, processed, stored, and erased. It is one of the most robust data privacy laws in the world.

This law also has implications for U.S. companies that collect and process personal data from individuals within the EU. They are subject to its provisions and are responsible for maintaining compliance.

At present, the U.S. lacks an equivalent law at the national level. However, some states have adopted (or are in the process of adopting) their own privacy laws, modeled largely on the GDPR.