The General Data Protection Regulation (the “GDPR”), promulgated by the European Commission, was adopted in April 2016 and became effective in May 2018. Last year, we provided an update discussing the second-year benefits for companies and trends for the US following the enactment of the GDPR.
This year, we will take a look at current EU-US compliance issues, and US regulations following the adoption of GDPR.
US companies that offer goods and services to EU residents or monitor their behavior are subject to compliance with the GDPR; however, murky guidelines have called EU-US data transfers into question.
In July of 2020, the Court of Justice of the European Union (CJEU) issued a decision, commonly referred to as “Schrems II,” that invalidated the 2016 EU-US Privacy Shield, disrupting EU-US data flows and creating both uncertainty and risk for US companies relying on the Privacy Shield for GDPR compliance.
In May of 2021, Members of the European Parliament (MEPs) adopted a resolution urging the Data Protection Commission (DPC) to establish clear guidelines on EU-US data transfers consistent with the GDPR. MEPs pointed to the commission’s failure to properly enforce the GDPR for international data transfers, as well as its failure “to take meaningful corrective decisions.”
MEP rapporteur Juan Fernando López Aguilar (S&D, ES) commented on the May resolution, “the Commission must not repeat the same mistakes by negotiating data transfer agreements with the United States. We do not want to witness a ‘Schrems III’ case so it is crucial the Commission gets it right this time.”
Pressure is increasing on the US to roll out national data privacy legislation. The last efforts to pass a nationwide Act fell flat in 2019; however, a bipartisan group of senators, led by Sen. Amy Klobuchar (D-MN), has reintroduced the Social Media Privacy Protection and Consumer Rights Act in an effort to provide consumers with more control over their personal information.
In a statement to The Verge, Sen. Klobuchar remarked, “For too long companies have profited off of Americans’ online data while consumers have been left in the dark. This legislation will protect and empower consumers by allowing them to make choices about how companies use their data and inform them of how they can protect personal information.”
At present, California and Virginia are the only two states with broad, sweeping data protection laws analogous to the GDPR, while states like Washington and Florida have recently failed to pass similar legislation. However, an increasing number of states are jumping on board with new bills and revisions, demonstrating the increasing interest across the nation but also highlighting key issues on which industry lobbyists are focusing, such as the private right of action, that will become sticking points for future legislation.