A Look a the GDPR Three Years In

The General Data Protection Regulation (the “GDPR”), promulgated by the European Commission, was adopted in April 2016 and became effective in May 2018. Last year, we provided an update discussing the second-year benefits for companies and trends for the US following the enactment of the GDPR.

This year, we will take a look at current EU-US compliance issues, and US regulations following the adoption of GDPR.

The Pressure to Globally Enforce GDPR

US companies who offer goods and services or monitor the behavior of EU residents are subject to compliance with GDPR; however, murky guidelines have called EU-US data transfers into question.

In July of 2020, the Court of Justice of the European Union (CJEU) issued a decision, commonly referred to as “Schrems II,” that invalidated the 2016 EU-US Privacy Shield, disrupting EU-US data flows and creating both uncertainty and risk for US companies relying on the Privacy Shield for GDPR compliance.

In May of 2021, Members of the European Parliament (MEPs) adopted a resolution urging the Data Protection Commission (DPC) to establish clear guidelines on EU-US data transfers consistent with the GDPR. MEPs expressed the commission’s failure to properly enforce GDPR for international data transfer as well as failing “to take meaningful corrective decisions.”

MEP rapporteur Juan Fernando López Aguilar (S&D, ES) commented on the May resolution “the Commission must not repeat the same mistakes by negotiating data transfer agreements with the United States. We do not want to witness a “Schrems III” case so it is crucial the Commission gets it right this time.”


Looking back on enforcement of GDPR, in 2020, according to publicly available information, supervisory authorities across the EU and the UK have issued over EUR 170 million worth of fines combined, with six of the top ten individual fines imposed being issued in 2020. As we look forward, we feel that GDPR enforcement will accelerate as regulators begin testing their powers in earnest to give teeth to the GDPR. However, administrative fines are not the only piece that could impact businesses under GDPR. Data subject compensation is also increasing and is being facilitated by incoming collective redress regimes across Europe. Put together, headline-grabbing GDPR violations appear to be on the rise.


Pressure is increasing on the US to roll out a national data privacy legislation. The last efforts to pass a nationwide Act fell flat in 2019; however, a bipartisan group of senators, led by Sen. Amy Klobuchar (D-MN), have reintroduced the Social Media Privacy Protection and Consumer Rights Act in an effort to provide consumers with more control over their personal information.

In a statement to The Verge, Sen. Klobuchar remarked, “For too long companies have profited off of Americans’ online data while consumers have been left in the dark. This legislation will protect and empower consumers by allowing them to make choices about how companies use their data and inform them of how they can protect personal information.”

At present, California and Virginia are the only two states with broad sweeping data protection laws analogous to the GDPR while states like Washington and Florida have recently failed to pass similar legislation. However, an increasing number of states are jumping on board with new bills and revisions, demonstrating the increasing interest across the nation but also highlighting key trends where industry lobbyists are taking focus, such as the private right of action, that will become sticking points for future legislation.

If you are a business that has questions about data protection laws and how the laws impact your business contracts, contact our Founders Legal team at [email protected]m and [email protected].

Stan Stater, Corporate & Technology Attorney

Stan Sater
Associate Attorney
[email protected]

Lauren Hawksworth
Marketing Administrator

Stan Sater is a corporate and technology attorney at Founders Legal. Stan advises clients on corporate transactions, data privacy, contract drafting, regulatory analysis, intellectual property licensing, terms of service, and outside general counsel assistance.

Founders Legal (Bekiares Eliezer LLP) is a boutique Corporate & Intellectual Property Law Firm based in Atlanta, Georgia USA, and trusted by thousands of companies nationwide. Founders Legal focuses exclusively on complex matters in the areas of Intellectual Property, Corporate, Transactional, and Securities law.

When you visit our website, it may store information through your browser from specific services, usually in form of cookies.