The United States and the EU’s General Data Protection Regulation

Abstract

This chapter focuses on U.S. information privacy and data protection laws, their similarities and differences with the EU’s General Data Protection Regulation (GDPR), and how the GDPR is likely to affect privacy and data protection in the United States in the years ahead. In contrast to the EU’s omnibus approach to data protection, U.S. privacy laws are “sectoral” in nature, meaning that businesses in different economic sectors are subject to different privacy rules and regulations. Several key federal and state-level privacy protections, including the Fourth Amendment and state privacy torts, as well as regulatory authorities, such as the Federal Trade Commission and state attorneys general, shape the boundaries of the right to privacy in the United States. Regarding the interaction between the GDPR and U.S. law, the conflict between the right to be forgotten and the protection of speech and of the press provided by the First Amendment has been a primary concern. Attention within U.S. privacy circles has also shifted in recent years toward handling data breaches, defining “privacy harms,” and the understanding the interaction of state-level consumer privacy laws—such as the California Consumer Privacy Act of 2018—and legislative efforts at the federal level.