ILJ Online

ILJ Online is the online component of Fordham International Law Journal.

Comparing United States Data Privacy Protection to the World-Renowned GDPR

The rapid advancement of technology has required the development of a new legal field: data privacy regulation. Each country approaches the sensitive substance and digital nuance of this field in its own way. The “toughest privacy and security law in the world” is the General Data Protection Regulation (“GDPR”) governing the European Union.[1] This regulation is significantly more robust than any data privacy legislation currently in place in the US, which may be a result of the EU’s heightened prioritization of privacy rights. The 1950 European Convention on Human Rights confers on EU citizens a “right to respect for his private and family life, his home and his correspondence.”[2] The US Constitution does not expressly provide a right to privacy like this. Rather, Americans’ right to privacy is derived from a history of case law. The seminal case is Griswold v. Connecticut, where the Supreme Court (“SCOTUS”) held that the right to privacy is alluded to by a “penumbra” of other explicitly stated protections located in the Bill of Rights.[3] The Court later extended the right to privacy in Eisenstadt v. Baird in 1971 and Lawrence v. Texas in 2003.[4] Nonetheless, US law on data privacy is constrained because the Constitution lacks an express right to privacy generally, and recent Supreme Court activity generates concern that the right to privacy is now defined even more narrowly.[5]

Weak protection for a legal right to privacy in the US is evident when comparing American data privacy laws to the GDPR. Primarily, the GDPR broadly applies to “any organization that is established in the EU, offers products or services in the EU, or monitors the behavior of EU data subjects,” while individual, variable state laws govern data privacy in the US.[6] This individualization narrows the scope of the law, because each statute applies only to companies established in or conducting business in its respective state. Additionally, American laws tend to target certain behavior, rather than the vast array of possible acts the GDPR may address.[7] For further clarity, the GDPR can be likened to a house, while US laws are more similar to the kitchen; most important things happen in the kitchen, but there are certainly other things going on in the house.[8] Perhaps the greatest point of variation exists in the way these laws punish violative acts. The EU imposes hefty fines that can reach millions of euros, while the fines under American law range from $2,500 to $20,000.[9] The US and other countries are heavily influenced by the GDPR when creating their own data privacy regulations, yet the leniency in the US is glaring.

As previously mentioned, data privacy is currently a state-law regime in the US. The most significant state law is the California Privacy Rights Act (“CPRA,” an evolution of the CCPA).[10] Not only do these laws not apply to organizations on a national scale, but only certain companies meet the thresholds required to invoke them. Like the laws themselves, the thresholds vary state-to-state, but some include “companies that generate significant annual revenue (e.g., $25m), process a significant volume of data (e.g., personal information of 100,000 consumers), or derive a significant portion of their revenue from ‘selling’ or ‘sharing’ personal information (e.g., 50%).”[11] Further, US laws exempt various categories of organizations and data, which the GDPR does not. For example, the GDPR regulates any entity processing others’ personal data in the activities of an establishment, in offering goods or services, or in monitoring behavior generally. US laws, by contrast, apply compliance thresholds that limit who the law applies to.[12] Each existing state law regulates only those entities doing business in the applicable state, and California’s data privacy laws (considered the leading US data privacy regulation) shrink the regulated group further by applying only to entities with annual gross revenues surpassing $25,000, at least 50% of that revenue resulting from selling data, and data collection on at least 50,000 consumers.[13] Data collectors that fall outside these parameters are conducting their business in a highly deregulated manner.

There seems to be growing recognition of the weakness of US data privacy laws, as evidenced by a recent Executive Order on the matter. EO 14110 works to develop guidelines for “safe, secure, and trustworthy artificial intelligence.”[14] The overall goal is to create a healthier process for the OMB to guide and oversee the use of Artificial Intelligence (“AI”). While this order primarily targets AI, AI is a vast and powerful tool that makes it easier to “extract, re-identify, link, infer, and act on sensitive information about people's identities, locations, habits, and desires.”[15] This executive initiative to rein in technology with such intrusive capabilities may illustrate a step towards the creation of stricter data privacy protection in the US.

Alexis Saulny is a staff member of Fordham International Law Journal Volume XLVII.


[1] See What is GDPR, the EU’s New Data Protection Law?, GDPR.eu (last retrieved Dec. 3, 2023), https://gdpr.eu/what-is-gdpr/.

[2] See Privacy, Legal Information Institute (last retrieved Dec. 3, 2023), https://www.law.cornell.edu/wex/privacy.

[3] See Griswold v. Connecticut, 85 U.S. 479, 484 (1965).

[4] See Eisenstadt v. Baird, 405 U.S. 438, 453 (1972); see also Lawrence v. Texas, 539 U.S. 558, 564 (2003).

[5] See generally Dobbs v. Jackson Women’s Health Organization, 597 U.S. 215 (2022), where SCOTUS ruled that the right to have an abortion will be a matter decided individually by each state; see also Len Niehoff, Unprecedented Precedent and Original Originalism: How the Supreme Court’s Decision in Dobbs Threatens Privacy and Free Speech Rights, American Bar Association (June 9, 2023), https://www.americanbar.org/groups/communications_law/publications/communications_lawyer/2023-summer/unprecedented-precedent-and-original-originalism/.

[6] Richard Lawne, GDPR vs U.S. State Privacy Laws: How do They Measure Up?, FieldFisher (Jan. 3, 2023), https://www.fieldfisher.com/en/insights/gdpr-vs-u-s-state-privacy-laws-how-do-they-measure.

[7] See id.

[8] See id.

[9] See id.

[10] See Lawne, supra note 5.

[11] See Lawne, supra note 5.

[12] See Comparing U.S. State Data Privacy laws vs. The EU’s GDPR, Bloomberg Law (July 11, 2023), https://pro.bloomberglaw.com/insights/privacy/privacy-laws-us-vs-eu-gdpr/.

[13] See id.

[14] See Executive Office of the President, Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence, Federal Register (Nov. 1, 2023), https://www.federalregister.gov/documents/2023/11/01/2023-24283/safe-secure-and-trustworthy-development-and-use-of-artificial-intelligence.

[15] See id.

This is a student blog post and in no way represents the views of the Fordham International Law Journal.