THE LEGAL-REGULATORY GAP IN DATA PROTECTION BETWEEN THE EUROPEAN UNION AND THE UNITED STATES OF AMERICA – CHALLENGES AND IMPLICATIONS

Milica Vasić

doi:10.5937/ptp2502143V

Authors

Milica Vasić PhD Candidate and Teaching Assistant, University Business Academy in Novi Sad, Faculty of Law for Commerce and Judiciary, Novi Sad, Serbia https://orcid.org/0000-0002-5964-3524

DOI:

https://doi.org/10.5937/ptp2502143V

Keywords:

GDPR, CCPA, data protection, digital society

Abstract

In the era of global digitalization, the legal regulation of data protection has become a key challenge for international law and business. While the European Union establishes robust privacy standards through the General Data Protection Regulation (GDPR), the United States applies a fragmented approach through various federal and state laws, creating legal challenges in transatlantic data protection regulation. This paper analyzes the legal consequences of the regulatory gap between the EU and the United States, particularly in light of the annulment of the Privacy Shield agreement. Through comparative legal analysis and case studies, the paper explores how differing legal frameworks impact the global digital economy, user privacy, and international corporations. Special attention is given to the extraterritorial reach of the GDPR, its influence on U.S. legislation, and potential legal mechanisms that could contribute to regulatory harmonization. The paper highlights the need for harmonizing international data protection standards that establish a balance between legal security, privacy protection and encouraging innovation in the digital ecosystem.

References

Adequacy decisions, European Commission, Downloaded 2025, January 13 from https://commission.europa.eu/law/law-topic/data-protection/ international-dimension-data-protection/adequacy-decisions_en

Batlle, S. & van Waeyenberge, A. (2024). EU–US data privacy framework: A first legal assessment. European Journal of Risk Regulation, 15(1), pp. 191–200

Colorado Attorney General. (n.d.). Colorado Privacy Act (CPA). Downloaded 2025, March 19 from https://coag.gov/resources/coloradoprivacy-act/

Consumer Privacy Act. (n.d.). Connecticut Consumer Privacy Law (CTDPA). Downloaded 2025, March 19 from https://www.consumerprivacyact.com/connecticut-consumer-privacy-law/

Czerniawski, M., & Svantesson, D. (2024). Challenges to the extraterritorial enforcement of data privacy law–EU case study. Dataskyddet, 50, pp. 127-153. Downloaded 2025, March 19 from SSRN: https://ssrn.com/abstract=4698122

European Commission aiming to reform GDPR enforcement rules in cross-border cases, European Company Lawyers Association, February 2023, Downloaded 2025, January 14 from https://inhouse-legal.eu/digitalisation-gdpr/european-commission-aiming-to-reform-gdprenforcement-rules-in-cross-border-cases/

European Data Protection Board. (2023). Opinion 5/2023 on the European Commission Draft Implementing Decision on the adequate protection of personal data under the EU-US Data Privacy Framework. Downloaded 2025, March 19 from https://www.edpb.europa.eu/system/files/2023-09/edpb_opinion52023_eu-us_dpf_hr.pdf

Federal Bureau of Investigation. (n.d.). Foreign Intelligence Surveillance Act (FISA) and Section 702. U.S. Department of Justice. Downloaded 2025, March 19 from https://www.fbi.gov/how-we-investigate/intelligence/foreign-intelligence-surveillance-act-fisa-and-section-702

Houser, K. A., & Voss, W. G. (2018). Gdpr: The end of google and facebook or a new paradigm in data privacy? Richmond Journal of Law & Technology, 25(1), pp. 1–109 Downloaded 2025, March 19 from https://scholarship.richmond.edu/cgi/viewcontent. cgi?article=1457&context=jolt

Kuner, C. (2017). Reality and illusion in EU data transfer regulation post Schrems. German Law Journal, 18(4), pp. 881–918

Mirković, P. (2023). Digital assets – a legal approach to the regulation of the new property law institute. Pravo – teorija i praksa, 40(suppl), pp. 17–31 https://doi.org/10.5937/ptp2300017M

MyRhline (2025). Espionnage chez IKEA France: un réseau d’espionnage de la direction démasqué. MyRhline. Downloaded 2025, January 10 from https://myrhline.com/type-article/espionnage-ikea-france/

Office of the Attorney General. (2020). California Privacy Rights and Enforcement Act of 2020. Downloaded 2025, January 08 from https://oag.ca.gov/system/files/initiatives/pdfs/20-0009A%20%28Privacy%29.pdf

Pit, R. (2023). Digitalization vs. GDPR—Friends or Foes?, Copperberg, Downloaded 2025, January 13 from https://www.copperberg.com/digitalization-vs-gdpr-friends-or-foes/

PrivacyEngine. (2023). Virginia Consumer Data Protection Act (VCDPA): A comprehensive guide. Downloaded 2025, March 19 from https://www.privacyengine.io/blog/virginia-consumer-data-protection-act/

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, Downloaded 2025, January 16 from https://eur-lex.europa.eu/eli/reg/2016/679/oj

Schwartz, P. M. (2025). Spiros Simitis as Data Protection Pioneer, G.W. J. Law & Tech. (JOLT) pp. 102-118, https://dx.doi.org/10.2139/ssrn.5146813

Shaping a Safer Digital Future: a New Strategy for a New Decade, European Data Protection Supervisor, 2020, Downloaded 2025, January

from https://www.edps.europa.eu/press-publications/publications/ strategy/shaping-safer-digital-future_en

Stojšić Dabetić, J., & Mirković, P. (2024). Digitalna imovina – novo poglavlje u regulisanju imovinskih prava [Digital property – a new chapter in the regulation of property rights]. In: Počuča, M. (ured.), XXI međunarodni naučni skup „Pravnički dani – Prof. dr Slavko Carić“ Odgovori pravne nauke na izazove savremenog društva [XXI International Scientific Conference “Legal days – Prof. Slavko Carić, PhD” The responses of legal sciences to the challenges of modern society] (pp. 667– 677). Novi Sad: Univerzitet Privredna akademija u Novom Sadu, Pravni fakultet za privredu i pravosuđe u Novom Sadu https://doi.org/10.5937/PDSC24667S

Swensen, D. (2021). Data Protection v. Facebook Ireland Limited and Maximilian Schrems: Where Do We Go from Here?. Md. J. Int’l L., 36(1), pp. 24–50

Encyclopaedia Britannica, Edward Snowden. Downloaded 2025, March 19 from https://www.britannica.com/biography/Edward-Snowden

Tolson, B., (2025). Still no Federal Data Privacy Law: What happened to the ADPPA? Downloaded 2025, January 14 from https://wwwsmarsh.com/blog/thought-leadership/no-federal-data-privacy-law-whathappened-ADPPA

Weiss, M. A., & Archick, K. (2016). US-EU data privacy: from safe harbor to privacy shield. Report prepared for Members and Committees of Congress, 19 March 2016, Downloaded 2025, January 15 from https://insidecybersecurity.com/sites/insidecybersecurity.com/files/documents/may2016/cs2016_0076.pdf