US-EU war: Data protection beats customs tariffs. What sectors of activity will be affected due to regulatory differences
The “data war” between the EU and the US is at least as important as the “commercial war”, generated by the mutual customs, being more than just a legal dispute, say the specialists.
The “Data War” between the EU and the US, as important as the “commercial war”. Photo shutterstock
“We are talking about one conflict of value and geopolitical visions On the digital future, in the center of which there are some essential questions: who keeps and controls our data? How are they protected? Who can we trust, as institutions and legislation? Cyber security and data protection have become extremely sensitive aspects. Especially in the context of artificial intelligence, the risks of taking and use without control and without the consent of those who are used data are incommensurable”, Said Cristiana Deca, CEO & Cofounder Decalex Digital, expert in Cybersecurity and GDPR, explaining in detail the regulatory differences.
GDPR in the EU versus data protection in the US
The European Union (EU) implemented in 2018 the General Data Protection Regulation (GDPR), a strict and uniform legislative framework. The United States (USA) does not have an equivalent of the European Regulation, approaching the protection of fragmented data, depending on the field of activity, the legislation being built at the level of each state of the American Federation.
GDPR applies to all organizations that collect or process EU citizens data, regardless of where they are based.
The main features of the GDPR:
• Explicit consent: the processing of personal data must be based on the clear and informed consent of the person.
• increased rights for individuals: the right of access, the right of rectification, the right of deletion (“the right to be forgotten”), the portability of the data, etc.
• Responsibility and transparency: Data operators must demonstrate that they respect GDPR principles.
• Notification of violations: Security violations must be reported to authorities within 72 hours.
• Severe sanctions: fines of up to 20 million euros or 4% of the annual global turnover.
Regulation of data protection in the US – a real puzzle
Data protection in the USA looks completely different depending on the place, data type and industry. There is no unified federal law governing data protection in all sectors of activity, at national level, but there are a number of sectoral and state laws.
Examples of relevant regulations:
• California Consumer Privacy Act (CCPA): A law close to the GDPR, offers residents the right to find out what data are collected about them, request to delete them and opt for selling their data.
• Health Insurance Portability and Accountability Act (HIPAA): protects the medical data.
• Children's Online Privacy Protection Act (COPPA): It regulates data from children under 13 years.
• Gramm-sibliley act (GLBA): protects the financial information of consumers.
What did Google and Apple accuse
Although the US does not have a direct equivalent of the GDPR regulation, its appearance has put pressure on American companies with operations in Europe.
In March 2025, the European Commission accused Google and Apple of violating the Digital Markets Act – DMA) of the EU. The Commission claimed that Google favored its services in search results and restricted Play Store developers to direct consumers to more advantageous offers. Apple has been accused of limiting competitors' access to his operating systems. These shares could lead to fines of up to 20% of the global revenue of a company. The US Administration, led by President Donald Trump, reacted threatening with imposing customs tariffs.
Several US states – especially California, Virginia, Colorado and Utah – have begun to adopt partially inspired laws. If the GDPR regulation sets a high and unitary standard in the EU, the American frame is fragmented, permissively and often more favorable to companies than consumers.
Key differences between the EU and the US
| APPEARANCE | EU (GDPR) | US |
| The legal framework | Uniformly, at the level of the whole of the EU | Fragmented: sectoral/state laws |
| Consent | Explicit and informed | Sometimes default, according to context |
| Users rights | Sometimes default, according to context | Limited and different depending on the state |
| Approach | Centered on the rights of the individual | Focused on commercial interests |
| penalties | Severe, centralized | Variables, according to applicable law |
| Extraterritoriality | Applicable globally (for EU data) | Applicable globally (for EU data) |
“There are voices that say that the EU has exaggerated with the regulations and has put a too big burden on companies. It is no less true that companies must adapt to the new digital reality. And we are not talking about a mere adoption of acts and rules, but about an understanding of the phenomen serious such as thefts and use of identity or continuous surveillance“, Added Cristiana Deca.
According to her, the United States and the European Union were and will be involved in all kinds of disputes, “the war of regulations“Being the one that covers various sectors, including technology, agriculture and environmental standards. Precisely because the interconnections and operations of American and European companies are running on a global market, not just bilateral, it becomes more and more pressing the finding of common decks.
