One of the main components of GDPR is aimed particularly at internet privacy. It clearly states that companies are not allowed to work with any personal data of EU citizens without their informed consent. What is considered to be “personal data” extends to details such as IP addresses, browsing history and other identifiers derived from users' online activity, which are sometimes stored by browsers and third parties in small files called “cookies”.
By installing these cookies on the devices of internet users, companies are able to track users and send them customized ads and messages based on their history. After GDPR, doing this without explicit consent for each cookie, and without explaining what data the cookies store, for what purpose and for how long, is no longer possible. GDPR makes website and app owners responsible for all the data gathered through their sites and apps, whether they collect it themselves or a third party does. An example of a third party would be an analytics app for monitoring website traffic.
The catch is that this should not only apply to EU websites, but also to sites anywhere in the world that may at some point have visitors from the EU. And this includes the US.
With the EU and US economies being somewhat connected, a workaround for this issue was found. Named the Privacy Shield, it set out a few privacy rules based on GDPR that US companies had to comply with in order to transfer data from the EU to the USA. Many companies applied to be part of the Privacy Shield, including some that have been in the spotlight in the past for infringing user privacy, like Google and Facebook.
Under this regulation, they were still allowed to transfer data from the EU and host it in the US.