Having worked for many years in digital security in Europe, I believe that I have some understanding of this issue. It all boils down to the presence (US) or absence (EU) of private credit rating and consumer data collection industries. In Europe, banks are required to do their own risk assessment. If any data collected about a consumer falls into the wrong hands, the collecting party is liable for any damages UNLESS the consumer has given formal (i.e. written) consent for that information to be passed on.
In the US, the entire credit industry is predicated on the ability to collect large amounts of data about consumers and then to create risk profiles based on that data.