GDPR Rules as a US Response to Cambridge Analytica?

Europe's new General Data Protection Regulation (GDPR) goes into force today, after two years of preparation. Anxiety and fallout from the law are running high. Some US businesses, including major newspapers, have blocked all European access to their sites for fear of running afoul of European regulators. (Bruce Brown of the Reporters Committee for Freedom of the Press and I predicted this in a NY Times op-ed two years ago. I'm very sad to have been right about this step toward Internet balkanization.) And privacy activist Max Schrems has already sued Google and Facebook, saying the platforms' revised privacy practices violate the one-day-old law.

Meanwhile, in the US, a remarkable number of people are suggesting we should adopt something like the GDPR. The idea that we need better privacy laws is a very sound one. It's getting traction now largely due to the entirely predictable seepage of users' personal data from Facebook to the political consulting firm Cambridge Analytica. But the idea that we specifically need the GDPR is, frankly, bizarre. The GDPR is a massive piece of legislation. Any one of its numerous provisions would warrant extended debate here. It is hard for me to believe that many Americans just happen to agree with every detail of a heavily negotiated, 351-page, European political compromise.  

I talked about this yesterday on a panel hosted by CIS and the Stanford Law and Technology Association. A few people asked me to share my slides, so I'm doing that. This isn't a comprehensive GDPR overview, or even a real introduction to Data Protection law. It provides a quick and dirty review of some GDPR rules and consequences, and of Data Protection -- an area of law that has no real analogue in the US and that is typically unknown to US lawyers. I then list the areas where the GDPR requires major trade-offs, including government policy on competition, innovation, free expression, and trade. The point isn't that Europe's resolution of these trade-offs -- which accepts foreseeable downsides in other areas, in exchange for better privacy protections -- is wrong for America. It's that they are trade-offs. They are complex and highly consequential -- the lists of issues and questions in these slides barely scratch the surface. These questions could be resolved in a thousand different ways, and the GDPR represents just one very specific and very complex option.

I hope this is helpful. I'll now return to my regularly scheduled job as an intermediary liability lawyer, not a privacy lawyer. 
