Stanford CIS

Why Europe's GDPR magic will never work in the US

By Neil Richards

The internet has been with us for a quarter of a century, but the US has still not passed a law requiring its companies to abide by meaningful data-privacy protections. This matters because most of the western world’s big technology companies are American. In 2020, America’s privacy bill will finally be settled.

In May 2018, the EU’s General Data Protection Regulation (GDPR) took effect, and it is already transforming American privacy law and practice. GDPR is a comprehensive set of regulations, and its extensive requirements are becoming a global market norm. In practice, if you want to do international business in personal data, you have to follow at least the spirit of GDPR, even in the US.

State legislatures have taken the initiative and called Congress’s hand on privacy, even if Congress hasn’t updated its approach to privacy in years. Influenced by the GDPR, states have started to pass their own data protection statutes, such as the new California Consumer Protection Act. And now, after years of opposition to regulation, big technology companies have started to call for a baseline US privacy law that everyone abides by. Congress now finds itself sandwiched between bottom-up momentum from the states, and sideways influence from the EU. In 2020 it will be forced to make a choice.

While the GDPR and the US states’ proposals differ in important ways, each more or less requires transparency and accountability from companies and control for data subjects. But any version of the GDPR that is likely to pass Congress is also likely to be significantly watered down, and look more like the existing US model of notice (reading the privacy policy) and choice (opting out of Facebook and Google).

Read the full piece at Wired.