ABSTRACT
EU Data Protection Agencies have been vigorously enforcing violations of regional and national data protection law in recent years against US tech companies, but few changes have been made to their business model of exchanging free services for personal data. With the Cambridge Analytica debacle revealing how insufficient American privacy law is, we now find ourselves questioning whether the General Data Protection Regulation (GDPR) is not the onerous 99 article regulation to be feared, but rather a creation years ahead of its time. This paper will explain how the differences in US and EU privacy and data protection law and ideology have led to a wide divergence in enforcement actions and what US companies will need to do in order legally process the data of their users in the EU. The failure of US tech companies to fulfill the requirements of the GDPR, which has extraterritorial application and becomes applicable on May 25, 2018, could result in massive fines (up to $4 billion using the example of Google). The GDPR will mandate a completely new business model for these US tech companies that have been operating for well over a decade with very loose restrictions under US law. Will the GDPR be the end of Google and Facebook or will it be embraced as the gold standard of how companies ought to operate?
Kimberly A Houser and WG Voss, GDPR: The End of Google and Facebook or a New Paradigm in Data Privacy?, 25 Richmond Journal of Law and Technology 1 (2024).
Leave a Reply