On Friday, the European Union’s General Data Protection Regulation came into force.
The GDPR allows European residents to control much of the information that a company can collect and retain about them. The most operative effect here will be in limiting how much information social media giants like Facebook and Google can store about individuals without first attaining their consent to store that information. Individuals can also revoke a company’s authority to retain their information.
And if companies fall afoul of the regulation, they can be fined up to $23.3 million or 4 percent of global annual turnover. For the social media giants, that means the prospect of fines reaching into the tens of billions of dollars.
But the major question here is how the European courts will now respond to lawsuits such as that introduced by Max Schrems on Friday. Schrems is suing social media companies for threatening to deactivate user accounts if they do not accept new post-GDPR data retention agreements.
The issue for the courts is whether private businesses still have a legal responsibility to provide their services if a user refuses to accede to their data retention requests. And if the courts do rule in the users favor, which is very possible, major social media companies may decide that their business model is no longer sustainable in Europe. At the same time we’re seeing U.S. media companies such as the Los Angeles Times denying access to their platforms for European residents. They are doing so because they don’t want the prospect of fines and they don’t see European readers as central to their business model.
This raises the interesting question of a regulatory segregation of the Internet and ensuing questions of free speech and access to information.
Ultimately, though, the GDPR won’t affect American citizens beyond residents in Europe and those who head up companies doing business in Europe. But it does seem likely that U.S. politicians will soon attempt to replicate the GDPR in some fashion.
