EU Data Protection Agencies have been vigorously enforcing violations of
regional and national data protection law in recent years against U.S. tech
companies, but few changes have been made to their business model of
exchanging free services for personal data. With the Cambridge Analytica
debacle revealing how insufficient American privacy law is, we now find
ourselves questioning whether the General Data Protection Regulation
(GDPR) is not the onerous 99 article regulation to be feared, but rather a
creation years ahead of its time. This paper will explain how the differences
in U.S. and EU privacy and data protection law and ideology have led to a
wide divergence in enforcement actions and what U.S. companies will need
to do in order legally process the data of their users in the EU. The failure
of U.S. tech companies to fulfill the requirements of the GDPR, which has
extraterritorial application and becomes applicable on May 25, 2018, could
result in massive fines (up to $4 billion using the example of Google). The
GDPR will mandate a completely new business model for these U.S. tech
companies that have been operating for well over a decade with very loose
restrictions under U.S. law. Will the GDPR be the end of Google and
Facebook or will it be embraced as the gold standard of how companies
ought to operate?