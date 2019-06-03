When it went into effect last May, GDPR was hailed as the most significant data-protection law ever enacted. Casual internet users in the United States know GDPR as the law that, around this time last year, introduced a new layer of red tape to web surfing. If it seems that an annoyingly persistent pop-up window or disclaimer bar detailing how a site uses tracking cookies is following you around the web, it’s not your imagination. It’s probably GDPR. It’s more obnoxiously pervasive in Europe, where the law has serious teeth. European lawmakers pushed for the heightened digital protections because they believed that, in this age of hack attacks and unscrupulous data collection, the average user was due some added data and privacy protections that the marketplace had failed to deliver.

The law grants EU citizens the right to be informed about how their personal data are being used, the right to have any misuses rectified, the right to data erasure, the right to be forgotten (an EU favorite), and the right to data portability. Provisions restrict the ability of employers, law-enforcement agencies, and other entities to make life-changing decisions by computer algorithm. There are even limits on the collection of biometric data, an issue roiling several U.S. cities. Under GDPR, for example, no state or private entity can collect facial-recognition data without consent. And even then they cannot use it in bulk for the purpose of criminal profiling. GDPR, or at least portions of it, continue to influence the writing and rewriting of data-privacy laws from California to Japan that will ultimately transform our daily digital interactions. And if you want to do business in the EU, and access its 500 million consumers, you have no choice but to comply. The potential fines for violations are staggering.

In some cases, the law has clearly given average people more leverage against the tech giants. Uber drivers in Great Britain used the data-protection law to sue the ride-hailing company this spring, forcing it to disclose the data it had on them, a way to double-check that they weren’t being shortchanged. And German authorities wielded GDPR to force Facebook to dial back its data-collection practice on Germans.

Nevertheless, the year-old law has played out somewhat differently in practice than its architects intended. Even though nearly 100,000 GDPR complaints have been filed so far, critics say enforcement is weak and sporadic in most countries. The Romanian government’s moves against Rise come despite GDPR provisions meant to protect free speech and the public’s right to know.

The Rise journalists remain in limbo. European parliamentarians in Brussels have criticized the case against the Rise Project and disputed the Romanian interpretation of GDPR enforcement. But, Rise’s Radu and various civil-society groups complain, no EU authority has formally intervened on the journalists’ behalf. The impasse has heightened fears that press-shy governments will weaponize GDPR and similar measures around the world.