First Page


Last Page


Document Type



This Article summarizes the key features of the European Union’s General Data Privacy Regulation (GDPR) that became effective on May 25, 2018. The stated purpose of the law is to give individuals greater control over personal information that is handled by companies and organizations. The Article argues that the GDPR is fundamentally flawed. Key terms within the GDPR are undefined; the burdens of the GDPR will fall heaviest on small businesses; the GDPR disrupts a valuable business model; the GDPR will stymie growth, innovation, and information sharing; and it may be the product of protectionist impulses rather than concerns for consumer welfare.