[CamTin]

These recently-discovered European "rights" are probably non-starters, but the ability to get a Google-takeout style package of your own data, and some reasonably protections regarding consent and the way your data is used would clearly Constitutional. We already force some industries to follow most of these precepts in other laws that haven't been challenged: credit agencies have to explain your credit score to you, HIPAA manages how medical data is used. The core of GDPR is really just expanding those laws to all companies.

The only sticky one is really the "right to be forgotten," which just isn't a right, and possibly has constitutional (1st amendment) problems.

IMO though, a "conservative GDPR" could get Republican backing by basically framing it as a question about property rights, which their base is all about: your data is valuable, and it's YOUR property, not Google's. Some of the other provisions could be sold as a "sunshine law" for big business.

Also resumably, given US politics, there would be plenty of exemptions for small businesses (and industries that have strong lobbying firms).

(note that I'm not a lawyer, so this may be bullshit)

[hannasanarion]

If you actually read up on the "right to be forgotten" you will see that "free speech" is always an exception to it. You cannot demand to be forgotten in order to censure others.

[methodover]

The American interpretation of “free speech” is much more broad than in the EU. Here, laws banning hate speech or flag burning or corporate campaign donations are unconstitutional for example. Libel lawsuits are much harder to pull off here as well.

A law requiring businesses and individuals to delete any personal data at the request of the data subject, as the GDPR requires, would have to be extremely narrowly written to survive constitutional muster here, I think.

If I do business with you and write down your name, the GDPR requires that I delete your name if you ask me to (and even if you don’t if our relationship ends). That wouldn’t survive a First Amendment challenge here.

[DanBC]

> If I do business with you and write down your name, the GDPR requires that I delete your name if you ask me to (and even if you don’t if our relationship ends).

No, it really really doesn't.

https://gdpr-info.eu/art-17-gdpr/

> The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

> the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

> the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;

> the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);

> the personal data have been unlawfully processed;

> the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

> the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

[hannasanarion]

GDPR doesn't require that you do that. GDPR has other exceptions that you could plead very easily: undue hardship, archival, public interest, compliance with other laws, scientific research, and establishing legal claims. What would you need my name for if not one of those?

[methodover]

Maybe I want to remember your name because, let's say, I want to pray for all my customers every Sunday. Or perhaps I want to try and memorize all my customer's names so I can use your name when I see you come in my shop. Or perhaps to track patterns of purchases by my customers. Or perhaps because I think it's important to have a track record of everyone I've sold to, and when, for purposes to be discovered later down the line that I can't think of right now.

In America, I don't need a reason for writing your name down. In the EU on the other hand, all personal data needs to be deleted, unless a specific government-approved exemption applies, as you said.

Quoting the US Supreme Court, in Chicago v. Mosley, 1972:

> Above all else, the First Amendment means that government has no power to restrict expression because of its message, its ideas, its subject matter, or its content. To permit the continued building of our politics and culture, and to assure self-fulfillment for each individual, our people are guaranteed the right to express any thought, free from government censorship [1]

I'm pretty sure that if the GDPR was copied and pasted into a US law, the Right to be Forgotten would be struck down as unconstitutional very quickly.

1. https://supreme.justia.com/cases/federal/us/408/92/case.html