“At first, the GDPR was seen as a gift to investigative journalists” in Romania, said Raluca Radu, the Romanian journalism professor, but now there are doubts. “If the authorities, the politicians, think they can use GDPR when other legislation cannot help them personally,” this will have a chilling effect on the media. “I mean, 20 million euros. That’s a lot!”

Yet even when vengeful officials aren’t targeting media companies under the guise of privacy, laws like GDPR still impose a burden. European small businesses with any kind of web presence grumble about the expense of adding further measures to protect the data of customers, employees, and even any visitors that happen to venture onto their websites. (A small, Rome-based NGO with no customers whatsoever had to shell out 15,000 euros to become GDPR-compliant last year. “But it’s done with,” the director told me. “We’re up to date now.”)

But ad networks and the publishers who collect revenue from them are among those most put off by the EU law. As GDPR went into effect a year ago—on May 25, 2018—hundreds of American news outlets, including the Chicago Tribune and others owned by Tribune Publishing, decided that rather than go GDPR-complaint, they would simply block anyone coming to their sites from Europe. It stands as one of the largest-ever news blackouts in the Western world, and it’s still going on a year later. For Cubs and Bears fans marooned in Europe, the data-privacy rule has made it far more difficult to get decent back-home coverage of their beloved teams. When news outlets as large and as storied as the Tribune and its corporate siblings, such as The Baltimore Sun and the New York Daily News, feel obliged to bar European visitors from their websites, it’s evidence of how ambitious data-privacy rules could reshape the news industry if they spread.

To the extent that Americans come across as more laissez-faire on electronic privacy, that may have as much to do with give-away-the-keys convenience as it does with any particular zeal for the First Amendment. But in the wake of the Cambridge Analytica–Facebook data-breach scandal and other revelations about the tech industry’s collection of users’ personal information, a patchwork of data-protection laws is cropping up. The most significant is the California Consumer Privacy Act, which was born out of a ballot initiative last year. Scheduled to go into effect next year, the act borrows elements from GDPR, such as the right to have your personal data deleted and the right to know how it’s being used. It’s viewed as a fundamental transformation—a more European one, even—in America’s policy on privacy protection.

“From a practical standpoint, the California law will become the law of the land,” predicts Joseph Jerome, a privacy-policy counsel for the Center for Democracy & Technology, a digital-rights advocacy group. For a company with an online presence, “it doesn’t make a whole lot of sense to provide [protections] just to California residents. And I think you’d have some really horrible PR messaging for those companies that don’t want to offer those rights outside of California.” (To wit, a Tribune Publishing spokeswoman said the company intends to fully comply with the California measure from day one; the company is no closer to easing its GDPR blackout, however.)