Europe, Enacting New Privacy Laws, Becomes World’s Foremost Tech Watchdog

LONDON — The notices are flooding people’s inboxes en masse, from large technology companies including Facebook and Uber and even from parent teacher associations, children’s soccer clubs and yoga instructors. “Here is an update to our privacy policy,” they say.

All are acting because the European Union on Friday enacts the world’s toughest rules to protect people’s online data. And with the internet’s borderless nature, the regulations are set to have an outsize impact far beyond just Europe.

In Silicon Valley, Google, Facebook and other tech companies have been working for months to comply with the new rules, known as the General Data Protection Regulation. The law, which lets people request their online data and restricts how businesses obtain and handle the information, has set off a panic among small businesses and local organizations that have an internet presence.

Brazil, Japan and South Korea are set to follow Europe’s lead, with some having passed similar data protection laws. European officials are encouraging copycats by tying data protection to some trade deals and arguing that a unified global approach is the only way to crimp Silicon Valley’s power.

“We want to achieve the same level of restrictions that you have in Europe,” said Luiz Fernando Martins Castro, a lawyer based in São Paulo who advises the Brazilian government on internet policy. Castro said Europe was “pushing the matter and making people realize that we have to go forward.”

Europe is determined to cement its role as the world’s foremost tech watchdog — and the region is only getting started. Authorities in Brussels and in the European Union’s 28 member countries are also setting the bar for stricter enforcement of antitrust laws against tech behemoths and are paving the way for tougher tax policies on the companies.

The region’s proactive stance is a sharp divergence from the United States, which has taken little action over the years in regulating the tech industry. Most recently, the Trump administration has sought to cut taxes and roll back regulation, while pursuing an increasingly protectionist tack to shield tech companies from competition from China.

“The EU is more advanced than the U.S. in protecting consumer privacy, and what happens there could be a harbinger of the future,” said Michael Kearns, a computer science professor at the University of Pennsylvania, who has studied the data collection techniques of companies including Facebook and Google.

Europe’s new privacy measures, called GDPR for short, let people reduce the trail of information left when browsing social media, reading the news or shopping online. Individuals will be able to request the data that companies hold on them, and demand it be deleted.

Businesses must also more clearly detail how someone’s data is being handled, while clearing a higher bar to target advertising using personal information. Companies face fines if they do not comply, with tech giants risking penalties greater than $1 billion. Privacy groups preparing class action-style complaints under the new law may put even more legal pressure on companies.

European authorities have actively encouraged other countries to adopt similar laws to GDPR. Officials have been dispatched around the world to preach the tougher rules. Data protections are becoming part of trade deals, with the region ready to limit access to its market of 500 million consumers if countries do not rise to meet Europe’s standards.

“If we can export this to the world, I will be happy,” said Vera Jourova, the European commissioner in charge of consumer protection and privacy who helped draft GDPR. She said she planned to travel to Japan and South Korea in the next few weeks for talks about data protection. Regulating technology, she added, is a “global challenge.”

Europe’s privacy playbook is now playing out in Brazil, which has sought advice from Brussels on its own privacy bill. The bill closely mirrors Europe’s new regulations, including a requirement to get people’s consent before collecting personal data and special protections for information on political affiliation, religious beliefs, sexual orientation or health. Brazil has an incentive to draft tougher privacy laws: One provision of GDPR limits the data that companies can transfer outside the European Union unless that data goes to a country that meets Europe’s standards.

“There is almost a reproduction of the European market in our bill,” said Castro, a member of Brazil’s internet steering committee.

European officials have also been advising Brazilian authorities. Giovanni Buttarelli, the European data protection supervisor, is set to deliver a recorded video message at a policy event in Brazil next week. And last month, a senior data protection official in the European Commission testified before the Brazilian Senate committee drafting the country’s legislation.

“Many countries are interested in signing a trade agreement with the European Union, and then privacy becomes an important precondition,” Buttarelli said.

Europe’s fingerprints can be seen elsewhere in the world, too. Japan last year passed a data protection law creating a new independent online privacy board, and Tokyo and Brussels are finalizing the details of a data transfer deal. South Korea is considering new privacy rules, while Israel has adopted updated requirements for disclosures of data breaches — both share elements with the European rules.

Europe’s influence is not going unnoticed by America’s tech giants, which have long complained that Brussels unfairly focuses on them.

The new privacy rules are part of that “strong European tradition” of policing industries to protect the environment or public health, even if it does “constrain business,” said Margrethe Vestager, Europe’s top antitrust official.

To meet GDPR’s requirements, Facebook and Google have deployed hundreds of employees to overhaul how they give users access to their own privacy settings and to redesign certain products that may have sucked up too much user data. Facebook said it had roughly 1,000 people working on the initiative globally, including engineers, product managers and lawyers. In Brussels, the Silicon Valley companies are fast adding lobbyists to influence other European regulations before they spread. Google and Microsoft are among the five biggest spenders on lobbying in the European Union, with budgets of about 4.5 million euros, or $5.3 million, each, according to LobbyFacts.eu, which tracks such spending. Facebook, whose chief executive, Mark Zuckerberg, was in Brussels this week, doubled its lobbying budget last year to roughly 2.5 million euros, the watchdog site said.

Dean C. Garfield, president of the Information Technology Industry Council, a Washington-based trade group representing Apple, Facebook, Google and other companies, said his group was adding staff in Brussels because Europe was “driving and directing policy.”

“In the absence of another approach, it’s easier for other markets to follow what Europe has done,” Garfield said.

On Thursday, a group of Democratic senators announced a resolution to match GDPR, a sign of how U.S. policy may change if control of Congress shifts in November.

Whether Europe’s tough approach is actually crimping the global tech giants is unclear. The region’s regulators have hit U.S. companies with hefty fines over antitrust violations, the mishandling of user data and the payment of taxes, but Amazon, Apple, Google and Facebook have continued to grow and add customers.

Challenges remain over how GDPR will be enforced. National regulators across Europe will be charged with policing the regulations, but many have woefully fewer resources in comparison to the companies they will be overseeing. The data protection office in Ireland, for instance, where many tech giants have their regional headquarters, has a budget of just 7.5 million euros, or $8.8 million, but will be responsible for regulating some of the world’s biggest tech firms. That raises concerns that the companies will be able to avoid tough penalties.

Even if Europe convinces other countries to adopt its policies, it will be hard to ensure the laws work, said Omer Tene, a vice president at the International Association of Privacy Professionals, a trade group that tracks global privacy regulation.

“It’s one thing to have rules on the books,” Tene said. “It’s quite another thing to implement these rules on the ground.”