The Washington PostDemocracy Dies in Darkness

Europe, not the U.S., is now the most powerful regulator of Silicon Valley

Facebook and many other companies are updating their privacy policies and service terms to comply with European Union rules governing data and privacy. (Richard Drew/AP)

Europe implemented a sweeping overhaul of digital-privacy laws on Friday that has reshaped how technology companies handle customer data, creating a de-facto global standard that gives Americans new protections and the nation’s technology companies new headaches.

These major changes underscored the extent to which the European Union has emerged as the most powerful regulator of Silicon Valley, stepping in where Washington has failed — or simply been unwilling — to limit some of the United States’ most lucrative and politically influential companies.

The suite of new laws, collectively known as GDPR, for General Data Protection Regulation, gives users the right to demand the deletion of data and object to new forms of data collection while requiring that companies get explicit consent for how they collect, process and use data — practices that had been all but unfettered in the United States. Potential violators could face fines of up to 4 percent of global profits.

Although GDPR does not directly limit how tech companies treat customers outside of Europe, some technology companies have opted to adopt a single global standard, forcing a scramble in recent months to issue new privacy policies, tighten internal procedures and solicit new permissions from users. Even companies in other industries, for whom data collection is not the core of their businesses, have been forced to adapt.

“Ironically, many Americans are going to find themselves protected from a foreign law,” said Rohit Chopra, the new Democratic commissioner at the Federal Trade Commission, which for years has been the federal government’s most aggressive privacy regulator. “This is not something we are accustomed to.”

Europe’s moves have been fueled by rising distrust of Silicon Valley combined with deeply held cultural notions about personal privacy and a greater willingness to use governmental power to curb private-sector abuses.

American consumer advocates, long aware of this transatlantic split, have threatened to lodge legal complaints in the E.U. against the biggest American technology companies — including Amazon, Facebook, Google and Microsoft — to force them to change their business practices well beyond the confines of Europe.

“The path to privacy in the United States has to be fought through Europe,” said Jeff Chester, executive director of the ­Center for Digital Democracy, a privacy watchdog group.

GDPR is meant to give the European Union more teeth in enforcing individual privacy protection. Based on the notion of “privacy by default,” the law requires companies to ensure that they collect and store personal data safely and securely.

The first complaints came early Friday, in the hours after GDPR took effect, from Austrian privacy activist Max Schrems, who has successfully challenged Facebook in the past. Schrems alleged that Facebook and two of its services, WhatsApp and Instagram, as well as Google’s Android smartphone operating system, violate the GDPR because of how they obtain users’ consent.

“For us, this is very much the start,” said Ailidh Callander, a legal officer at Privacy International, a Britain-based privacy watchdog. “This is the new standard that many companies around the world need to meet, and we will be vigilant in how they implement it.”

Europeans have long demanded more robust protections of their privacy than Americans, a function both of their history and their attitudes about regulation. 

Grandparents in Western Europe remember Nazi-era intrusion. In Eastern Europe, Communist-era secret police have been gone for only a generation. Many citizens are far more jealous of their private lives than Americans, hesitating to hand data about themselves to governments and companies alike. 

In Germany, for example, no national census was taken between 1987 and 2011, in part because of bitter memories that population rolls were used to target Jews and others by the Nazis. German parents fret about posting pictures of their children because on Facebook they aren’t old enough to give their own consent for sharing an image publicly. 

Europeans are also more comfortable than Americans with robust government regulation of private companies, and the new privacy regulations grew from that attitude. European regulators often demand that a product be proved safe before it can be put on the market. American regulators often need proof that it is unsafe before they pull it off the shelves.

“I think there is a more natural tendency in Europe to want to set down the rules in a legal framework. People expect the authorities to provide that kind of guidance,” David O’Sullivan, E.U. ambassador to the United States, said in an interview. “In America, there is slightly more skepticism about the risk of too much government.”

Critics of Europe’s culture say that it stifles creativity, and they point to the rise of U.S. tech giants Facebook and Google — and the relative lack of equivalent European companies — as a natural outcome. But European advocates say that Americans place far too much faith in the companies to keep users’ interests in mind, and that E.U. governments are better at protecting their citizens. 

To American privacy advocates, the implementation of GDPR could not come at a more critical time. Last year, hackers broke into servers for Equifax, a credit-reporting agency, and accessed more than 140 million Americans’ names, addresses, Social Security numbers and other sensitive information. More recently, attacks have come to light involving fitness giant Under Armour, restaurant chain Chili’s and ride-hailing app Uber.

Facebook in March faced even sharper rebukes following reports that Cambridge Analytica, a political consultancy, had improperly gained access to personal data on 87 million Facebook users, prompting investigations in the United States as well as Europe.

On Friday, during a speech in Brussels touting GDPR, E.U. Justice Commissioner Vera Jourova called the incidents “a reminder that privacy is much more than just a luxury. It is a necessity.”

 GDPR replaces a set of data-protection rules dating to the 1990s. Even before GDPR had been approved, though, European regulators in recent years had repeatedly penalized U.S.-based companies for failing to protect citizens’ data, even slapping Facebook with a $122 million fine last year.

While U.S. tech companies have major operations in Europe, including lobbying shops in Brussels and other capitals, they do not have the same political clout as they enjoy in their home country, where they are key drivers of economic growth.

But the political mood appears to be shifting the United States as well. The April appearance of Facebook CEO Mark Zuckerberg on Capitol Hill generated an unusually bipartisan chorus of complaints from lawmakers, suggesting that Washington may eventually follow Europe’s lead in tightening rules against tech companies.

“Europe is now a preview of coming attractions to the United States, and as each day goes by, people are growing increasingly concerned about their privacy,” said Sen. Edward J. Markey (D-Mass.), a longtime advocate for privacy rules. “Public policy needs to catch up to meet the public’s demand.”

Birnbaum reported from Vienna. Quentin Ariès in Brussels and James McAuley in Paris contributed to this report.