Europe has been moving aggressively to impose order on the tech space. Already, it has inflicted painful penalties on Apple and Google for their business practices.
Now, technology companies are readying themselves for sweeping new privacy rules that will go into effect next month across the European Union. They could face billion-dollar fines if they fail to give European users far more control over their personal information.
Whether Congress follows the European model, as some lawmakers floated last week, or whether big tech companies determine it’s too cumbersome to treat the 500 million people of the European Union differently from the rest of the world, Europe is likely to keep setting the global pace for aggressive regulation.
“As a first mover, that has now become a baseline,” said Dean Garfield, the president of the Information Technology Industry Council, a Washington-based trade group for tech giants such as Apple, Amazon, Facebook and Google. Europe “is increasingly setting the norm.”
And Europeans have embraced the role.
“The E.U. is a real regulatory superpower, and it exports its values and its standards,” said Christopher Kuner, a director of the Brussels Privacy Hub at the Free University of Brussels.
At the center of the action is Helen Dixon, Ireland’s data protection commissioner. Because the European operations for many big technology companies are headquartered in low-tax Ireland, Dixon is set to become the top cop for U.S. tech giants that include Facebook, Google, Apple, LinkedIn and Airbnb when the new privacy regime comes into force on May 25. She will have the power to slap companies with fines of up to 4 percent of global revenue — which for Facebook could mean penalties of up to $1.6 billion.
“Their business model is around monetizing personal data, and this creates very significant challenges in terms of fundamental rights and freedoms of individuals,” Dixon said in an interview in her Dublin townhouse office. “It creates a type of surveillance and tracking of individuals across the Internet that undoubtedly needs regulation.”
Facebook’s latest scandal has been perfectly timed to draw attention to Europe’s long-planned privacy rules. On April 4, the company said “malicious actors” had used its search tools to match previously hacked email addresses and phone numbers to Facebook profiles. That follows the company’s report that Cambridge Analytica, a data analysis firm hired by President Trump during his 2016 campaign, improperly accessed 87 million Facebook users’ names, “likes” and other personal information — in many cases without their knowledge or consent. The matter has spawned investigations on both sides of the Atlantic.
In Europe, Dixon joins an elite rank of enforcers, many of whom happen to be women, holding power over the U.S. tech industry.
Her partners include Andrea Jelinek, an Austrian data protection regulator who is expected to lead a new board of E.U. consumer-privacy cops.
In the E.U. capital of Brussels, top justice official Vera Jourova has challenged Facebook in recent weeks over the Cambridge Analytica affair.
And then there’s Margrethe Vestager, the bloc’s competition chief. She thwacked Google with a nearly $3 billion fine and is forcing it to overhaul how it presents sponsored shopping results. She is making Apple pay $16 billion in back taxes to Ireland.
Vestager, who was in Washington on Friday, has said she is increasingly turning her attention to issues around user data — a development that has cheered privacy advocates and chilled technology companies, which complain they are being targeted for their success.
“It has become almost a habit of looking into data issues when we do a merger procedure, antitrust procedures,” Vestager told reporters.
“Data is an asset,” she said in a follow-up interview. “You can mine it; you can work it; you can do completely different things.” She said that regulators were treating data as a “completely different creature” than they did five years ago.
U.S. state officials have taken cues from her antitrust enforcement strategy. Josh Hawley, Missouri’s attorney general, mimicked her investigation into Google, for instance, and has demanded the company give him the same evidence.
“People like Josh Hawley don’t want European consumers enjoying better protections than Missourians, so when you have this disparity in how the law is being enforced, it puts pressure on every other jurisdiction to say, ‘What did we miss?’ ” said Luther Lowe, the vice president for government relations at Yelp, the reviews website. Yelp has been Google’s chief antagonist in the European Union.
The United States was caught somewhat flat-footed by the Facebook privacy scandal. Lawmakers have debated whether to enhance the government’s ability to investigate and penalize tech giants that misuse consumers’ most sensitive information. But Congress has so far failed to pass a single comprehensive privacy law for the digital age, stumbling in no small part because of partisan warfare and intense, well-funded lobbying efforts from Silicon Valley.
Still, lawmakers are clearly intrigued by what Europe is doing.
“Would you support legislation to back that general principle: that opt-in, that getting permission, is the standard?” Sen. Edward J. Markey (D-Mass.) asked Zuckerberg during the first of two days of hearings. “Europeans have passed that as a law. Facebook’s going to live with that law beginning on May 25. Would you support that as the law in the United States?”
Zuckerberg sought to reassure users in the United States that they will get the same privacy controls as Europeans after the new laws come into effect, although he allowed himself some wiggle room on the specifics.
“I think everyone in the world deserves good privacy protection,” Zuckerberg said. “Regardless of whether we implement the exact same regulation, I would guess that it would be somewhat different, because we have somewhat different sensibilities in the U.S. as to other countries.”
For their part, European policymakers have relished their trendsetting status.
“The U.S. public right now is realizing that maybe the Europeans have done something that is in their own interest,” said Jan Philipp Albrecht, a German member of the European Parliament who played a leading role in drafting the privacy regulations.
Now technology companies are bracing for the privacy rules to kick in.
In Ireland, the new powers will be a big change for a regulator who until recently was dinged for a lax approach to big technology companies.
Some critics say Irish officials were holding their punches because of the country’s tech-
dependent economic growth.
“I’m not sure how much there’s influence in it, how much there’s politics in it, and how much general consensus there is in Ireland in not regulating the big U.S. giants,” said Max Schrems, an Austrian privacy advocate who scored repeated legal victories against Dixon’s predecessor.
People who have watched Dixon work say her style can be conciliatory rather than confrontational. Critics say her office has not always been aggressive about defending citizens’ rights.
“You have a culture within the institution which relies on a limited use of statutory enforcement mechanisms and more on persuasion,” said T.J. McIntyre, a law professor who is the chairman of Digital Rights Ireland, a group that has challenged how the Irish government retains information about its citizens.
But observers say Dixon’s beefed-up resources and enforcement powers are likely to give her new ammunition as she pushes companies to fall in line.
Just four years ago, Ireland’s data protection office was a backwater, with 25 employees housed above a convenience store outside Dublin.
When Dixon took the reins in late 2014, she fought for more funding, quadrupled her staff and moved into the capital. The Georgian townhouse is a brisk walk away from the glassy new tech district that has sprung up around a once-scruffy dock area. Dixon plans to hire another 40 staffers this year.
“I don’t think the data protection authority was sufficiently staffed at the point where I came on board,” Dixon said. “I think it has been rectified.”
Still, enforcement may require a fight: Both Google and Apple have appealed Vestager’s judgments against them.
The new E.U. rules, known as the General Data Protection Regulation, or GDPR, will give individuals far more control over their personal data. Companies will have to spell out what they will use data for and give users clear choices about whether to agree. Individuals would be able to force companies to return data to them if they wanted to leave a service.
Vestager, the competition chief, said the aim is to ensure that Web users “feel they are somewhat in control” of their data.
She mentioned Facebook’s recent troubles with Cambridge Analytica.
“I think the situation is quite good, because very often when something happens that sort of turns people’s attention to an issue, you say, ‘Oh. It’s brand new. We have to regulate,’ ” she said. In this case, she said, Europe already has a legal framework that “actually, for real, allows the individual to enforce their rights.”
Romm reported from Washington. Quentin Ariès in Brussels contributed to this report.