As Europe’s data law takes effect, watchdogs go after tech companies

|     Tony Romm, Craig Timberg and Michael Birnbaum     |

EUROPE implemented a sweeping overhaul of digital privacy laws on Friday that has reshaped how technology companies handle customer data, creating a de-facto global standard that gives Americans new protections and the nation’s technology companies new headaches.

These major changes underscored the extent to which the European Union (EU) has emerged as the most powerful regulator of Silicon Valley, stepping in where Washington has failed – or simply been unwilling – to limit some of America’s most lucrative and politically influential companies.

The suite of new laws, collectively known as GDPR for General Data Protection Regulation, gives users the right to demand the deletion of data and object to new forms of data collection, while requiring that companies get explicit consent for how they collect, process and use data – practices that had been all but unfettered in the United States. Potential violators could face fines of up to four per cent of global profits.

Though GPDR does not directly limit how tech companies treat customers outside of Europe, some technology companies have opted to adopt a single global standard, forcing a scramble in recent months to issue new privacy policies, tighten internal procedures and solicit new permissions from users. Even companies in other industries, for whom data collection is not the core of their businesses, have been forced to adapt.

“Ironically, many Americans are going to find themselves protected from a foreign law,” said Rohit Chopra, the new Democratic commissioner at the Federal Trade Commission, which for years has been the federal government’s most aggressive privacy regulator. “This is not something we are accustomed to.”

Facebook’s Mark Zuckerberg speaks during a House hearing on April 11. – WP-BLOOMBERG

Europe’s moves have been fuelled by rising distrust of Silicon Valley combined with deeply held cultural notions about personal privacy and a greater willingness to use government power to curb private-sector abuses.

American consumer advocates, long aware of this trans-Atlantic split, have threatened to lodge legal complaints in the EU against the biggest American technology companies – including Amazon, Facebook, Google and Microsoft – to force them to change their business practices well beyond the confines of Europe.

“The path to privacy in the United States has to be fought through Europe,” said Jeff Chester of Center for Digital Democracy, a privacy watchdog group.

GDPR is meant to give the EU more teeth in enforcing individual privacy protection. Based on the notion of “privacy by default”, the law requires companies to ensure that they collect and store personal data safely and securely.

The first complaints came early Friday morning, in the first hours GDPR was in effect, from Austrian privacy activist Max Schrems, who has successfully challenged Facebook in the past. Schrems alleged that Facebook and two of its services, WhatsApp and Instagram, as well as Google’s Android smartphone operating system, violate the GDPR because of how they obtain users’ consent.

“For us this is very much the start,” said Ailidh Callander, a legal officer at Privacy International, a United Kingdom-based privacy watchdog. “This is the new standard that many companies around the world need to meet, and we will be vigilant in how they implement it.”

Europeans have long demanded more robust protections of their privacy than Americans, a function both of their history and their attitudes about regulation. – The Washington Post