You are here

Watchdogs go after tech companies as Europe's data law kicks in

GDPR gives users the right to demand the deletion of data and object to new forms of data collection


EUROPE on Friday implemented a sweeping overhaul of digital privacy laws, reshaping how technology companies handle customer data, creating a de-facto global standard that gives Americans new protections and the nation's technology companies, new headaches.

These major changes underscored the extent to which the European Union has emerged as the most powerful regulator of Silicon Valley, stepping in where Washington has failed - or been unwilling - to limit some of America's most lucrative and politically influential companies.

The suite of new laws, collectively known as GDPR for General Data Protection Regulation, gives users the right to demand the deletion of data and object to new forms of data collection, while requiring that companies get explicit consent for how they collect, process and use data - practices that had been all but unfettered in the US. Potential violators could face fines of up to 4 per cent of global profits.

Though GDPR does not directly limit how tech companies treat customers outside of Europe, some technology companies have opted to adopt a single global standard, forcing a scramble in recent months to issue new privacy policies, tighten internal procedures and solicit new permissions from users. Even companies in other industries, for whom data collection is not the core of their businesses, have been forced to adapt.

"Ironically, many Americans are going to find themselves protected from a foreign law," said Rohit Chopra, the new Democratic commissioner at the Federal Trade Commission, which for years has been the federal government's most aggressive privacy regulator. "This is not something we are accustomed to."

Europe's moves have been fuelled by rising distrust of Silicon Valley combined with deeply held cultural notions about personal privacy and a greater willingness to use government power to curb private-sector abuses.

American consumer advocates, long aware of this trans-Atlantic split, have threatened to lodge legal complaints in the EU against the biggest American technology companies - including Amazon, Facebook, Google and Microsoft - to force them to change their business practices well beyond the confines of Europe.

"The path to privacy in the US has to be fought through Europe," said Jeff Chester of privacy watchdog group Center for Digital Democracy.

GDPR is meant to give the EU more teeth in enforcing individual privacy protection. Based on the notion of "privacy by default", the law requires companies to ensure they collect and store personal data safely and securely.

The first complaints came early Friday morning, in the first hours GDPR was in effect, from Austrian privacy activist Max Schrems, who has successfully challenged Facebook in the past. He claimed that Facebook and two of its services, WhatsApp and Instagram, as well as Google's Android smartphone operating system, violate the GDPR because of how they obtain users' consent.

"For us, this is very much the start," said Ailidh Callander, a legal officer at Privacy International, a UK-based privacy watchdog. "This is the new standard that many companies around the world need to meet, and we will be vigilant in how they implement it."

Europeans have long demanded more robust protections of their privacy than Americans, a function both of their history and their attitudes about regulation. Many citizens are far more jealous of their private lives than Americans, hesitating to hand data about themselves both to governments and to companies.

Europeans are also more comfortable than Americans with robust government regulation of private companies, and the new privacy regulations grew from that attitude. European regulators often demand a product be proved safe before it can be put on the market. American regulators often need proof it's unsafe before they pull it off the shelves.

"I think there is a more natural tendency in Europe to want to set down the rules in a legal framework. People expect the authorities to provide that kind of guidance," said David O'Sullivan, ambassador of the EU to the US. "In America, there is slightly more scepticism about the risk of too much government."

Critics of Europe's culture say that it stifles creativity, and they point to the rise of US tech giants like Facebook and Google - and the relative lack of equivalent European companies - as a natural outcome. But European advocates say Americans place far too much faith in their companies to keep customers' interests in mind, and they say that EU governments are better protecting citizens.

To American privacy advocates, the implementation of GDPR couldn't come at a more critical time. Last year, hackers broke into servers for Equifax, a credit-reporting agency, and accessed more than 140 million Americans' names, addresses, Social Security numbers and other sensitive information. More recently, attacks have come to light involving fitness giant Under Armour, restaurant chain Chilis, and ride-hailing app Uber.

Facebook in March faced even sharper rebukes following reports that Cambridge Analytica, a political consultancy, had improperly gained access to personal data on 87 million Facebook users, prompting investigations in the US as well as Europe.

"The recent Facebook/Cambridge Analytica is a reminder that privacy is much more than just a luxury. It is a necessity," said Vera Jourova, the EU's justice commissioner.

GDPR replaces a set of data protection rules dating to the 1990s. Even before GDPR had been approved, though, European regulators in recent years had repeatedly penalised US-based companies for failing to protect citizens' data, even slapping Facebook with a US$122 million fine last year.

While major US tech companies have major operations in Europe, including lobbying shops in Brussels and other capitals, they don't have the same political clout as they enjoy in their home country, where they are key drivers of economic growth.

But the political mood appears to be shifting the US as well. The appearance of Facebook chief Mark Zuckerberg on Capitol Hill in April generated an unusually bipartisan chorus of complaints from lawmakers, suggesting that Washington may eventually follow Europe's lead in tightening rules against tech companies.

"Europe is now a preview of coming attractions to the US, and as each day goes by, people are growing increasingly concerned about their privacy," said Ed Markey, a long-time advocate for privacy rules. "Public policy needs to catch up to meet the public's demand." WP

BT is now on Telegram!

For daily updates on weekdays and specially selected content for the weekend. Subscribe to