BRUSSELS -- Europe implemented a sweeping overhaul of digital privacy laws on Friday that has reshaped how technology companies handle customer data, creating a global standard that gives Americans new protections and the nation's technology companies new headaches.
These major changes underscored the extent to which the European Union has emerged as the most powerful regulator of Silicon Valley, stepping in where Washington has failed -- or simply been unwilling -- to limit some of America's most lucrative and politically influential companies.
The suite of new laws, collectively known as the General Data Protection Regulation, gives users the right to demand the deletion of data and object to new forms of data collection, while requiring that companies get explicit consent for how they collect, process and use data -- practices that had been all but unfettered in the United States.
Facebook, Google and other such firms may be headquartered in Silicon Valley, but they have millions of users in Europe -- and so have to comply with the new rules. Violators face fines of up to $24 million or 4 percent of annual global revenue, whichever is greater.
Though the regulation does not directly limit how tech companies treat customers outside Europe, some technology companies have opted to adopted a single global standard, forcing a scramble in recent months to issue new privacy policies, tighten internal procedures and solicit new permissions from users. Even companies in other industries, for whom data collection is not the core of their businesses, have been forced to adapt.
"Ironically, many Americans are going to find themselves protected from a foreign law," said Rohit Chopra, the new Democratic commissioner at the Federal Trade Commission, which for years has been the federal government's most aggressive privacy regulator. "This is not something we are accustomed to."
Europe's moves have been fueled by rising distrust of Silicon Valley combined with deeply held cultural notions about personal privacy and a greater willingness to use government power to curb the private sector.
American consumer advocates, long aware of this trans-Atlantic split, have threatened to lodge legal complaints in the EU against the biggest American technology companies -- including Amazon, Facebook, Google and Microsoft -- to force them to change their business practices well beyond the confines of Europe.
"The path to privacy in the United States has to be fought through Europe," said Jeff Chester of the Center for Digital Democracy, a privacy watchdog group.
The regulation is meant to give the EU more teeth in enforcing individual privacy protection. Based on the notion of "privacy by default," the law requires companies to ensure that they collect and store personal data safely and securely.
The first complaints came early Friday, in the first hours the regulation was in effect, from Austrian privacy activist Max Schrems, who has successfully challenged Facebook in the past. Schrems alleged that Facebook and two of its services, WhatsApp and Instagram, as well as Google's Android smartphone operating system, violate the regulation because of how they obtain users' consent.
"For us this is very much the start," said Ailidh Callander, a legal officer at Privacy International, a United Kingdom-based privacy watchdog. "This is the new standard that many companies around the world need to meet, and we will be vigilant in how they implement it."
U.S. news outlets including the Chicago Tribune, Los Angeles Times and Arizona Daily Star abruptly blocked access to their websites from Europe on Friday, choosing to black out readers rather than comply with the law. The shutdowns came as a surprise to readers of the publications, because companies had two years to prepare for the new regulations.
The most notable blackouts were by news organizations tied to the American media company Tronc Inc. In addition to the Chicago Tribune and Los Angeles Times, newspapers including the New York Daily News, Orlando Sentinel and The Baltimore Sun were also unavailable to readers in Europe. (Tronc announced in February that it was selling the Los Angeles Times.)
The websites of many other U.S. news organizations, including The New York Times, USA Today and The Washington Post, were accessible from Europe. Some acknowledged the new privacy rules with large disclaimers and other information to explain what information was being gathered when a reader visits the site.
Europeans have long demanded more robust protections of their privacy than Americans, a function both of their history and their attitudes about regulation.
Grandparents in western Europe remember Nazi-era intrusion. In eastern Europe, communist-era secret police have been gone for only a generation. Many citizens are far more jealous of their private lives than Americans, hesitating to hand data about themselves both to governments and to companies.
In Germany, for example, no national census was taken between 1987 and 2011, in part because of bitter memories that population rolls were used to target Jews and others by the Nazis. German parents fret about posting pictures of their children because on Facebook they aren't old enough to give their own consent that their image be shared publicly.
Europeans are also more comfortable than Americans with robust government regulation of private companies, and the new privacy regulations grew from that attitude.
Critics of Europe's culture say that it stifles creativity, and they point to the rise of U.S. tech giants like Facebook and Google -- and the relative lack of equivalent European companies -- as a natural outcome.
To American privacy advocates, the implementation of the new rules couldn't come at a more critical time. Last year, hackers broke into servers for Equifax, a credit-reporting agency, and accessed more than 140 million Americans' names, addresses, Social Security numbers and other sensitive information. More recently, attacks have come to light involving fitness giant Under Armour, restaurant chain Chili's, and ride-hailing app Uber.
Facebook in March faced even sharper rebukes after reports that Cambridge Analytica, a political consultancy, had improperly gained access to personal data on 87 million Facebook users, prompting investigations in the United States as well as Europe.
"The recent Facebook/Cambridge Analytica is a reminder that privacy is much more than just a luxury. It is a necessity," said Vera Jourova, the EU's justice commissioner, during a speech Friday in Brussels touting the new rules.
Information for this article was contributed by Tony Romm, Craig Timberg, Michael Birnbaum, Quentin Aries and James McAuley of The Washington Post; and by Adam Satariano of The New York Times.
Business on 05/26/2018