The European Union on Friday puts the world’s toughest data privacy rules into effect. The regulations are set to have an outsize impact far beyond Europe.
LONDON — The notices are flooding people’s inboxes en masse, from large technology companies, including Facebook and Uber, and even from parent teacher associations, children’s soccer clubs and yoga instructors. “Here is an update to our privacy policy,” they say.
All are acting because the European Union on Friday enacts the world’s toughest rules to protect people’s online data. And with the internet’s borderless nature, the regulations are set to have an outsize impact far beyond Europe.
In Silicon Valley, Google, Facebook and other tech companies have been working for months to comply with the new rules, known as the General Data Protection Regulation. The law, which lets people request their online data and restricts how businesses obtain and handle the information, has set off a panic among small businesses and local organizations that have an internet presence.
Brazil, Japan and South Korea are set to follow Europe’s lead, with some having already passed similar data protection laws. European officials are encouraging copycats by tying data protection to some trade deals and arguing that a unified global approach is the only way to crimp Silicon Valley’s power.
“We want to achieve the same level of restrictions that you have in Europe,” said Luiz Fernando Martins Castro, a lawyer based in São Paulo who advises the Brazilian government on internet policy. Mr. Castro said Europe was “pushing the matter and making people realize that we have to go forward.”
Europe is determined to cement its role as the world’s foremost tech watchdog — and the region is only getting started. Authorities in Brussels and in the European Union’s 28 member countries are also setting the bar for stricter enforcement of antitrust laws against tech behemoths and are paving the way for tougher tax policies on the companies.
The region’s proactive stance is a sharp divergence from the United States, which has taken little action over the years in regulating the tech industry. Most recently, the Trump administration has sought to cut taxes and roll back regulation, while pursuing an increasingly protectionist tack to shield tech companies from competition from China.
“The E. U. is more advanced than the U. S. in protecting consumer privacy, and what happens there could be a harbinger of the future,” said Michael Kearns, a computer science professor at the University of Pennsylvania, who has studied the data collection techniques of companies including Facebook and Google.
Europe’s new privacy measures, called G. D. P. R. for short, let people reduce the trail of information left when browsing social media, reading the news or shopping online. Individuals will be able to request the data that companies hold on them, and demand it be deleted.
Businesses must also more clearly detail how someone’s data is being handled, while clearing a higher bar to target advertising using personal information. Companies face fines if they do not comply, with tech giants risking penalties greater than $1 billion. Privacy groups preparing class action-style complaints under the new law may put even more legal pressure on companies.
European authorities have actively encouraged other countries to adopt similar laws to G. D. P. R. Officials have been dispatched around the world to preach the tougher rules. Data protections are becoming part of trade deals, with the region ready to limit access to its market of 500 million consumers if countries do not rise to meet Europe’s standards.
“If we can export this to the world, I will be happy,” said Vera Jourova, the European commissioner in charge of consumer protection and privacy who helped draft G. D. P. R. She said she planned to travel to Japan and South Korea in the next few weeks for talks about data protection. Regulating technology, she added, is a “global challenge.”
Europe’s influence can be seen in Brazil, which has sought advice from Brussels on its own privacy legislation. The bill closely mirrors Europe’s new regulations, including a requirement to get people’s consent before collecting personal data and special protections for information on political affiliation, religious beliefs, sexual orientation or health.
Brazil has an incentive to draft tougher privacy laws: One provision of G. D. P. R. limits the data that companies can transfer outside the European Union unless that data goes to a country that meets Europe’s standards.
“There is almost a reproduction of the European market in our bill,” said Mr. Castro, a member of Brazil’s internet steering committee .
European officials have also been advising Brazilian authorities. Giovanni Buttarelli, the European data protection supervisor, is set to deliver a recorded video message at a policy event in Brazil next week. And last month, a senior data protection official in the European Commission testified before the Brazilian Senate committee drafting the country’s legislation.
“Many countries are interested in signing a trade agreement with the European Union, and then privacy becomes an important precondition,” said Mr. Buttarelli.
Europe’s fingerprints can be seen elsewhere in the world, too. Japan last year passed a data protection law creating a new independent online privacy board, and Tokyo and Brussels are finalizing the details of a data transfer deal. South Korea is considering new privacy rules, while Israel has adopted updated requirements for disclosures of data breaches — both share elements with the European rules.
Europe’s influence is not going unnoticed by America’s tech giants, which have long complained that Brussels unfairly focuses on them.
The new privacy rules are part of a “strong European tradition” of policing industries to protect the environment or public health, even if it does “constrain business,” said Margrethe Vestager, Europe’s top antitrust official.
To meet G. D. P. R.’s requirements, Facebook and Google have deployed large teams to overhaul how they give users access to their own privacy settings and to redesign certain products that may have sucked up too much user data. Facebook said it had roughly 1,000 people working on the initiative globally, including engineers, product managers and lawyers.
In Brussels, the Silicon Valley companies are fast adding lobbyists to influence other European regulations before they spread. Google and Microsoft are already among the five biggest spenders on lobbying in the European Union, with budgets of about 4.5 million euros, or $5.3 million, each, according to LobbyFacts.eu, which tracks such spending. Facebook, whose chief executive, Mark Zuckerberg, was in Brussels this week, doubled its lobbying budget last year to roughly €2.5 million, the watchdog site said.
