G.D.P.R., a New Privacy Law, Makes Europe World’s Leading Tech Watchdog

The notices are flooding people’s inboxes en masse, from large technology companies, including Facebook and Uber, and even from parent teacher associations, children’s soccer clubs and yoga instructors. “Here is an update to our privacy policy,” they say.

All are acting because the European Union on Friday enacts the world’s toughest rules to protect people’s online data. And with the internet’s borderless nature, the regulations are set to have an outsize impact far beyond Europe.

In Silicon Valley, Google, Facebook and other tech companies have been working for months to comply with the new rules, known as the General Data Protection Regulation. The law, which lets people request their online data and restricts how businesses obtain and handle the information, has set off a panic among small businesses and local organizations that have an internet presence.

Brazil, Japan and South Korea are set to follow Europe’s lead, with some having already passed similar data protection laws. European officials are encouraging copycats by tying data protection to some trade deals and arguing that a unified global approach is the only way to crimp Silicon Valley’s power.

“We want to achieve the same level of restrictions that you have in Europe,” said Luiz Fernando Martins Castro, a lawyer based in São Paulo who advises the Brazilian government on internet policy. Mr. Castro said Europe was “pushing the matter and making people realize that we have to go forward.”

Europe is determined to cement its role as the world’s foremost tech watchdog — and the region is only getting started. Authorities in Brussels and in the European Union’s 28 member countries are also setting the bar for stricter enforcement of antitrust laws against tech behemoths and are paving the way for tougher tax policies on the companies.

The region’s proactive stance is a sharp divergence from the United States, which has taken little action over the years in regulating the tech industry. Most recently, the Trump administration has sought to cut taxes and roll back regulation, while pursuing an increasingly protectionist tack to shield tech companies from competition from China.

“The E.U. is more advanced than the U.S. in protecting consumer privacy, and what happens there could be a harbinger of the future,” said Michael Kearns, a computer science professor at the University of Pennsylvania, who has studied the data collection techniques of companies including Facebook and Google.

Europe’s new privacy measures, called G.D.P.R. for short, let people reduce the trail of information left when browsing social media, reading the news or shopping online. Individuals will be able to request the data that companies hold on them, and demand it be deleted.

Businesses must also more clearly detail how someone’s data is being handled, while clearing a higher bar to target advertising using personal information. Companies face fines if they do not comply, with tech giants risking penalties greater than $1 billion. Privacy groups preparing class action-style complaints under the new law may put even more legal pressure on companies.

European authorities have actively encouraged other countries to adopt similar laws to G.D.P.R. Officials have been dispatched around the world to preach the tougher rules. Data protections are becoming part of trade deals, with the region ready to limit access to its market of 500 million consumers if countries do not rise to meet Europe’s standards.

“If we can export this to the world, I will be happy,” said Vera Jourova, the European commissioner in charge of consumer protection and privacy who helped draft G.D.P.R. She said she planned to travel to Japan and South Korea in the next few weeks for talks about data protection. Regulating technology, she added, is a “global challenge.”

Europe’s influence can be seen in Brazil, which has sought advice from Brussels on its own privacy legislation. The bill closely mirrors Europe’s new regulations, including a requirement to get people’s consent before collecting personal data and special protections for information on political affiliation, religious beliefs, sexual orientation or health.

Brazil has an incentive to draft tougher privacy laws: One provision of G.D.P.R. limits the data that companies can transfer outside the European Union unless that data goes to a country that meets Europe’s standards.

“Many countries are interested in signing a trade agreement with the European Union, and then privacy becomes an important precondition,” said Mr. Buttarelli.

Europe’s fingerprints can be seen elsewhere in the world, too. Japan last year passed a data protection law creating a new independent online privacy board, and Tokyo and Brussels are finalizing the details of a data transfer deal. South Korea is considering new privacy rules, while Israel has adopted updated requirements for disclosures of data breaches — both share elements with the European rules.

Europe’s influence is not going unnoticed by America’s tech giants, which have long complained that Brussels unfairly focuses on them.

The new privacy rules are part of a “strong European tradition” of policing industries to protect the environment or public health, even if it does “constrain business,” said Margrethe Vestager, Europe’s top antitrust official.

To meet G.D.P.R.’s requirements, Facebook and Google have deployed large teams to overhaul how they give users access to their own privacy settings and to redesign certain products that may have sucked up too much user data. Facebook said it had roughly 1,000 people working on the initiative globally, including engineers, product managers and lawyers.

In Brussels, the Silicon Valley companies are fast adding lobbyists to influence other European regulations before they spread. Google and Microsoft are already among the five biggest spenders on lobbying in the European Union, with budgets of about 4.5 million euros, or $5.3 million, each, according to LobbyFacts.eu, which tracks such spending. Facebook, whose chief executive, Mark Zuckerberg, was in Brussels this week, doubled its lobbying budget last year to roughly €2.5 million, the watchdog site said.

Dean C. Garfield, president of the Information Technology Industry Council, a Washington-based trade group representing Apple, Facebook, Google and other companies, said his group was adding staff in Brussels because Europe was “driving and directing policy.”

“In the absence of another approach, it’s easier for other markets to follow what Europe has done,” said Mr. Garfield.

On Thursday, a group of Democratic senators announced a resolution to match G.D.P.R., a sign of how United States policy may change if control of Congress shifts in November.

Whether Europe’s tough approach is actually crimping the global tech giants is unclear. The region’s regulators have hit American companies with hefty fines over antitrust violations, the mishandling of user data and the payment of taxes, but Amazon, Apple, Google and Facebook have continued to grow and add customers.

Challenges remain over how G.D.P.R. will be enforced. National regulators across Europe will be charged with policing the regulations, but many have woefully fewer resources than the companies they will be overseeing.

The data protection office in Ireland, for instance, where many tech giants have their regional headquarters, has a budget of just €7.5 million, or $8.8 million, but will be responsible for regulating some of the world’s biggest tech firms. That raises concerns that the companies will be able to avoid tough penalties.

Even if Europe persuades other countries to adopt its policies, it will be hard to ensure the laws work, said Omer Tene, a vice president at the International Association of Privacy Professionals, a trade group that tracks global privacy regulation.

“It’s one thing to have rules on the books,” said Mr. Tene. “It’s quite another thing to implement these rules on the ground.”

This article originally appeared on NYTimes.com