EU's new privacy rules to rein in tech giants' clout

Over the past two months, Google has started letting people around the world choose what data they want to share with its various products, including Gmail and
Google Docs. Amazon recently began improving the data encryption on its cloud storage service and simplified an agreement with customers over how it processes their information.

And on Sunday, Facebook rolled out a new global data privacy centre - a single page that allows users to organise who sees their posts and what types of ads they are served.

While these changes are rippling out worldwide, a major reason for these shifts comes from Europe: the tech giants are preparing for a stringent new set of data privacy rules in the region, called the General Data Protection Regulation.

Set to take effect May 25, the regulations restrict what types of personal data the tech companies can collect, store and use across the 28-member EU. Among their provisions, the rules enshrine the "right to be forgotten" into European law so people can ask companies to remove certain online data about them.

The rules also require anyone younger than 16 to obtain parental consent before using popular digital services. If companies do not comply, they could face fines totalling 4% of their annual revenue.

With the deadline for the new rules just a few months away, Silicon Valley's tech behemoths have been scrambling to get ready. Facebook and Google have deployed hundreds of people to make sense of the regulations.

Many of the companies have overhauled how they give users access to their own privacy settings. Some have redesigned certain products that suck up too much user data. And in some cases, companies have removed products entirely from the European market because they would violate the new privacy rules.

"Every person who works for us has, in some way, been involved in preparing the company for GDPR," said Doug Kramer, general counsel of CloudFlare, an internet performance and security company based in San Francisco that has tightened its data storage and processing practices. "GDPR is going to introduce very fundamental changes to the way the internet works for everyone."

The rush of activity is a reminder of how Europe has set the regulatory standard in reining in the immense power of tech giants, while other places - including the US - have largely taken a noninterventionist stance. The GDPR rules were approved in late 2015 after tech companies like Facebook ran into problems over data protection with national privacy watchdogs in various European countries.

European officials said the coming rules are forcing US tech giants to take a step back.

"There has not been any pushback from American companies," said Vera Jourov, European Commissioner for Justice, Consumers and Gender Equality. "If anything, they seem very eager to understand how exactly they can comply with the regulation."

Officials from Facebook, Google and other companies said in interviews that they had been working to give people more control over what data they share anyway. In the past, many of the companies fought back in European courts over privacy rules and declined to offer certain products in the region rather than redesign them to meet privacy standards.

The coming of the new rules has nonetheless pushed a huge scale of internal change, Gilad Golan, Google's director for security and data protection, said at a San Francisco event last month to introduce new security features. "When GDPR goes into effect in 2018, we will be ready," he said.

The biggest challenge, he said, has been preparing for the regulation's mandate that people in Europe must have control over how their digital data is organised. Google, he said, has had to go through each of its services - from Gmail to its Cloud storage services - to comply.

Since the new rules require individuals to give their consent before a company accesses data, for example, Google has had to redesign many consent agreements, as well as change underlying technology to make it easier to remove someone's data. "For a company with infrastructure of our size, it takes a lot of work," Golan said.

Facebook has also taken multiple steps to deal
with the coming rules. On Sunday, the company began offering a new privacy centre that puts user security settings on one page instead of dispersing them across different sections of the social network. While the company said the changes were separate from its preparations for the new European regulations, Facebook's chief operating officer, Sheryl Sandberg, connected the two in a speech in Brussels last week.

The new privacy centre would give Facebook a "very good foundation to meet all the requirements of the GDPR and to spur us on to continue investing in products and in educational tools to protect privacy," Sandberg said.

Rob Sherman, Facebook's deputy chief privacy officer, said the social network has also held a series of "Design Jams" where it invites designers and engineers to re-imagine how products look so people can more easily see and control their online data.

Taking a step back

With the new rules coming, Facebook also decided not to roll out some products in Europe that would violate the privacy laws.

In November, for instance, the company unveiled a programme that uses artificial intelligence to monitor Facebook users for signs of self-harm. But it did not open the programme to users in Europe, where the company would have had to ask people for permission to access sensitive health data, including about their mental state. It has also kept out of Europe facial recognition software that tracks when photos of users are posted across the platform.

Amazon, too, has made changes. In April, the company wrote a blog post outlining its efforts to comply with the new European regulations. The internet retailer said it would strengthen the encryption around the data it stores on its cloud storage services, and reaffirmed the rights of customers to choose which region - Europe or otherwise - where they want their data stored. Amazon declined to discuss the work.

Some US tech companies said they welcomed the new data protection rules.

"We embrace GDPR because it sets a strong standard for privacy and data protection rights, which is at the core of our business," Julie Brill, a corporate vice president and deputy general counsel at Microsoft, said in an interview. "We began work on GDPR as soon as it was adopted by the European Union. Our preparations for GDPR touch every part of our company."

How the biggest tech companies handle the regulations will most likely influence their smaller counterparts. Angelo Spenillo, general counsel for Siteimprove, which helps companies manage their presence online, said many little tech companies have been looking toward Google and Facebook for how user privacy and data will be managed online. "Where the bigger companies go, the smaller companies will follow suit," he said. "We're going to see real changes across the board."

Jourov said as the new rules take effect, countries outside Europe could begin demanding similar data protection measures for their citizens. "There will be a moment, especially as more and more people in the US find themselves uncomfortable with the channels monitoring their private lives," she said.