With the deadline for the new rules now just a few months away, Silicon Valley’s tech behemoths have been scrambling to get ready. Facebook and Google have deployed hundreds of people to make sense of the regulations. Many of the companies have overhauled how they give users access to their own privacy settings. Some have redesigned certain products that suck up too much user data. And in some cases, companies have removed products entirely from the European market because they would violate the new privacy rules.
“Every person who works for us has, in some way, been involved in preparing the company for G.D.P.R.,” said Doug Kramer, general counsel of CloudFlare, an internet performance and security company based in San Francisco that has tightened its data storage and processing practices. “G.D.P.R. is going to introduce very fundamental changes to the way the internet works for everyone.”
The rush of activity is a reminder of how Europe has set the regulatory standard in reining in the immense power of tech giants, while other places — including the United States — have largely taken a noninterventionist stance. The G.D.P.R. rules were approved in late 2015 after tech companies like Facebook ran into problems over data protection with national privacy watchdogs in various European countries.
European officials said the coming rules are forcing American tech giants to take a step back.
“There has not been any pushback from American companies,” said Věra Jourová, the European Commissioner for Justice, Consumers and Gender Equality. “If anything, they seem very eager to understand how exactly they can comply with the regulation.”
Officials from Facebook, Google and other companies said in interviews that they had been working to give people more control over what data they share anyway. In the past, many of the companies fought back in European courts over privacy rules and declined to offer certain products in the region rather than redesign them to meet privacy standards.
The coming of the new rules has nonetheless pushed a huge scale of internal change, Gilad Golan, Google’s director for security and data protection, said at a San Francisco event last month to introduce new security features. “When G.D.P.R. goes into effect in 2018, we will be ready,” he said.
The biggest challenge, he said, has been preparing for the regulation’s mandate that people in Europe must have control over how their digital data is organized. Google, he said, has had to go through each of its services — from Gmail to its Cloud storage services — to comply. Since the new rules require individuals to give their consent before a company accesses data, for example, Google has had to redesign many consent agreements, as well as change underlying technology to make it easier to remove someone’s data.
“For a company with infrastructure of our size, it takes a lot of work,” Mr. Golan said.
Facebook has also taken multiple steps to deal with the coming rules. On Sunday, the company began offering a new privacy center that puts user security settings on one page instead of dispersing them across different sections of the social network. While the company said the changes were separate from its preparations for the new European regulations, Facebook’s chief operating officer, Sheryl Sandberg, connected the two in a speech in Brussels last week.
The new privacy center would give Facebook a “very good foundation to meet all the requirements of the G.D.P.R. and to spur us on to continue investing in products and in educational tools to protect privacy,” Ms. Sandberg said.
Rob Sherman, Facebook’s deputy chief privacy officer, said the social network has also held a series of “Design Jams” where it invites designers and engineers to reimagine how products look so that people can more easily see and control their online data.
With the new rules coming, Facebook also decided not to roll out some products in Europe that would violate the privacy laws.
Last November, for instance, the company unveiled a program that uses artificial intelligence to monitor Facebook users for signs of self-harm. But it did not open the program to users in Europe, where the company would have had to ask people for permission to access sensitive health data, including about their mental state. The social network has also kept out of Europe facial recognition software that tracks when photos of users are posted across the platform.
Amazon, too, has made changes. Last April, the company wrote a blog post outlining its efforts to comply with the new European regulations. The internet retailer said it would strengthen the encryption around the data it stores on its cloud storage services, and reaffirmed the rights of customers to choose the region — Europe or otherwise — where they want their data stored. Amazon declined to discuss the work.
Some American tech companies said they welcomed the new data protection rules.
“We embrace G.D.P.R. because it sets a strong standard for privacy and data protection rights, which is at the core of our business,” Julie Brill, a corporate vice president and deputy general counsel at Microsoft, said in an interview. “We began work on G.D.P.R. as soon as it was adopted by the European Union. Our preparations for G.D.P.R. touch every part of our company.”
How the biggest tech companies handle the regulations will most likely influence their smaller counterparts. Angelo Spenillo, general counsel for Siteimprove, which helps companies manage their presence online, said many little tech companies have been looking toward Google and Facebook for how user privacy and data will be managed online.
“Where the bigger companies go, the smaller companies will follow suit,” he said. “We’re going to see real changes across the board.”
Ms. Jourová said as the new rules take effect, countries outside Europe could begin demanding similar data protection measures for their citizens.
“There will be a moment, especially as more and more people in the U.S. find themselves uncomfortable with the channels monitoring their private lives,” she said.