In Europe, a regulatory vise tightens around big tech

In 2018, a new European law called the General Data Protection Regulation, or GDPR, took effect. With the stroke of a pen, a host of common online practices—used by everyone, from big tech companies like Google to small web publishers, for everything, from showing popup ads to requiring an email address to enter a website—suddenly became illegal in the European Union, or at least heavily regulated. Consent was required before any personal information could be collected or used—and the EU’s definition of personal information was considerably broader than the US definition. Elizabeth Denham, the information commissioner for the UK, called the GDPR “the biggest change to data protection law for a generation.” Others were less diplomatic: one critic described the law as a “clunky bureaucracy” and a regulatory minefield that shackled businesses with “unnecessary red tape.”

If tech platforms thought that the GDPR was the end of their problems in the EU, they were mistaken: the law was only the lip of a wave of European regulatory activity aimed at the online world, and specifically the behavior of digital giants like Meta, Google, and Apple. These new laws have targeted everything from alleged anti-competitive practices to the ways in which personal data is used to customize search results and news feeds. Brian Wieser, a technology analyst and former investment banker, told the Wall Street Journal recently that the laws are a “Glass-Steagall moment for big tech,” a reference to a Depression-era law that supporters believe was instrumental in reining in anti-competitive behavior by banks. As a result, Wieser said, tech platforms are going from “effectively no regulation to heavy regulation.”

More From CJR: