LONDON (AP) — Facebook CEO Mark Zuckerberg is promising to do a better job protecting user data following reports that a political consultant misused the personal information of millions of the company’s subscribers. The fact is, European regulators are already forcing him to do so.

A similar data breach in the future could make Facebook liable for fines of more than $1.6 billion under the European Union’s new General Data Protection Regulation, which will be enforced from May 25. The rules, approved two years ago, also make it easier for consumers to give and withdraw consent for the use of their data and apply to any company that uses the data of EU residents, no matter where it is based.

“For those of us who hold out no hope that our government will stand up for our rights, we are grateful to Europe,” said Siva Vaidhyanathan, a professor at the University of Virginia who studies technology and intellectual property. “I have great hopes that GDPR will serve as a model for ensuring that citizens have dignity and autonomy in the digital economy. I wish we had the forethought to stand up for the citizen’s rights in 1998 (the start of Google), but I’ll settle for 2018.”

The U.S. has generally taken a light-touch approach to regulating internet companies, with concerns about stifling the technology-fed economic boom derailing President Barack Obama’s 2012 proposal for a privacy bill of rights. But Europe has been more aggressive.

EU authorities have in recent years taken aim at Google’s dominance among internet search engines and demanded back taxes from Apple and Amazon. The European Court of Justice in 2014 recognized “the right to be forgotten,” allowing people to demand search engines remove information about them if they can prove there’s no compelling reason for it to remain.

Now data protection is in the crosshairs of the 28-nation bloc, where history has made the right to privacy a fundamental guarantee. Nazi Germany’s use of personal information to target Jews hasn’t been forgotten, and the new Eastern European members have even fresher memories of spying and eavesdropping by their former communist governments.

But the Facebook scandal shows that personal information can also be used for other purposes.

A whistleblower this month alleged that Cambridge Analytica improperly harvested information from over 50 million Facebook accounts to help Donald Trump win the 2016 presidential election. News reports have focused on the relationship between Cambridge Analytica CEO Alexander Nix, former Trump strategist Steve Bannon and billionaire computer scientist Robert Mercer, who bankrolled the operation.

Cambridge Analytica says none of the Facebook data was used in the Trump campaign. Facebook is investigating.

“The regulation is trying to balance the power between ourselves as individuals and organizations that use that data for a whole variety of services,” said David Reed, knowledge and strategy director at DataIQ, a London-based firm that provides research on data issues.

The EU’s new rules expand the reach of regulations to cover any company that processes the data of people living in the bloc, regardless of where the company is based. Earlier rules were ambiguous on this point, and international companies took advantage of that to skirt some regulation, the EU says.

While Facebook is based in Menlo Park, California, it has some 277 million daily users in Europe out of 1.4 billion globally.

The EU legislation also demands that consent forms are written in plain language anyone can understand. No more legalese across pages and pages of terms and conditions that few people read before clicking “I Agree.” The regulations also require that consent must be as easy to withdraw as it is to give.

To ensure compliance, there’s the potential for big fines. Under GDPR, organizations face fines of up to 20 million euros ($25 million) or 4 percent of annual global turnover — whichever is greater — for the most serious violations.

Facebook reported $40.65 billion in revenue last year. That means a serious violation could cost the company as much as $1.63 billion.

Even though GDPR doesn’t legally protect the data of people outside the EU, analysts expect many companies to apply the rules worldwide. Smaller firms are likely to decide it’s too expensive to run multiple compliance systems, though bigger firms like Facebook and Google may still decide to “bracket off” European operations, Vaidhyanathan said.

Sarah T. Roberts, a professor of information studies at UCLA, says the EU is formulating the rules of engagement, rather than allowing internet companies to dictate. While U.S.-based platforms were created in the image of Silicon Valley, that type of bravado and no-holds-barred capitalism doesn’t go down well in Europe.

“Despite claims that cyberspace is not fettered to planet Earth, that is not true,” she said.

Facebook, for one, has taken notice, setting aside a page of its website to explain what the company is doing to comply with GDPR. “We’ve built tools to help people manage their data and understand their choices with respect to how we use their personal data,” it says.

But GDPR is not a panacea that will ensure everyone’s data is protected. Some analysts suggest the next step should be to ensure that everyone owns their own data and can sell it in exchange for services.

Pressure is building for increased regulation in the U.S., where members of Congress have called on Zuckerberg to testify about the Cambridge Analytica scandal.

The alleged conspiracy has captured the public imagination, focusing worldwide attention on data protection, Vaidhyanathan said.

“Cambridge Analytica’s story sounds like a spy novel,” he said. “It has a Bond villain in Alexander Nix. It has a secretive billionaire genius in Robert Mercer. It has the evil sidekick in Steve Bannon. It is working for right-wing interests and it claims to be able to control our minds,” he said. “We needed a few Bond villains to make the story lively.”