Sundar Pichai: Google Supports an American Data Privacy Law

The tech world is buzzing after another round of executive grilling on the Hill. This time, Google CEO Sundar Pichai was in the House Judiciary hotseat for his company's data and algorithmic practices, after previously eschewing invitation to testify. Much of the congressional chorus was familiar: Republicans chastised Google for anti-conservative bias, Democrats hounded the search giant for insufficient actions against hate speech and Russian bots. Pichai was at turns acquiescent and evasive, as is typical of these now routine spectacles.

There were some unique bones of contention that stood out in this testimony.

Commentators noted Pichai's seeming discomfort with bipartisan questions about Google's much-derided "Project Dragonfly." The company reportedly had big plans for a renewed foray into the Chinese search market, complete with all of the surveillance bells and whistles necessary to maintain a good working relationship with the People's Republic of China. Pichai told the committee that Google has "no plans" to collaborate with the Chinese government, but later admitted that the company previously had "over 100" people working on the apparently scrapped super snooper.

Both parties were also keen to drill down on exactly what and how Google tracks data, particularly when it comes to our locations. Fueled by an earlier controversy over covert location tracking and a recent New York Times investigation into de-masking individual location data, representatives asked whether Google could tell when someone walked from one side of a room to the other, and whether Google could specify that person's identity. (Pichai responded that he didn't know the answer to either.)

What has gone less commented upon, however, was the Google CEO's admission that his company supports strong federal data privacy legislation.

Right now, the U.S. lacks dedicated data privacy legislation. The Federal Trade Commission (FTC) has become the top federal cop on the beat, investigating companies when their data practices are found to be deceptive or unfair, for instance when a company violates its own terms of service. Specialized agencies may promulgate their own data standards practices as well; the Securities and Exchange Commission issues guidelines for institutions handling financial data, for example.

Otherwise, data privacy oversight is largely state-based. A few states with strong data privacy laws can become the de facto standard for most of the country, as is the case with Illinois's biometric practices law and California's recent Consumer Privacy Act (CCPA), which is slated to go into effect in 2020.

There is a movement afoot to supplant the current patchwork of data standards with a single, federal focus.

Some privacy advocates want the US to take the tack of the European Union, whose stringent General Data Privacy Regulation (GDPR) went into effect earlier this year. Google may not be what comes to mind when you think of "privacy hawks," but the company is among these ranks for self-interested reasons.

The GDPR's many problems are by now well understood. The vague and expansive legislation has introduced regulatory uncertainty for businesses operating in member states. The combination of unclear wording and extreme financial penalties means that companies must spend billions of dollars to maybe be considered compliant.

This may be a headache for large firms, but hardly insurmountable: they have the deep pockets and armies of lawyers needed to stay on the right side of the law. But GDPR can be a death knell for small or not-yet-formed ventures, many of which are not even data-focused tech companies, who could never hope to spend enough money to comply.

Indeed, many companies and online platforms have decided to just shut their doors to Europe completely rather than risk the $25 million or 4 percent of annual revenue at stake for inadvertently running afoul of the GDPR. There are more unseen casualties as well. We will never know the developments that could have been that the GDPR prematurely quashed.

Consequently, the GDPR has had the unintended (but wholly predictable) consequence of consolidating market power behind the mega firms that privacy advocates hoped to take down. There is a reason that the GDPR earned its informal nickname of the "Google Data Protection Regulation": small adtech vendors lost dramatic EU market share after the GDPR was implemented. Only Google's market share increased.

It makes sense why Google would support another "GDPR" in the US. Last week, Pichai publicly confirmed these suspicions.

During the hearing, Rep. Eric Swalwell asked Pichai whether he thought the US should adopt a national GDPR-style data framework, requiring that users affirmatively "know, understand and consent" to all data usage. Pichai responded that he thought global regulatory harmonization is a good idea. But he didn't just offer vague platitudes: he said he actively supported the GDPR as a "well thought-out" law and thought it was a good idea to bring to the States.

Is anyone surprised? Although the company had to spend billions of dollars to try to be compliant with the GDPR, so did its competition. Google is one of the most well-capitalized companies in the world. It can afford compliance costs, its upstart competitors probably cannot. Furthermore, Google has already implemented a relatively strict interpretation of GDPR compliance, which means it may not have much more work to do for a similar stateside bill. It is easy to see why the company may want to replicate this process in the US.

There is another layer of congressional chicanery at hand. I mentioned that many groups desire a federal solution for data issues. Other tech companies, most notably Facebook, publicly support federal data legislation. But these companies support a voluntary standards-based approach to supplant the GDPR-style CCPA before it goes into effect in January of 2020.

Depending on the final wording, this approach could be vastly superior to the CCPA. But Google and other companies may actually prefer a GDPR-style "active consent" approach because it could handicap competitors like Facebook, whose trustworthiness among the public is at an all-time low.

Google may enjoy some good PR for seeming to support "strong data protections" in the US. But don't be fooled. As the experience with the GDPR suggests, implementing heavy federal data regulations will only redound to the search giant's benefit.