Now Microsoft Supports an American GDPR. Which Tech Giant Wouldn't?

Government-mandated privacy regulations will allow the most powerful companies to game it to their advantage.


Microsoft would like to wish the General Data Protection Regulation (GDPR) a very happy birthday. In fact, now that Europe's broad privacy regulations are a year old, the software giant thinks it's time we get a sibling in the states.

In a post on the company blog, Microsoft swoons that EU residents are now empowered to "control their personal information" and "use digital technologies to engage freely and safely with each other and through the world." Digital technologies like Microsoft's own "privacy dashboard," which did they mention was the first GDPR-style data control effort from a Silicon titan? Oh, you haven't heard of it? Well, they assure us that it is very good.

But it's not good enough. Microsoft cannot single-handedly save us. In fact no private company can. No, our asserted rights to privacy "will always fundamentally be a matter of law that falls to governments," Microsoft contends. In particular, the company says the U.S. federal government must catch up with the EU and mandate a single privacy framework.

Microsoft has been salivating over federal privacy regulations since at least around 2005. Now that data issues are such a cultural flashpoint, companies can make easy waves by publicly "standing for privacy."

Many tech companies say they "support a GDPR" in some way, although they have their separate reasons.

Facebook's Mark Zuckerberg famously called on Uncle Sam to bail his company from his own bad year of public relations in December. He hopes that federal privacy legislation will defang California's GDPR-style law before it takes effect in 2020.

Now, the California Consumer Protection Act (CCPA) is indeed a lousy law. But let's not pretend that Zuckerberg and company won't try to stuff as many goodies as possible into a federal preemption for their own benefit. Specifically, he wants government speech laws, political spending laws, and data portability guarantees (which means other platforms would be forced to fork over more data to his company).

Google, too, wants a GDPR with American characteristics. During his turn in the congressional hot seat last December, CEO Sundar Pichai praised the GDPR as a well-crafted law, and called on Congress to harmonize our laws with Europe's.

That's easy for him to say. The law earned its nickname, the "Google Data Protection Regulation," fairly. Small adtech vendors just can't stomach the risk of running afoul of these vague rules. One false move—or more likely, one peeved-off bureaucrat—could mean millions in fines, a death knell for smaller firms. The Googles of the world have the tools and lawyers to better shoulder risk. When the GDPR took effect last year, Google's ad share skyrocketed overnight.

Several privacy-focused technology ventures have signed on to support a beefed-up CCPA as the de facto law of the land. Because obviously. Their whole business model is to build a post-Googleized world. And they provide great products. But let's call this what it is: legal opportunism.

There is a similar dynamic with Microsoft. Advertising rakes in some $7 billion per year for the company. But this is a mere blip on the bottom line, constituting around 6 percent of Microsoft's $110 billion in annual revenues.

Microsoft makes its money on services: mostly software subscriptions and its enterprise cloud platform, Azure. Data is involved, but nowhere near to the extent of companies like Facebook and Google.

How convenient that a growing global consensus on the need to "do something" could cause problems for competitors' business models!

Let's look at Microsoft's ideas for an American GDPR. In the blog post, the company calls for rules "requiring assessments that weigh the benefits of data processing against potential privacy risks to those whose data is processed." That's pretty vague. We can assume those "processes" that don't pass muster will be legally prohibited.

The procedure would be fundamentally subjective: who defines the benefits? Who calculates the risks? What if you and I weight these things differently? Ludwig von Mises is rolling in his grave.

Microsoft must believe it will come up on the right side of this ordeal. They process less data in the first place, so the resulting "risks" spit out by this hypothetical rationalized formula will be lower. Google location tracking? Maybe not so much. See how it works? It's Bing's revenge!

I don't want to beat up on Microsoft too badly. Actually, few people do these days. Yesterday's favorite punching bag is today's unexpected darling. That mighty Microsoft has so far avoided much in the way of a "techlash" at all is by now a common techie cliché. After all, there is no "M" in "FAANG."

No one really hates Microsoft anymore because it's built a better development culture. I poked fun at the privacy dashboard, but the company has made real and impressive pivots.

Many were skeptical when "Micro$oft" announced it would support open source projects like Linux. And it seemed the end might have been nigh when it acquired GitHub, a popular open source code repository. Actually, things have turned out pretty well in both cases. Now, Microsoft wants to build a permissionless identification system on top of Bitcoin. These are three real tools to empower development and autonomy online.

The point is that such internal cultural shifts will do a lot more for real "data privacy" than the text of any number of GDPR permutations ever could.

There are good reasons to be upset with tech giants. They know this, so they react. Facebook has embraced encryption and cryptocurrency to wiggle its way out of its mess. Google's recent Chrome updates crack down on cookies and other pesky ad tech.

It doesn't solve everything, and these companies aren't making changes out of the goodness of their hearts. But it's real progress, and it comes without the economic and political baggage of exploitable legislation.

Alas, the allure of regulatory capture proves too tantalizing. Whether they aim to cement their own market dominance, upend rules they don't like, or handicap the competition, tech companies always support regulation for self-interested reasons.

By the time a federal proposal does hit the Hill, we can expect the usual suspects to voice their support for "GDPR principles." Of course, their lobbyists will be finessing the particulars of those principles to their liking behind the scenes.

If only the tech industry spent that energy doing what they do best: hiring engineers to build useful tools. Then we'd really be getting somewhere on data privacy.