Sweeping privacy rules in the European Union changed the way internet platforms, telecoms, publishers—really anyone who processes personal data—do business in the region earlier this year. It shook things up for tech giants like Google and Facebook that profit from using customer data to sell advertising.
Google, the world’s largest advertising platform, says it spent years preparing to comply with the privacy rules, known as the General Data Protection Regulation (GDPR), before they took effect in May 2018. Google’s chief privacy officer, Keith Enright, estimated that Google’s workforce spent ”hundreds of years of human time” to bring the company into compliance with GDPR. Enright made the remarks in a hearing with the US Senate Committee on Commerce, Science and Transportation on Wednesday (Sept. 26) that also included executives from AT&T, Amazon, Apple, Twitter, and Charter Communications.
When asked by Republican senator Michael Lee what the effort cost Google—hundreds, thousands, hundreds of thousands, or into the millions of dollars—Enright estimated that the sum was “orders of magnitude than any figures of you’ve mentioned,” which suggests it cost billions.
That’s not a crippling figure for a company like Google. Its advertising business brought in more than $95 billion in revenue (pdf) in 2017 for parent company Alphabet. About one-third Alphabet’s overall revenue, totaling about $110 billion last year, came from Europe, the Middle East, and Africa, the company reported.
The estimates could, however, be enough to give some US regulators pause when considering similar data privacy protections in the US. The primary concern, based on the hearing, is that federal regulation could be particularly burdensome for small and medium-sized companies that don’t have the funds or resources to comply. It’s been argued that the regulations in Europe might even have put Google and Facebook at an advantage over smaller competitors for that reason. Some of the lawmakers and executives at the hearing, including Amazon associate general counsel Andrew DeVore, also expressed concerns that privacy laws could divert funds away from innovation.
“It doesn’t mean all regulations are bad,” said Lee, the senator, adding that sometimes costs of regulations end up on consumers. “It does mean those are things we ought to take into account.”
Wednesday’s hearing is one in a series being held by the committee on the topic of data privacy. Another hearing with privacy advocates will take place next month.
Google CEO Sundar Pichai will also reportedly be in Washington this week fielding questions from Republican lawmakers about user privacy and other issues.