 Felly, gweithio amser fe, mae'n gweld i chi ddweud yma yng nghymru chi wnaeth i mi ddweud o'r wych, ond mae'n gweithio'r ddweud o'r wych, oherwydd mae nifer o'r ddweud o'r ddweud o'r ddweud. Felly, dyna dweud, mae'n mynd i joysau i Conor, ac efo'r ddweud i chi'n gweithio'r ddweud o'r ddweud o'r ddweud, fe fyddai'n gweithio'r ddweud, efallai eich ddweud o'r ddweud o'r IEEA, Felly, mae'n gwybod i'r wych ar gyfnod. Mae'r gweithio, y cael ei bwysig yn y gweithio. Mae'r cwestiyng o'r gweithio, mae'n gweithio ar y gweithio a'r gweithio'n gweithio, ac mae'n gweithio ar gyfer y llyfr trwysau Chatholmhwys. Felly, mae'n gweithio ar gweithio. Felly, a'i fwyaf i gydig yn ychydig i'r ddweud yn ymgyrch i'r enw yng Nghyrch, gyda'r gweithio argylchedd gweithio ar gyfer y gweithio. ac mae'n gweithio'r prydau i'r prydau pryddedig y Google. Yn ystod, mae'n gweithio'r pryddedig y Google a'r cyfnod gyda'r GDPR yn ymgyrch yn ymgyrch. Ac rwy'n ddweud i'r cyffredin, mae'n gweithio'r cyffredin, mae'n gweithio'r GDPR. Mae'n gweithio'r cyffredin yn ymgyrch. Mae'n gweithio'r brexit yn y moment. Mae'n gweithio'r cyffredin yn ymgyrch yn ymgyrch. Mae'n gweithio'r cyffredin yn ymgyrch yn ymgyrch, ond mae'n ddweud i'r prydau o'r gweithio gyda'r gweithio a dynelfu a cinfa a mynd i'r gwithio gyda'r GDPR. Felly, mae'n ffawr yn ogyrch yn siarad ganddysgwr. Mae'n gweithio'r c Siloedd, mae gennym eidiol yng Nghymru iawn i wneud i gydon nhw'n gweithio sy'n gweithio'r pryddedig ynghylch yn cael parwyddo 500 o'r rhan o'r credu o'r ffordd o'r cyfrifodau hwnnw. Mae'r ysgawdd hwnnw yn cyfrifodd 5 o'r cyfrifodau yma o'r llyfrwr o'r cyfrifodau a'r cyfrifodau yr hyn o'r cyfrifodau. Mae'n gofyn i'n gweithio, a'r casfodd amgylchedd gyda'r sgwpeth yma, ac mae'n gweithio'n gweithio ar y cyfrifodau. Mae'n gweithio ar y ddweudio. Good morning everybody. I'd like to thank Joyce and the IIEA for inviting me here today. Thank you all for coming out for the conversation. We really do appreciate the opportunity to have an open dialogue with folks about privacy, about data protection, about Google's experience, our journey in this space, as well as the global conversation around these issues as it develops. I'd say, just from a personal note, I have a tremendous affection for Ireland. My family has deep ties here. As I was saying to Joyce earlier, my grandmother was from Port McGee and my grandfather from Carseveen came over here a number of times as a kid. And I appreciate the fact that my work has given me the opportunity and the privilege to spend more time over here with Ireland as our central place of administration here in Europe. It's an incredibly important location for Google and I'll talk a little bit more about that as I go through my remarks. I'm sure that everyone is interested in hearing our thoughts and our experiences around how the privacy conversation is playing into broader questions about the future of technology, its impact on society, how it affects things like publishers, innovators, entrepreneurs, content creators on the internet. We at Google are fully committed to protecting the privacy of our users in Europe and elsewhere around the world. And we are supportive of strong privacy laws and regulations that provide for those protections while also providing for data-driven innovation, value creation, content creation and availability to help to grow and develop the internet that we've all come to know and love and that we rely upon increasingly every day in our life and in our work. For Google, one of the core principles with which we approach our work is that we build products and services for everyone and we have subsidized that work with an ad-supported business model. So, as many of you I'm sure are keenly aware, we offer great products that are used by billions of users around the world like search and maps and we're able to make those available to users everywhere on the planet irrespective of their economic condition by allowing publishers to deliver advertising to relevant users to fund the delivery of all those services. It's important to understand though that it's not, that's not the end of the conversation around the benefits of ad-supported business models to the internet. It also allows for free apps. It allows for an independent media to flourish. It allows for content creators all over the world to make their content available to the broadest possible audience all over the planet. We remain convinced that these goals of strong privacy protection and allowing products and services to be made available for free all over the world are entirely consistent and that they can be reconciled and we're making massive investments to demonstrate that in practice. We try to set the highest possible bars for things like transparency, control and security to really improve the ability of users to protect their privacy, to exercise their rights while still enjoying all the benefits of the internet and of technology. As people use our products and services, we try to gather real feedback from them. We try to listen to them, to our users all over the world, and we're using all of that intelligence to iterate on the controls that we make available to them so that we can put users in the driver's seat, have them optimize their experience of our products and services and really be confident that they understand what information about them is being collected, how it's being processed, how it's delivering value back to them in terms of the services that they're able to use. Again, just to reiterate, one of the things that I want to make sure folks are understanding is that this open and dynamic exchange of information on the internet, the free flow of information subject to these really strong and reliable privacy controls creates a much more diverse and inclusive digital economy. Users get rich content, new products and a wider access to knowledge than they would in the absence of that ecosystem. So as we think about how to advance the conversation about online privacy, we need to remain sensitive to the very real trade-offs that can take place if we move forward without an appropriate consideration of the decisions that we're making. All of that having been said, we are actively engaged in this dialogue about the future of technology here in Europe and around the world. We recognize that there is scrutiny and skepticism about advertising and about the data collection that's involved with ad services and their relationship with other services. And we fully recognize that we are a large part of that conversation and we are committed to actively engaging with interested stakeholders to inform the conversation so that people understand what's really at play as we explore these questions. And we will adapt our products and services as we go forward to make sure that we're doing the right thing for our users. Because ultimately user trust is an existential consideration for Google. If users trust our services, trust our brand and more generally trust the internet and trust technology, then that ecosystem will flourish and will continue to grow. We will be successful. Our users will realize more benefits from technology around the world and that will create opportunity and value for us and for many others who participate in that conversation and that ecosystem. In terms of my own history here at Google and the way that we've been thinking about privacy historically and what brings us to the point we're at today. When I joined Google just about eight years ago, we already had a very well-established privacy program, but it was one that was informed by missteps at times. We had made mistakes and we learned from those mistakes. One of the interesting benefits of being at the bleeding edge of technology and sometimes getting ahead of the conversation in terms of where privacy and data protection decisions ought to be made is that we have been in open engagement and dialogue with privacy regulators around the world for many, many years. Well in advance of the GDPR, we were already actively engaged with data protection authorities in member states across Europe in resolving privacy confusion and concerns that had raised from questions that anticipated the GDPR by many years. As a result of that, when the GDPR negotiations were well underway, rather than us facing it with a fear of some sort of revolutionary disruptive event, we saw the GDPR as a logical anticipated evolution in the conversation of how privacy and data protection for European users should be advanced as we moved into the coming years. That positioned us quite well in some respects. We faced a law which, as everyone reported, was raising the specter of elevated civil penalties, financial penalties, penalties for companies for non-compliance, and that definitely drew more executive attention for multinationals all over the world with clear designation that civil penalties could reach 4% of global annual turnover. That certainly created a larger conversation globally around privacy and data protection than had happened previously. But that didn't change things at Google, to be completely honest. We had been engaging with European data protection regulators on these privacy questions for decades in advance of the GDPR. As we looked at the way the law was evolving under the GDPR, we saw things that were very, very familiar with us, themes that had already been parts of our conversation for the preceding years, as well as some things that were ambiguous and unclear, and we knew we were going to be catalysts for future conversations as we rolled forward beyond 2018. Some of the areas that were extremely reassuring for us in the GDPR were things like clearer requirements around accountability, strong incentives for companies to have robust privacy programs in place, to have launch review processes in place, specifically around areas like high-risk processing, areas like data portability, and open legal acknowledgement that users have a right to take their data from one service provider to another, codified in law in the GDPR. That was a manifestation of a principle that harkened back to the earliest days of Google, where Google engineers absent any legal requirement, reached that conclusion first in the context of Gmail, saying, we did not want users to be using the Gmail product simply because it was too difficult to get their data out of Gmail and into a competitive product. By making leaving Gmail frictionless, we were actually incenting our own engineering and product teams to create the best, most compelling product for our users. There was a wide open conversation inside of Google, and we spoke about this regularly externally, saying, we are actively engineering to make it easy for users to leave, because if we do that, we're creating all the right incentives for products excellence inside of the company so that we're creating products that users don't want to leave. The GDPR picked that up and codified it, expanded it, and created great incentives for us and for other sophisticated companies to expand this notion of data portability, to look at more of the data that we maintain on behalf of our users and make it easier for them to take it in a useful format to any competing service. That's a really, really positive development. We'd like to recognize that from the GDPR, and we are inserting that same kind of advocacy into conversations about legal developments in the US and elsewhere in the world. We think this principle of data portability is really important. We think the notion of accountability, of having structures that are externally demonstrable, that you can look from company to company and recognize that they are building a privacy program, that they have individual executives who are accountable for its operation and maintenance. That they have the ability to respond to user complaints, user concerns, regulatory inquiries about privacy and data protection. Again, these are investments that Google had been making for years, and it's great to see legal frameworks evolving to not only reward that investment presently, but to bring the entire commercial ecosystem up to a certain baseline of excellence. We're looking forward to continuing to engage on that. As we face the GDPR, just some metrics and numbers to help folks understand the sheer scale of our commitment with that law, we had thousands of employees working on GDPR compliance through 2017 and 2018. Hundreds of human years were actually devoted to reviewing our entire product portfolio, identifying where there might be opportunities to improve our compliance with the new law, and then working with product teams with engineering to make any necessary updates to ensure that our products were optimized for compliance with this new and challenging set of legal requirements. We were the beneficiaries of the fact, as I had said, that we had interacted with regulators on many of these issues for decades in advance, so there was very little in the GDPR that I would say was surprising or new. But there are areas where compliance is extraordinarily challenging. One sort of very, very broad area that I'm sure there's a great deal of interest in is in this notion of the legal basis for processing of data in the context of a delivery of a given service. As I'm sure many of you are aware, we recently received an opinion from a French court that found that our consent flows in the context of some of our products were legally deficient under the GDPR standard, and we were hit with a 50 million Euro sanction for non-compliance. Now, interestingly, as we look at this, we disagree on the law, we disagree with the opinion that the court reached, but we recognize that there is ambiguity. In point of fact, as we were determining our GDPR compliance strategy, not only were we looking at the provisions of the regulation itself, but as we processed the regulatory guidance that we were receiving from the national authorities and from the commission, we tried to take what we believed was a conservative view because we wanted to make sure that we were managing risk appropriately. And still, at the level of at least one national authority, there is an allegation that we missed the mark. Now, we have chosen to appeal that ruling because we believe that the application and interpretation of the law by that court didn't reach the right outcome. We are optimistic that, upon review, we will be able to demonstrate that, in fact, the way that we obtain consent in the context of our products and services actually does reach an appropriate standard under the GDPR. But all of this is clear evidence that we remain in a period of considerable uncertainty for the foreseeable future. We fully expect that there will be ongoing engagement with regulators and, in some instances, there will be issues that are taken to the court probably all the way up to the highest court in Europe to resolve these latent ambiguities within the GDPR as the law evolves. And we hope and we remain optimistic that, as that conversation plays out, we will be able to drive great outcomes for European users by coming up with balanced pragmatic approaches that protect the fundamental European right to privacy, while allowing European innovators, European entrepreneurs, European publishers, European content creators to continue to reap the benefits of the internet ecosystem. And our role in that, both as a platform provider as well as a provider of many apps and services that deliver a lot of that value, is going to be leading the way in investments into best-in-class controls, best-in-class settings, user education, and making sure that we're doing everything we can to inform the conversation and help policymakers reach the best possible outcomes. I think it's important to recognize that throughout this entire revolution, my office, as I'd said, has engaged with national authorities across Europe. That has actually been an extraordinarily rewarding experience for me individually, for my team, and for Google's products and services. Before the GDPR was a law, we were actively engaging in various issues of dispute with national authorities across Europe. And I can say that, as a result of all of that engagement, our products and services are better. We have kept an open mind. We've tried to demonstrate an appropriate level of humility. We have an unwavering respect for European law and a commitment to complying with the laws of the jurisdictions in which our products and services are operating. And as a result of that ongoing dialogue, we, as I'd said, we were well prepared for much of the GDPR when it came into force. One specific high point of all that, the DPC here in Ireland, is of course of fundamental importance to us and to the world right now. Given that so many major tech companies, major companies generally, have Ireland, as we do, as their central place of administration, have the ODPC as their lead supervisory authority and, by extension, will see Ireland as their one-stop shop for purposes of GDPR compliance. Having the ODPC as their primary interlocutor with the rest of Europe on some of these really important fundamental questions of privacy and data protection law compliance. My experience with the DPC has been they're a tough regulator, but they're extremely thoughtful. They take the time to understand the issues thoroughly. They have always demonstrated a commitment to sitting down with industry to understanding the positions on the other side and reaching pragmatic solutions that are actually best for users. That's the kind of regulator that I find consistently produces great outcomes. We're looking forward to continuing our work with the DPC on issues of cross-border transfers, which is, of course, given our scale and given the nature of what we do, a great deal of our portfolio. We will also continue engaging with national authorities on issues of national interest, so I fully expect that we will continue having productive relationships with national authorities across Europe. While we, again, remain in many ways focused on Ireland and focused on the DPC because this is our place of central administration. This is the place where we have our one-stop shop under the GDPR. Extending it beyond Europe for a moment, I've talked a lot about the GDPR. One interesting aspect about the GDPR is GDPR as a catalyst. So it's not only a cluster of compliance obligations from multinational companies that are doing business here in Europe. It is also a game-changing consideration for legislation, regulation and policy formation all over the world. Anyone who's been paying attention for the last couple of years recognizes that the GDPR has started a new global conversation around the appropriate trajectory for privacy and data protection law. In the US, we've seen a number of developments across the past year. As many of you may be aware, we have a law in California that was passed, the CCPA, which comes into effect in the future and which right now it has been recognized even by its own drafters as having areas where it requires clarification and adjustment because the law was passed in a fairly unorthodox and rushed manner. So we and others are actively engaged in trying to make sure that the CCPA remains a strong law that provides a lot of privacy protection for covered users, but does not do so in a way that is not cognizant of the strong policy considerations around preserving opportunities for entrepreneurship, preserving opportunities to provide groundbreaking innovative products and services to users at low or no cost through ad-supported business models and otherwise. The passage of the CCPA in the US is really just a first signal in terms of US policy of many of the things that we're seeing coming next. I believe at last count I had heard there were 15 state bills introduced in 11 states. That number is probably already bigger than that because it's probably a weak sale. That means that there is a very real possibility we will have multiple state laws with differing requirements. Some of them are modeled after the GDPR. Some of them literally look like we're cutting and pasting provisions from the GDPR and incorporating them wholesale into US policy. It will be interesting to see the way that plays out. We're going to try to engage at the state level to drive as much uniformity, again protecting strong privacy protections while allowing industry to continue doing great things for users. In parallel with all of that there's a growing federal conversation in the US about having a uniform federal law that would resolve this potential conflict between the states and create a single rule of law across the United States. Political considerations make it very hard to call whether that is viable in the current legislative session or the next one. I think there's a lot of concern that we will not be able to establish enough uniformity of opinion and approach around a federal law to get that push through. But industry and civil society all have a very, very strong interest in making sure that in the US we create as much uniformity of law as we can providing very, very strong protections for users while also providing certainty and clarity for industry so that we can launch products that we know or have a high level of confidence are compliant with all of the legal requirements that we're facing. One major consideration in this entire conversation is how do we optimize US law such that while it needs to reflect an appropriate balance of rights and freedoms to fit within the US legislative paradigm we're also moving towards interoperability globally. The global economy is inextricably interconnected and much of it is being driven by data. So free flow of information, the ability for cross-border data transfers to be facilitated with legal certainty creates a lot of economic opportunity, generates a lot of value for users and for shareholders. And one of the ways that we can be advancing that value and promoting those interests is to do everything that we can as legal regimes are evolving in different parts of the world, recognizing we will never achieve uniformity, that they will never be identical because balances of rights and freedoms are affected by cultural considerations, legal traditions and other inputs. Moving towards principles of general interoperability is of tremendous benefit to stakeholders around the world. And we will do our best to make sure that that is part of the legislative conversation in the US especially at the federal level as we continue to push for a strong US federal privacy law that provides protections for US citizens that are comparable to and at least as strong to privacy protections that are available to users anywhere else in the world. With all of this, talking a little bit about some of the things that Google has done in demonstrating that we are not a company that's just slogans, we're not just talking about privacy, we're not just paying lip service to this being important to us. I think you can look at our track record and you can see that we are making massive investments to advance the privacy conversation and to really make things better for users and build trust in our platforms, in our service and in technology more generally. I talked a little bit about data portability. One of the great slides that we would show and we would do presentations about our GDPR compliance strategy is we would show a matrix of our products and services and those where data portability existed pre GDPR. And how that changed as we approached GDPR compliance and the GDPR effective date and you would see more and more product areas lighting up because this gave us an opportunity to really lean in and devote engineering resources to extending the data portability tools that we had historically made available for the subset of products and services where we thought users had the most compelling interest in taking their data with them. We really expanded that dramatically across our product portfolio. We're quite excited about that work. We also doubled down on major investments in the tools that we make available for users to manage their own privacy and to control their own data. If you haven't already I would encourage you all to take a look at the Google account controls that we make available. I really do believe that we are best in class in terms of surfacing in a really usable and accessible way information about the data that's associated with your Google account and giving very, very robust controls. So you can go in and at a line item level you can edit your own search history. You can turn off behavioral advertising altogether without suffering sort of a significant erosion in the quality of the service that you're receiving. You can turn off various kinds of data collection and processing across our portfolio of products and services and we continue to iterate on this in Google account. We want to make it as accessible as we possibly can, as meaningful and as powerful so that users recognize that they are in control of their Google experience and the way that we process and collect information from and about them is really at their control. We do not want to make these decisions for them. We want users to be making these decisions for themselves. Some of the other things that we're quite proud of, if you look at things like our security and privacy checkup, I have a product manager that I work very, very closely with who oversees most of our portfolio of privacy products. The metaphor that he often uses when he's describing our approach to privacy settings is we want to make these settings resemble a well-lit room. We want to invite users into them. So recognizing that just a few short years ago, if users were interested in privacy and if they wanted to understand how their information was being collected and used, the primary avenue for them to do that was to go to a wall of text, right, to a legacy privacy policy that was multiple pages of scrollable text. It was a fair criticism that many people found them impenetrable. They felt like you needed a legal education or training to discern them, to understand them, and that was not an acceptable state of affairs for us. So we've made major, major investments in this area where we updated our privacy policy dramatically so that we have included videos for key sections. We've done a great deal of user research and testing all over the world where we send teams out and we have them sit down with users in different geographies from different backgrounds, watch them navigate our privacy policy, watch them navigate the controls and settings, and then take their feedback. Did they understand what they read when they made changes to their settings? Was the result of those changes consistent with their expectation? Did they do the things that they meant to do? Or did we have opportunities to continue clarifying and improving? And based on the feedback of all this research, we are relentlessly making additional updates and improvements because we want to make sure that users are having an experience of Google's products and services that's actually consistent with their expectations. Another thing that we've done is sort of made a passing reference to our security and privacy checkup. We have not just built this great suite of settings and controls to put users back in control. We are actively trying to invite users into it. So, we have made billions of impressions over the last several years where we are using some of the most expensive real estate on the internet right on the Google.com homepage to invite users in to better understand their security settings and their privacy settings to walk them through on a step-by-step basis at their convenience on their own time to make these changes to actually bolt down their privacy to restrict the amount of users on the internet. We are trying to educate them on the consequences of those changes. How will their experience of products change? Will their ads become less relevant? Are they okay with that? Is that a reasonable value exchange for them? Turn off behavioral advertising, perhaps get less relevant ads, turn off information sharing between certain products and services, perhaps those products and services might become less useful in somewhere or another. We're really working hard to make sure that we're educating users on the consequences of their choices and then making those choices as accessible and simple as we possibly can. And you're going to see more and more from us in that regard in coming months and years because we really do think that leading the way in terms of world-class transparency choice and control is going to be essential, especially as we navigate, as I had said, this continued period of uncertainty and ambiguity around how do we get consent exactly right. We think we are doing best in class right now. We think we are setting the high water mark for industry in achieving the right level of consent from users in the context of many of our products and services. But this is not static and this isn't a problem that we think that we are going to solve at a point in time and then walk away from it. Privacy for Google is going to be an active, engaging conversation with our users from this point forward. I don't expect that's ever going to change and I'm excited about that. I'm excited about the challenge. I'm excited about my own leadership's engagement on this. I can say I sit on a group called the Privacy and Data Protection Office Steering Committee at Google. That includes me and a number of Sundar Pachai's direct reports. This is the senior most executive team at Google and we are now meeting weekly because this notion of user trust, this notion of privacy and security is so fundamental to the success of the company. Not just as a matter of regulatory or legal compliance, but as a matter of making sure that we are getting our relationship with our users right and that we are delivering to them the value that they want from their use of our products and services. And we're doing it in a way that they are comfortable with and they feel good about. I'm excited about the fact that I get to be part of that conversation with our users and that I feel this unfaltering support from our senior most leadership of the organization to make sure that we're making the right investments, that they're sustained investments, that we're doing them over time and that we're not becoming calcified. We're going to be flexible. We're going to work with regulators and policymakers around the world to understand their expectations to negotiate the best possible outcomes for users. It's going to be a very, very exciting journey over the next couple of years for folks who are practicing in the area of privacy and data protection, but I'm optimistic. I am fundamentally optimistic about technology, about the positive change that it could affect in users' lives all over the world. I am a strong proponent of Google's moral mission, our philosophical mission to bring the benefits of technology to users irrespective of their economic condition, irrespective of what kind of hardware they buy. We want them to realize the benefits of search, the benefits of maps, the benefits of all the different products and services that the internet ecosystem can bring to bear. I'm enthusiastic about stepping into this and making sure that Google is a force for positive change in this space.