Jump to Content
Security & Identity

Providing transparency into government requests for enterprise data

May 5, 2020
Pablo Chavez

Vice President, Government Affairs & Public Policy, Google Cloud

At Google Cloud, we’re committed to being transparent about when governments request our enterprise customers’ data. Today, to continue our company-wide efforts to build trust through transparency, Google published its semi-annual Requests for user information transparency report.

This version of the report represents an important step forward. For the first time, it breaks out the number of government requests we received for Google Cloud Platform and G Suite Enterprise Cloud customer data. Last October, we committed to publish this information in early 2020, and future transparency reports will continue to include it.

Let’s take a look at some of the data and takeaways from the report before looking at how we’re working to improve your control over, and visibility into, your data. 

Key Transparency Report takeaways for customers 

Now that we’re breaking out information on the government requests for data we received, we have four initial observations. These observations are based on the total number of government requests for user information (81,785) across all of Google we received from July 2019 to December 2019. 

First, the number of requests targeting enterprises (282) represents a very small percentage (0.3%) of the overall number of requests we received. Second, for requests relating to G Suite Enterprise Cloud customers, we produced data in a very small number of cases (152). In each case, we reviewed the requests to ensure they were consistent with our policies and practices outlined below, and applicable law. Third, we didn’t produce any Google Cloud Platform Enterprise Cloud customer data in response to government requests. Finally, with regard to public sector customers, we didn’t identify any requests that appeared to be from a national government seeking information about another national government. If we were to receive such a request in the future, we would redirect the requesting government to the customer and object to the request if necessary.

Moving forward, we trust that this enterprise-focused information will help address questions about how often governments are coming to Google to request access to enterprise customer data. 

Advocacy in support of customer control

Breaking out Google Cloud Platform and G Suite Enterprise Cloud customer data in our transparency report is part of our larger commitment to advancing customers’ control of their data in the cloud. We also advocate extensively, and litigate when necessary, to protect the interests of our enterprise customers. 

We continue to advocate for five global principles for governments to follow when making requests for enterprise data stored in the cloud: 

  • Approach enterprises directly 

  • Promote transparency

  • Protect customer rights 

  • Support strong security 

  • Streamline government rules for compelled production 

On the litigation side, in the United States Court of Appeals for the Second Circuit, our legal challenge to protect a customer's right to know when its data is accessed has progressed. We recently filed our reply brief to counter the government's arguments on secrecy and notice.

Improving technical controls in our cloud

We believe that customers should have the strongest levels of control over data stored in the cloud. To support that mission, we’ve  developed industry-leading product capabilities that enhance your control over your data and provide expanded visibility into when and how your data is accessed. Some of our recent product updates in these areas include: 

  • External Key Manager, which is now generally available, lets customers encrypt data with encryption keys that are stored and managed in a third-party key management system that is run outside Google.

  • Key Access Justifications (alpha for GCE/PD and Big Query) provides customers with a justification every time their externally hosted keys are needed to decrypt data and gives them the opportunity to approve or deny such requests. 

These products provide unprecedented levels of control over data in the cloud, and we’ll continue to update them based on customer needs. 

We are committed to building trust through transparency, and to helping to ensure our customers’ control over their data through legal and technical means. To learn more about our efforts, check out our whitepaper, “Government requests for customer data: controlling access to your data in Google Cloud.”

Posted in