Advancing customer control in the cloud
Thomas Kurian
CEO, Google Cloud
At Google, we know that transparency plays a critical role in earning and maintaining customer trust when it comes to customer data. That is why Google Cloud has taken steps to develop industry-leading product capabilities that enhance the control that our customers have over their data, and that give customers visibility into when and how their data is accessed. We think it is important to be clear at the outset about where we stand: our customers own their data and have the right to control access to it.
The CLOUD Act and the recently announced U.S./UK Agreement do not change our position and have not changed how we at Google address government requests to disclose enterprise customer data. Our team reviews and evaluates each and every one of the requests we receive for legal validity and appropriate scope, as well as for compliance with international human rights standards, our own policies, and applicable law. We do not provide "backdoor" direct access to any government and we do not hesitate to protect customer interests.
Today, we are announcing three new updates: a set of new principles, a recent court submission on this topic, and additions to our Transparency Report. Together, these efforts reflect our core belief that customers should have no less control over data stored with a cloud provider than they would if the data were stored in their own data centers.
Taking a principled approach to government advocacy
We have developed five principles that guide our advocacy efforts and help inform a more modern approach to enterprise data security policies worldwide. We look forward to working with governments, partners, customers, and others in the coming months to promote these principles where they exist and advocate for their enactment in jurisdictions that have not yet adopted them.
Approach enterprises directly. In the course of a legitimate legal investigation, if stored content or communications are sought, governments should request customer content directly from enterprises. Enterprises already expect this when running workloads on premises, so this is consistent with that process. This approach is also generally aligned with US government policy and European policy proposals.
Promote transparency. Enterprise customers should have a right to know when governments seek disclosure of their information and the public should understand how often governments are making these requests. Governments should support transparency efforts by providers and put forward their own transparency initiatives to ensure that administrative powers are being used responsibly.
Protect customer rights. Governments should follow legal process and provide clear paths for enterprises or providers to challenge requests for data. At a minimum, governments should provide direct notification to customers when they seek to compel service providers to disclose data. Google has opposed indefinite non-disclosure orders and has fought for the right to notify customers of government requests for data.
Support strong security. We will continue to innovate to provide customers with the best technology to protect the security and privacy of their information, including technical solutions that give customers greater control of their own data. Google will continue to support regulatory and legal reforms that promote rather than undermine such innovation.
Streamline government rules. Government engagement on a bilateral basis and in multilateral forums is critical for modernizing laws and establishing rules governing compelling the production of electronic evidence across borders in a manner that respects international norms and sovereignty. Google has supported these efforts and will continue to do so—including resolving potential conflicts of law and protecting the privacy and security of our customers.
We think that putting these principles into practice will help drive greater transparency surrounding customer control and government requests to disclose enterprise customer data. These principles also provide a consistent and lasting framework that will help both enterprises and governments develop predictable and normalized approaches to digital data.
Backing up our principles in court
In early 2019 we filed a legal challenge to protect a customer's right to know when its data is accessed, in a case that was recently partially unsealed by the United States Court of Appeals for the Second Circuit. Our lawsuit challenged two gag orders that restricted our right to speak about the US Government’s request to access enterprise customers’ data for a criminal investigation. It builds on our support for litigation to oppose indefinite non-disclosure orders. While there are valid reasons for governments to request access to data, it is also important to be transparent with customers about these requests.
Publishing more information about government requests for enterprise data
Early next year, we will begin to publish in our semi-annual transparency report the number of government requests we receive for Google Cloud Platform and G Suite enterprise customer data. The publication of this information is an important milestone in our efforts to improve transparency and help address broader uncertainty about how often governments are coming to Google to request access to enterprise customer data.
The story doesn’t end here. The three announcements we are making today demonstrate our continued commitment to helping our customers through both innovating in our technologies and advocating with governments. We will continue to evolve our products to offer even better customer controls and work with others to help drive forward policies that protect our customers’ data.