Google agrees groundbreaking compliance measures in settlement with DOJ over lost data

Fallout from investigation into criminal crypto exchange leads to major commitment from search giant.

Google has settled a dispute with the US Department of Justice over its failure to comply with legal obligations relating to data held on a crypto exchange that was closed down for criminal activity. The dispute has led to a change in legislation and the establishment of a new compliance role.

The search giant has reportedly already spent $90m on improving its legal process compliance program, and has agreed “to ensure timely and complete responses to legal process such as subpoenas and search warrants, as required under the Stored Communications Act (SCA)”.

Third-party monitor

The agreement also establishes what the DOJ terms “a first-of-its-kind Independent Compliance Professional” (ICP) to be retained as an outside third party to monitor Google’s efforts in meeting its compliance obligations.

The settlement relates to a search warrant served on Google in 2016 demanding the company hand over data relating to the crypto exchange BTC-e. The exchange was the subject of a major criminal investigation over money-laundering, and was shut down in 2017.

Google halted efforts to execute the warrant after a Court of Appeal ruling that said SCA search warrants did not reach data stored outside the US. The search company said that because of the way its optimization algorithms worked in moving data around the world, it could not define what information it was required to give up.

Congress eventually intervened, passing the CLOUD Act, which specified that all related data in cases such as this should be handed over, regardless of where it was stored. Google had, in the meantime, tried to develop new tools that would prevent such data from being repatriated. But by the time Congress clarified that data stored overseas was covered, data the warrant sought had been lost.

The settlement sees Google commit to “numerous improvements to its legal process compliance program, as set forth in the filed agreement,” says the DOJ in a statement. “The improvements are tailored to ensure that Google complies with its legal obligations to respond to lawful court orders.”

Five actions

Actions to be taken by Google include:

  • Maintaining sufficient staffing levels to support enhancements to the program.
  • Allocating engineering resources to support legal process compliance.
  • Implementing processes and procedures to ensure timely response to legal process.
  • Generating a compliance timeline record for missed deadlines.
  • Developing tools to retrieve data in response to legal process, and developing plans for legal process responses relating to new product launches.

In addition, the ICP will be required to “verify the accuracy of assertions in all reports contemplated by the agreement and evaluate Google’s assessment of its compliance with the enhancements to Google’s Legal Process Compliance Program set forth in the agreement”. And Google must “assemble periodic reports and updates regarding its Legal Process Compliance Program and its implementation of the enhancements set forth in the agreement”.

These reports are to be provided to the US Government, the Google Compliance Steering Committee, and the Audit and Compliance Committee of the Alphabet Board of Directors.