Google agrees to legal compliance monitor under novel DOJ settlement

The agreement seeks to ensure Google responds efficiently to subpoenas and search warrants, as required under the Stored Communications Act (SCA), the DOJ announced Tuesday.

The agency in 2016 approached Google with a search warrant related to a criminal investigation of a rogue cryptocurrency exchange, BTC-e. The DOJ received the warrant under the SCA, but Google refused to hand over all relevant communications, arguing the law pertained only to data stored in the United States.

In 2018, Congress clarified the law applies to data stored overseas by U.S. providers. When the DOJ returned to Google for the data, the company said it was lost.

“The warrant underlying this agreement was sought in connection with a significant criminal investigation,” said U.S. Attorney Stephanie Hinds for the Northern District of California in a press release. “This agreement will help to ensure that, moving forward, Google will maintain the technical capability and resources necessary to comply with lawful warrants and orders, such as the one at issue in this case, that are critical to federal criminal investigations.”

Under the stipulated agreement, Google must put in place procedures to ensure its timely response to legal requests and keep record of all missed deadlines, which will be available for the DOJ to review by request. The company estimated in the agreement it has already spent more than $90 million to improve its legal compliance program.

Google must create tools to allow it to quickly retrieve data requested in government investigations. It must ensure any new products follow the compliance requirements.

Google must have adequate staffing in its legal compliance department and allocate the necessary engineering resources to enable swift responses to legal requests.

The outside compliance expert Google hires will monitor the company “fulfills its legal obligations” under the agreement, the DOJ said.

“This agreement demonstrates the department’s resolve in ensuring that technology companies, such as Google, provide prompt and complete responses to legal process to ensure public safety and bring offenders to justice,” stated Assistant Attorney General Kenneth Polite Jr. of the DOJ’s Criminal Division.

The compliance professional must evaluate the company’s legal compliance policies and procedures and verify any assertions Google makes about the veracity of its legal compliance program. The expert also will help Google assemble reports and updates for the DOJ about its progress in enhancing its legal compliance program. These reports will be provided to a Google compliance steering committee, as well as the audit and compliance committee of its parent company Alphabet’s board of directors.

The agreement makes clear Google can continue to keep user data private, as allowed under the law, and doesn’t give the DOJ access to Google user data.

Alphabet did not respond to a request for comment.