- Google disclosed more than all other internet and mobile ecosystem companies evaluated—apart from top-ranked Microsoft—about policies and practices affecting privacy and freedom of expression, but still fell short in key areas.
- The company continued to lag behind its peers for weak governance and oversight over its impact on human rights, including freedom of expression and privacy.
- Google was less transparent about its security policies than many of its peers, and failed to disclose anything about its policies for handling data breaches.
Google tied with Verizon Media1 for the second-highest score among internet and mobile ecosystem companies, behind Microsoft.2 The company’s ranking dropped from first to second place in this year’s Index, due to the addition of the Google Drive cloud service to the evaluation, which had less clear disclosure and pulled down Google’s overall score.3 As a member of the Global Network Initiative (GNI), Google remained one of the stronger performers in the Index, disclosing more than most of its peers about policies and practices affecting freedom of expression and privacy. It was among a limited number of companies to improve its disclosure of policies affecting freedom of expression and, as in previous years, it was among the most transparent about how it handles government requests to remove content, deactivate accounts, or hand over user data. But there is ample room for improvement: Google failed to adequately disclose what user information it shares and also failed to give users clear options to control what data it collects and shares. It lacked transparency about what it does to keep user data secure, and provided no information whatsoever about its policies for responding to data breaches. It also failed to provide adequate redress mechanisms for users to communicate human rights grievances and obtain appropriate remedy.
Google LLC, a subsidiary of Alphabet Inc., is a global technology company with services that include Google Search, Gmail, YouTube, and Google Cloud. It also offers consumer hardware products and systems software, like its open-source mobile operating system, Android.
Market cap: USD 860.7 billion4 (Alphabet Inc.)
- Improve remedy: Google should be more accountable to users by providing clear and accessible channels for users to communicate human rights grievances and obtain appropriate remedy.
- Do more to protect privacy: Google should clarify what information it collects and shares, and for what purpose—and give users clear options to control what data is collected and shared about them.
- Clarify security practices: Google should disclose more about its processes for keeping user information secure and how it responds to data breaches.
For the third year in a row, Google continued to lag behind its peers in the Governance category, disclosing less about its governance and oversight over human rights issues than other members of GNI. While it made some progress by specifying that the board indeed has oversight over privacy issues at the company (G2)—which it had consistently failed to clarify since re-organizing under Alphabet in 2015—it remained opaque about governance of its freedom of expression and privacy commitments in other areas. Google stood out for its lack of clear and accessible channels for users to communicate human rights grievances and obtain appropriate remedy (G6). It failed to disclose if the scope of its risk assessments include evaluation of possible harms associated with enforcing its terms of service, its use of automated decision-making technologies, or its targeted advertising policies and practices (G4).
G2. Governance and management oversight
Google updated its disclosure about board-level oversight over privacy issues within the company after the company's reorganization under Alphabet.
Freedom of Expression
Google disclosed more than any of its peers about policies and practices affecting freedom of expression—it was among the few internet and mobile ecosystem companies to make improvements in this category—but still lacked transparency in key areas. The company’s lead in this category was primarily due to stronger transparency about its handling of government requests to remove content or deactivate accounts (F5-F6): it disclosed more about its processes and compliance with these requests than any other company apart from Verizon Media. Google also had relatively strong disclosure of its rules and enforcement processes compared to its peers—only Microsoft’s and Facebook’s terms were more clear—and it clarified that YouTube gives government agencies special status when flagging content that violates YouTube's rules (F3). Google also improved disclosure of its commitment to notify users when it restricts Gmail accounts (F8).
Although it took important steps to improve, Google’s transparency about the actions it took to enforce its own terms of service remained uneven (F4). In April 2018, YouTube released its first Community Guidelines Enforcement Report, which contained more comprehensive data about content the company removed for violating its rules (F4).5 However, Google disclosed nothing about actions it took to enforce its rules for other services. It also disclosed almost no data about its compliance with private requests to remove content or disable accounts—revealing significantly less information than Verizon Media, Twitter, Kakao, Microsoft, and Facebook (F7).
F1. Access to terms of service
Google provided the terms of service for Android mobile ecosystem in both English and Spanish.
F3. Process for terms of service enforcement
YouTube clarified that it gives government agencies special status when flagging content that violates YouTube's rules.
F4. Data about terms of service enforcement
YouTube disclosed more data about the nature and volume of content and accounts it restricted due to violations of its rules.
F8. User notification about content and account restriction
Google clarified a commitment to notify users when it restricts their account.
F11. Identity policy
Google improved its real name policies for developers.
Google tied with Apple for the second-best privacy score among internet and mobile ecosystem companies, after Microsoft. Its higher score in this category was a result of its strong disclosure of how it handles government requests for user information (P10, P11). Notably, Google made a clear commitment to challenge overbroad government requests, and provided clear examples and guidance of how it handles these types of requests (P10). Like other U.S. companies, Google did not divulge the exact number of requests received for user data under Foreign Intelligence Surveillance Act (FISA) requests or National Security Letters (NSLs), or the actions it took in response to these requests, since it is prohibited by law from doing so.6
Google lacked transparency about its handling of user data—despite revealing more information than most of its peers. It gave some information about what user information it collects (P3) but revealed less about what data it shares (P4). It improved its disclosure of its retention periods for some types of user information, but failed to disclose how long it retains each type of information collected, or whether it deletes all user information after users terminate their account (P6). Google also lost points for its vague disclosure of whether Android mobile users have the ability to turn off location data: the company previously stated that Android users could control whether the company collected location data through a setting at the device level. However, Google’s revised policy on managing location history stated that some location data may still be collected even when location history is turned off (P7).
Google was also less transparent about its security policies and practices, disclosing less than Apple, Microsoft, Kakao, and Yandex (P13-P18). While it earned the highest score for disclosing ways for users to keep their accounts secure (P17), it failed to disclose anything about its policies for handling data breaches (P15). Google disclosed that it encrypts user traffic by default, but did not provide an option for users to end-to-end encrypt their private content or communications for Gmail, YouTube, or Google Drive (P16).
P2. Changes to privacy policies
P6. Retention of user information
Google clarified how long it retains some user data.
P7. Users’ control over their own user information
For the Android mobile ecosystem, Google revised information about managing location data at the device level, disclosing that some services may still save users' data even if location data is turned off.
P17. Account security (internet, software, and device companies)
Google clarified that Android users can view their recent account activity.
 For Google’s performance in the 2018 Index, see: rankingdigitalrights.org/index2018/companies/google
 Bloomberg Markets, Accessed April 18, 2019, www.bloomberg.com/quote/GOOGL:US
 YouTube Community Guidelines Enforcement Report, transparencyreport.google.com/youtube-policy/removals?hl=en
 “USA FREEDOM Act of 2015,” Pub. L. No. 114–23 (2015), www.congress.gov/bill/114th-congress/house-bill/2048