Priya Gupta
Associate Editor
Loyola University Chicago School of Law, JD 2024

In an action to keep company executives in check, the Justice Department (DOJ), created a policy where executives and compliance chiefs sign and personally attest to the effectiveness of their compliance programs. The individuals would therefore be held personally liable for their roles in the company’s wrongdoing. The DOJ and Google had a pending dispute, which was due to Google’s non-compliance with assisting authorities in an investigation. The DOJ and Google reached an agreement, with a stipulation attached, resolving the dispute over Google’s loss of data responsive to a 2016 search warrant. In the stipulation, Google has said that it has spent over 90 million dollars on additional systems and resources to improve its compliance programs, including an agreement to allow an Independent Compliance Professional to serve as a third party to monitor that Google is fulfilling its compliance legal obligations. This policy, as already seen in the settlement with Google, is forcing compliance to become a top-tier concern for big companies or face serious consequences.

The reasoning behind the policy

In order to hold company executives accountable for any possible role in their companies’ wrongdoing, the DOJ enacted a policy that forces companies’ chief executives and compliance chiefs to sign and personally attest to the effectiveness of their compliance programs. This policy would make chief executives and compliance chiefs personally liable if their compliance is not up to the standard they attested to. The DOJ would hold individuals accountable for their actions in the company’s wrongdoing, it is unclear how specifically the DOJ would hold them personally liable but it is likely to be monetary fines or legal action.

The policy’s first use was in a resolution in May between the DOJ and Glencore PLC. The DOJ is also concerned with compliance as a general issue and the deputy chief has stated that if a company that is trying to settle has their compliance leader as a low-ranking individual, they may pressure companies to give them more power.

What has Google agreed to?

In 2016, the United States obtained a search warrant under the Stored Communications Act (SCA) to gain access to data maintained by Google that related to an investigation into money laundering within the criminal cryptocurrency exchange. Under the SCA, providers such as Google are required to disclose customer communications when served with a warrant. Google and the DOJ litigated whether the warrant could reach data that was stored overseas and by the time the court found that it did, the data in question had been lost.

To settle and resolve the matter with the DOJ, Google agreed to implement major changes to its compliance program. Google will be required to upgrade its legal process compliance program to ensure that they are in compliance with its legal obligations and responses to investigations and court orders. Google is also implementing processes to ensure timely responses, generating a compliance timeliness record for missed deadlines, methods to retrieve data in response to legal processes, and developing legal response plans for new product launches. Google has already spent over 90 million dollars on its revamp, including an increase in staffing to help implement its updated compliance program. Lastly, Google has agreed to allow an Independent Compliance Professional to verify the accuracy of their reports and assertions made to the DOJ with regards to its compliance with their stipulated agreement.

How will this impact other companies?

Companies will only be impacted by this agreement if they falsely certify that they are in compliance with their policies when, in actuality, they are engaged in wrongdoing. As companies have varying sizes and role hierarchies, the DOJ has stated that the certifications required will be tailored to the structures of the entities involved. The agreement with Google has shown that the DOJ is serious about making sure companies provide resources to law enforcement and give prompt responses to the legal processes. An important note is that the agreement between the United States and Google does not give the government access to user data, meaning that the data not involved in current legal processes will never be seen by the government. Therefore, companies and users are still protected by the DOJ’s policy- which seeks only to keep higher execs accountable for their non-compliance.