<div class=”col-lg-9 content-page left-side”>
<section class=”section-a-single-resolutions resolutions-info top-content”>
<div class=”resolutions-contain”>
<div class=”top-content”>
<h4>Resolution Details</h4>
</div>
<div class=”bottom-content”>
<div class=”row-info”>
<strong>Company:</strong>
<p>Amazon.com, Inc.</p>
</div>
<div class=”row-info”>
<strong>Year:</strong>
<p>2026 </p>
</div>
<div class=”row-info”>
<strong>Issue Area:</strong>
<p>Human Rights & Worker Rights </p>
</div>
<div class=”row-info”>
<strong>Focus Area:</strong>
<p>Data Privacy/Surveillance/Cyber Security </p>
</div>
<div class=”row-info”>
<strong>Status:</strong>
<p>Filed</p>
</div>
</div>
</div>
</section>
<section class=”section-b-single-resolutions content-blocks”>
<div class=”top-content editor-block”>
<div class=”content-block”>
<div class=”main-content”>
<h2>Resolution Text</h2>
<p><strong>RESOLVED</strong>: Shareholders request the Board of Directors issue public reporting, prepared at reasonable cost and omitting proprietary information, assessing operational, reputational, regulatory and legal risks to Alphabet, Inc. (the Company) arising from gaps in the Company’s policies, controls, and oversight systems of customer and user data processed through Google Services and Google Cloud. The report should evaluate how governance gaps could lead Google’s products, infrastructure, or cloud services to facilitate surveillance, censorship, profiling, and targeting in contexts of governmental overreach and recommend risk-mitigation measures.</p>
<p>Alphabet’s business model depends heavily on the processing and storage of user and enterprise customer data across Google Services and Google Cloud. When customers misuse Google products, or when the Company’s own data-governance practices contradict their terms of service, Alphabet’s risk exposure includes:<br>
● Operational risk when misuse triggers regulatory intervention, including mandated tool restrictions, audits, or requirements to modify or localize cloud infrastructure. For example, Google settled a lawsuit in 2023 alleging that the Company collected personal information from users browsing with Chrome’s “incognito mode.”1<br>
● Reputational risks tied to data access and misuse in jurisdictions with expansive government access to personal data. Misuse of Google Cloud infrastructure can lead to violations of service-level agreements or data-processing terms if cloud tools are misused by customers or accessed by government actors beyond terms of service. For example, Google’s participation in Project Nimbus may not align with its data-governance principles that prohibit uses that “violate, or encourage the violation of, the legal rights of others,” or for any “invasive” purpose, or anything “that can cause death, serious harm, or injury to individuals or groups of individuals.”2 By accepting alert mechanisms and contract terms that limit Google’s ability to restrict governmental use of its cloud services, the Company appears to conflict with its acceptable use policy.3<br>
● Regulatory penalties leading to fines under the European Union’s General Data Protection Regulation (GDPR) of up to 4% of global annual revenue.4 Google has already faced major GDPR actions, including a €50 million fine from France’s data protection authority for inadequate transparency and consent processes.5<br>
● Litigation and class-action exposure when data is collected, processed, or accessed in ways inconsistent with user expectations or product disclosures. For example, in 2025, a U.S. federal jury ordered Google to pay US$425 million in damages for violating the privacy rights of almost 100 million users who alleged Google continued collecting device and usage data after they disabled tracking settings.6</p>
<p>Alphabet’s current risk disclosures address data security, government access, and reputational exposure but do not discuss downstream risks associated with customer deployments of Google Cloud or scenarios in which government access requirements or custom contracting terms may substantially increase risk. Shareholders would benefit from greater transparency into Google’s protocol to comply with its own privacy and data protection standards.</p>
<p>1 https://www.theguardian.com/technology/2024/apr/01/google-destroying-browsing-data-privacy-lawsuit<br>2 https://cloud.google.com/terms/aup<br>3 https://www.theguardian.com/us-news/2025/oct/29/google-amazon-israel-contract-secret-code<br>4 https://gdpr-info.eu/issues/fines-penalties/<br>5 https://www.edpb.europa.eu/news/national-news/2019/cnils-restricted-committee-imposes-financial-penalty-50-million-euros_en<br>6 https://news.bloomberglaw.com/class-action/google-violated-privacy-of-nearly-100-million-users-jury-finds</p>
</div>
</div>
</div>
</section>
</div>
<aside class=”col-xl-3 right-side”>
<div class=”column-contain”>
<div class=”position-groups”>
<div class=”row bs-1col node node–type-resolution node–view-mode-resolution-filers-only”>
<div class=”col-sm-12 col-md-8 bs-region bs-region–main”>
<div class=”views-element-container form-group”>
<div class=”view view-eva view-filers view-id-filers view-display-id-entity_view_3 js-view-dom-id-047a7428c3bdb8d1fc4457bd00b856442fb1fac1a86a8f5ad0de27719c0e4d50″>
<div class=”view-content”>
<h3>Lead Filer</h3>
<div class=”views-row”>
<div class=”views-field views-field-nothing”><span class=”field-content”> Marcela Pinilla</span></div><div class=”views-field views-field-title views-field-field-shareholder”><span class=”field-content”>Zevin Asset Management</span></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</aside>