Google conducts its AI model development through Google DeepMind, a subsidiary of Alphabet, headquartered in Mountain View, California. The organisation is fully exposed to US jurisdiction under the CLOUD Act and FISA Section 702, meaning US authorities can compel access to data processed anywhere in the world — a structural risk that cannot be mitigated contractually for EU regulated customers. On the compliance side, Google is among the more proactive large labs: it signed the EU GPAI Code of Practice as an early signatory in July 2025, holds ISO/IEC 42001:2023 (AI Management System) certification, publishes detailed model cards for the Gemma open-weights family, and maintains a published EU AI Act compliance programme through Google Cloud. The key risks for EU enterprises are pervasive CLOUD Act exposure with no EU-sovereign inference path on Stav, a sustained pattern of EU privacy enforcement (including a €325 million CNIL fine in September 2025), and an active US antitrust remedies order affecting Gemini distribution that remains under appeal.
Full CLOUD Act and FISA Section 702 exposure. Google LLC is a US-incorporated entity; US authorities can compel access to training data, model weights, and inference outputs globally — including data processed through Gemini API or Google Cloud AI services — without notifying EU data subjects. This is a structural risk that cannot be remediated by contractual measures (SCCs, DPA) alone.
Sustained and escalating GDPR/ePrivacy enforcement history: French CNIL fined Google three times for consent violations (€50M in 2019, €150M in 2021, €325M in September 2025). The 2025 fine — the largest CNIL action against Google to date — came with a compliance order and €100,000 daily penalties for non-compliance, and was triggered by Gmail ad display without consent and invalid cookie consent. The pattern of escalating fines indicates continuing regulatory risk.
Systemic risk designation under EU AI Act Article 51 for Gemini models (>10²⁵ FLOPs threshold). This triggers additional obligations including adversarial testing, incident reporting to the EU AI Office, and cybersecurity measures proportionate to systemic risk. Commission enforcement of these obligations begins 2 August 2026. Non-compliance by the provider could expose EU deployers using Gemini as a GPAI model to downstream liability.
Active and unresolved US antitrust proceedings: the September 2025 DOJ remedies order prohibiting exclusive Gemini distribution contracts is under cross-appeal by both Google and the DOJ at the DC Circuit. Oral arguments expected late 2026–early 2027. A separate ad-tech antitrust liability finding (April 2025) has triggered multiple private follow-on lawsuits. Final remedies scope is uncertain and could alter how Gemini reaches EU enterprise customers through third-party channels.
No publicly documented opt-out or removal mechanism for data subjects whose personal data may have been included in Gemma or Gemini pre-training corpora. This represents a potential gap under GDPR Article 17 (right to erasure) and Article 21 (right to object) for EU enterprises deploying models in regulated contexts, particularly healthcare, finance, and legal sectors.
Google expressed reservations about specific GPAI Code of Practice provisions relating to trade secrets and EU copyright law departures. While a full signatory, interpretation disputes on these specific provisions with the EU AI Office are possible, which could complicate compliance assessments for Gemini in regulated EU deployments.
Stav AI Act assessment
Editorial assessment, not legal advice. Stav's risk ratings, scores, and verdicts are our own analysis of publicly available information and may be incomplete or out of date. Verify independently before making compliance or procurement decisions.
The catalogue lists every family Stav knows about — including families we don’t yet host, so the picture stays authoritative.
Families served on Stav
Model compliance cards
Signed the EU GPAI Code of Practice (all three chapters: Transparency, Copyright, Safety and Security) as an early signatory when the Code was finalised on 10 July 2025, alongside Anthropic, Microsoft, OpenAI, IBM, Mistral AI, Cohere, and others. Signing the Safety and Security chapter implies acceptance of systemic-risk obligations under Article 55 of the EU AI Act.
ISO/IEC 42001:2023 (AI Management System) certification for Google Cloud Platform, Google Workspace, and Gemini App — one of the most AI-specific and EU AI Act-relevant certifications currently available; directly relevant to Article 53 GPAI transparency obligations.
Comprehensive security certification stack: ISO/IEC 27001:2022, ISO 27017, ISO 27018, ISO 27701, and SOC 2 (third-party audited, regular cycle) for Google Cloud — industry-leading certification coverage for enterprise regulated-sector deployments.
Detailed model cards published for all Gemma model families (Gemma 1 through 4 and 3n) covering architecture, training data categories, safety evaluations, red-teaming results, and prohibited use policies. Annual AI Transparency Report published since 2019. Both represent proactive disclosure well above the minimum required by the EU AI Act.
Operates one of the industry's longest-running and most comprehensive bug bounty programmes (Google VRP at bughunters.google.com), recently extended to cover generative AI vulnerabilities. Published Secure AI Framework (SAIF) for AI-specific security guidance.
Gemma 4 released under Apache 2.0 licence (April 2026) — the most permissive open-source licence used to date for the Gemma family, enabling EU enterprise customers to self-host, fine-tune, and redistribute without royalty obligations, eliminating CLOUD Act exposure on the inference leg when deployed on EU-sovereign infrastructure.
Privacy policy review
Creator profile
Google — operating its AI research through the wholly-owned subsidiary Google DeepMind — is a US-domiciled, CLOUD Act- and FISA 702-exposed organisation, making data sovereignty a primary concern for EU regulated customers. On the compliance side, it has taken materially positive steps: it became an early signatory to the EU GPAI Code of Practice, holds ISO/IEC 42001:2023 certification for Google Cloud Platform, Workspace, and Gemini, publishes detailed model cards for all Gemma releases, and has published AI principles annually since 2018. The principal EU risk signals are ongoing active GDPR enforcement actions (a CNIL cookie-consent fine issued in 2025), two US federal antitrust findings of illegal monopolisation in search and ad-tech whose remedies now explicitly extend to Gemini AI products, and the inherent jurisdictional exposure that means any data processed through Google APIs is reachable by US government orders.
Stav editorial summary
Google is a United States entity. Training data and weights produced under United States jurisdiction are covered by the CLOUD Act.
Exposed on training. Inference is unaffected when hosted on Stav infrastructure inside the EEA.
Stav compliance has not yet scored Google. Scores are published once the policy review and infrastructure assessment are complete.
Findings
Citations gathered when the Compliance Curator last reviewed this creator’s public-facing documents. Grouped by source so the picture stays auditable.
“Alphabet Inc. is an American multinational technology conglomerate holding company headquartered in Mountain View, California. It was created through ...”
“Pichai Sundararajan (born June 10, 1972), better known as Sundar Pichai (pronounced: /ˈsʊndɜːr pɪˈtʃeɪ/), is an Indian–American business executive who...”
“Google DeepMind, trading as Google DeepMind or simply DeepMind, is a British-American artificial intelligence (AI) research laboratory which serves as...”
Published dedicated EU AI Act compliance programme through Google Cloud, including proactive blog posts (July 2024 and July 2025), compliance page at cloud.google.com/security/compliance/eu-ai-act, and commitment to updating all model compliance artefacts ahead of the August 2026 enforcement commencement date.
Strong open-source community engagement: Gemma 4 released with support across Transformers, llama.cpp, MLX, WebGPU, and Rust frameworks in collaboration with HuggingFace; Kaggle integration provides accessible fine-tuning environment; Google AI for Developers portal active with documentation and tutorials.
Alphabet is a financially robust, publicly listed entity with a consistent AI-first strategy and active model release cadence. Google DeepMind is operating at scale under unified leadership (Demis Hassabis) with regular Gemma and Gemini releases — not contracting. No layoffs or operational disruptions affecting the AI research division reported.
Published safeguards & certifications
“We were among the first organizations to publish AI principles in 2018, and have published an annual transparency report since 2019. We consistently r...”
“We're thrilled to announce that Google Cloud has achieved an accredited ISO/IEC 42001:2023 certification for our AI management system.”
“This release includes open-weights models in both pre-trained and instruction-tuned variants.”
“Google’s Vulnerability Reward Program paid a record $17M in 2025, up 40%, rewarding 700+ ethical hackers for reporting critical vulnerabilities. Google...”
“Google's decision to sign the EU's AI Code of Practice marks a pivotal moment in artificial intelligence governance.”
“Today the Antitrust Division of the Department of Justice prevailed in its second monopolization case against Google. In United States et al. v. Googl...”
“Google this week announced a new dedicated AI Vulnerability Reward Program (VRP) that builds on the 2023 Abuse VRP extension covering issues and vulne...”
“Perhaps the most forward-looking aspect of Judge Mehta’s September 2025 ruling was its explicit extension to generative AI products. The remedies proh...”
“Google fined $379M by CNIL for invalid cookie consent; failure to comply risks €100K daily penalty.”
“DeepMind researchers could no longer operate in the abstract: “Now the technology development is completely coupled with the product itself,” says Kor...”
“Indeed, within weeks of the Code’s publication, dozens of tech firms – including Amazon, Google, Microsoft, OpenAI, Anthropic and others – had volunta...”