Google Inc. (Alphabet Inc.) | Risks Arising From Gaps in Oversight of Customer/User Data Processed through Goo at Google Inc. (Alphabet Inc.)

Status
Filed
Previous AGM date
Resolution details
Company ticker
GOOGL
Resolution ask
Report on or disclose
ESG theme
  • Social
ESG sub-theme
  • Cyber security
  • Digital rights
Type of vote
Shareholder proposal
Filer type
Shareholder
Company sector
Technology
Company HQ country
United States
Resolved clause
RESOLVED: Shareholders request the Board of Directors issue public reporting, prepared at reasonable cost and omitting proprietary information, assessing operational, reputational, regulatory and legal risks to Alphabet, Inc. (the Company) arising from gaps in the Company's policies, controls, and oversight systems of customer and user data processed through Google Services and Google Cloud. The report should evaluate how governance gaps could lead Google's products, infrastructure, or cloud services to facilitate surveillance, censorship, profiling, and targeting in contexts of governmental overreach and recommend risk-mitigation measures.
Supporting statement
Alphabet’s business model depends heavily on the processing and storage of user and enterprise customer data across Google Services and Google Cloud. When customers misuse Google products, or when the Company’s own data-governance practices contradict their terms of service, Alphabet’s risk exposure includes:

  • Operational risk when misuse triggers regulatory intervention, including mandated tool restrictions, audits, or requirements to modify or localize cloud infrastructure. For example, Google settled a lawsuit in 2023 alleging that the Company collected personal information from users browsing with Chrome’s “incognito mode.”[1]
  • Reputational risks tied to data access and misuse in jurisdictions with expansive government access to personal data. Misuse of Google Cloud infrastructure can lead to violations of service-level agreements or data-processing terms if cloud tools are misused by customers or accessed by government actors beyond terms of service. For example, Google’s participation in Project Nimbus may not align with its data-governance principles that prohibit uses that “violate, or encourage the violation of, the legal rights of others,” or for any “invasive” purpose, or anything “that can cause death, serious harm, or injury to individuals or groups of individuals.”[2] By accepting alert mechanisms and contract terms that limit Google’s ability to restrict governmental use of its cloud services, the Company appears to conflict with its acceptable use policy.[3]
  • Regulatory penalties leading to fines under the European Union’s General Data Protection Regulation (GDPR) of up to 4% of global annual revenue.[4] Google has already faced major GDPR actions, including a €50 million fine from France’s data protection authority for inadequate transparency and consent processes.[5]
  • Litigation and class-action exposure when data is collected, processed, or accessed in ways inconsistent with user expectations or product disclosures. For example, in 2025, a U.S. federal jury ordered Google to pay US$425 million in damages for violating the privacy rights of almost 100 million users who alleged Google continued collecting device and usage data after they disabled tracking settings.[6]

Alphabet’s current risk disclosures address data security, government access, and reputational exposure but do not discuss downstream risks associated with customer deployments of Google Cloud or scenarios in which government access requirements or custom contracting terms may substantially increase risk. Shareholders would benefit from greater transparency into Google’s protocol to comply with its own privacy and data protection standards.

[1] https://www.theguardian.com/technology/2024/apr/01/google-destroying-browsing-data-privacy-lawsuit
[2] https://cloud.google.com/terms/aup
[3] https://www.theguardian.com/us-news/2025/oct/29/google-amazon-israel-contract-secret-code
[4] https://gdpr-info.eu/issues/fines-penalties/
[5] https://www.edpb.europa.eu/news/national-news/2019/cnils-restricted-committee-imposes-financial-penalty-50-million-euros_en
[6] https://news.bloomberglaw.com/class-action/google-violated-privacy-of-nearly-100-million-users-jury-finds

DISCLAIMER: By including a shareholder resolution or management proposal in this database, neither the PRI nor the sponsor of the resolution or proposal is seeking authority to act as proxy for any shareholder; shareholders should vote their proxies in accordance with their own policies and requirements.

Any voting recommendations set forth in the descriptions of the resolutions and management proposals included in this database are made by the sponsors of those resolutions and proposals, and do not represent the views of the PRI.

Information on the shareholder resolutions, management proposals and votes in this database has been obtained from sources that are believed to be reliable, but the PRI does not represent that it is accurate, complete, or up-to-date, including information relating to resolutions and management proposals, other signatories’ vote pre-declarations (including voting rationales), or the current status of a resolution or proposal. You should consult companies’ proxy statements for complete information on all matters to be voted on at a meeting.