Part One: Law Enforcement Requests Overview

Does your company handle customer data? If so, there’s a chance you have received a Law Enforcement request for data, such as a subpoena, court order or warrant. And if not, there’s a chance you soon will.

In today’s world, it’s nearly impossible to run a business without being online. Therefore, almost all companies have digital data. Because of this, many receive Law Enforcement (LE) requests related to active cases. For example:

• In 2021, Microsoft received 27,809 requests covering 44,650 accounts.
• In 2020, Adobe received 26 international requests and 114 US requests.
• From January 1 through June 30 of 2021, Amazon received 30,118 requests from global law enforcement, excluding AWS.

Law Enforcement requests are complicated. This is because there are many different types of requests for different types of data, and they are all managed under different laws.

Why is information requested?

Many times, law enforcement has a legitimate need for data in order to protect citizens. While investigating a criminal case, they may need access to digital evidence. So, law enforcement can request user data, with reasonable suspicion or probable cause, if it is determined to be relevant to an investigation.

What information can LE request?

The ABA House of Delegates approved the Criminal Justice Standards on Law Enforcement Access to Third Party Records in February 2012. It says law enforcement can request information such as “the content of communications; medical diagnoses, treatments, and conditions; Internet browsings; financial transactions; physical locations; bookstore and library purchases, loans, and browsings; other store purchases and browsings; and media viewing preferences.”

According to Microsoft, LE can request “non-content data” which includes basic subscriber information, such as an email address, name, state, country, ZIP code, IP address information, Xbox Gamertags and billing information.

LE can also request “content data.” This may include the content of an email, text or chat log. It can also include stored photos and videos.

As you can see, law enforcement has the right to request many different kinds of data, but the data they receive depends on what type of request they submit.

What are the different types of requests?

For this blog, we will focus on U.S. Law Enforcement requests. See the list below for a brief explanation of the various types of requests:

• Subpoena – A subpoena is the most common request type. It is a legally enforceable command to produce records such as subscriber information. Subpoenas can be submitted by a clerk of courts, an attorney or by law enforcement.
• Court Order – Courts can legally order the production of records and the disclosure of records for any non-content information.
• Search Warrant – A judge or magistrate issues search warrants for content data. It is a legally enforceable command that allows for search and seizure of specific evidence.
• Non-disclosure Order – Many legal requests include a non-disclosure or gag order. This prevents the entity from informing the user about the data request.
• A Mutual Legal Assistance Treaty (MLAT) is a process for members of foreign law enforcement to request data for use in enforcing public or criminal laws.
• U.S. National Security Letters are similar to subpoenas but relate to national security investigations.

What laws affect legal requests?

Privacy and security are paramount in the digital age. So, many laws affect when and how information is requested and shared with authorities. Following are just a few laws and regulations that affect the Law Enforcement request process.

• The Electronic Communications Privacy Act (ECPA) of 1986 provides protection for communications made or stored and applies to telephone and electronically-stored data.
• The Communications Assistance for Law Enforcement Act (CALEA) is a U.S. wiretapping act that applies to telecommunication companies.
• The General Data Protection Regulation (GDPR) is a legal framework for the collection and processing of personal information in the European Union.
• The Clarifying Lawful Overseas Use of Data (CLOUD) Act is an amendment to the Stored Communications Act. It allows U.S. law enforcement to assist foreign authorities in obtaining information from U.S.-based global providers.
• The Health Insurance Portability and Accountability Act of 1996 (HIPAA) relates to the protection of medical records and patient health information.
• The Family Educational Rights and Privacy Act (FERPA) protects the privacy of student records and provides parents with rights to their children’s education records.

Learn More

Interested in learning more about data privacy laws? Check out our blogs on Data Privacy Laws and Their Contributions and the CCPA.

In conclusion, Law Enforcement requests can be complicated, from the types of content to the types of requests, and the multiple laws that govern them. When your company receives legal requests, do you know if they follow the correct legal process? Do you have a point of contact for handling the request? Do you know if you are over- or under-disclosing data? How are you keeping track and making sure you are handling all requests in a timely manner?

Over this series of blogs, we will provide some tips on working with law enforcement and providing the correct information as dictated by law. Having a well-functioning Law Enforcement Request program can help you maintain your customers’ privacy, avoid any legal issues from non-compliance and assist in making the world a safer place.