Service Providers, Subpoenas, and the GDPR

By John DiGiacomo

Hi everyone. My name is John DiGiacomo and I am an attorney and a partner with Revision Legal, which is an internet and intellectual property law firm. And in that role I represent a lot of service providers. These service providers range from software-as-a-service providers, app makers, social network owners, and through that representation I see a lot of law enforcement requests. And I wanted to make this video to discuss how we look at these types of requests from law enforcement agencies and to explain the bodies of law that apply to these requests.

Now typically a request from a law enforcement agency, whether it is a local police department, a state police agency, or one of the many letter agencies, such as the FBI or the Secret Service or the DOJ, these will be either subpoenas, court orders or warrants. And in the case of law enforcement requests, there are really two types of information that law enforcement agencies seek. They either seek the content of communications or they will seek customer records.

And in both of these cases, the main body of law is a federal statute called the Stored Communications Act. And the purpose of that statute is to provide certain protections for communications and to explain the situations in which communications or customer records can be disclosed.

So let’s talk a bit about those scenarios. So let’s for example talk about a service provider that receives a subpoena. Now, when a service provider receives a subpoena, it can disclose communications or disclose customer records under certain scenarios. A service provider can voluntarily disclose the content of communications in certain scenarios, such as where the parties to the communications agree, when there is consent, as it’s necessary to provide the service. When there is an allegation of child pornography, a service provider can disclose that information, those content communications, to the National Center for Missing and Exploited Children or to law enforcement voluntarily only when those communications are obtained inadvertently and where the service provider believes that the communications pertained to the commission of a crime.

So a service provider cannot voluntarily provide communications to a law enforcement officer even in response to a subpoena. A service provider can, however, disclose customer records in response to a subpoena. So there are certain scenarios in which a service provider can disclose customer records voluntarily. Those are similarly consent, where it’s necessary to provide the service, to a governmental agency where there is what we call exigent circumstances. So those scenarios in which there is an emergency involving death or a serious injury, or again, to the National Center for Missing and Exploited Children, if there is an allegation that there might be child porn or child sexually exploited material on the service.

Now there are certain scenarios in which communications or content records are required to be disclosed. So if a service provider receives a warrant, then the service provider must disclose the content of communications to the government agency, to the law enforcement agency without prior notice. A service provider can also disclose the content of communications of a user to the government with prior notice in the case of an administrative subpoena or a court order. So this is an important distinction. Again, a service provider, receiving a warrant, can provide the content of communications of the user to a law enforcement officer without prior notice, but in the case of an administrative subpoena or a court order, the government must give prior notice to the user that is requesting the content of its communications.

Now in the case of customer records, a service provider is required to disclose customer records with a warrant, with a court order, and with the consent of the subscriber. Those are the three scenarios in which a service provider must disclose customer records. So if the law enforcement agency sends a warrant to the service provider and the service provider has information relating to a user, it must disclose customer records.

Well what are those? They are things like the email address, the user name, the phone number associated with the account, in some cases things like Google IDs or Apple advertising IDs, the geo-location, anything that is a non-content record that is associated with that user account. Now upon receiving law enforcement requests, service providers must retain evidence for a period of 90 days. So if there is an indication that there might be some type of requests coming from a law enforcement agency, service providers have a duty to ensure internally that any records associated with the user are preserved for a period of 90 days.

Now, one question that we get frequently now with the implementation of the General Data Protection Regulation in the European Union is what do I have to do when I am a European service provider operating in the United States? Well, under the GDPR, particularly the article 48, basically it’s an open question as to whether or not a service provider has the authority to transfer user information or the content of communications to a law enforcement agency located in the United States. But article 48 does provide an exception for a judgment of a court or a decision of an administrative authority, but those are really things that you find at the end of the case. They are not the discovery process, like a subpoena or a warrant that you find in the beginning or in the middle of the case.

Now, article six of the GDPR says that transfers can be made when they are necessary for important reasons of public interests. So in the case of, for example, a threatened school shooting, a service provider might be able to use the language of article six of the GDPR to disclose information about the user because it is necessary for important reasons of public interest.

Now the US recognized that this might be a problem and they recently amended the Stored Communications Act with an additional statute called the Cloud Act. It says that a provider may file a motion to quash a subpoena, an order or a warrant if the subscriber is not a US citizen or where there is a risk of violation of the GDPR.

So the big question, when you’re a European based service provider is do I believe that this disclosure will violate the GDPR or is this user a US citizen? If the user is a European citizen, it’s pretty clear that it’s going to violate GDPR. So the answer is you probably can’t disclose it. If it’s a US citizen, but there’s a question over whether or not GDPR applies because of the nature of the request, ultimately, you have to make the decision as to whether or not you’re going to disclose it or within 14 days, a very short time period, file a motion to quash the warrant, order, or subpoena.

Now, this is obviously a lot of information and I just wanted to give a basic overview of how this process works and how we think about these things from the perspective of an attorney who represents the service provider. But if you have questions, you should obviously talk to your own counsel. This is obviously just a very general overview. So thank you for watching. I appreciate you taking the time to watch this video. If you need any more information from us, feel free to ask us. Like the video, spread it around and reach out if you have any further questions. Thank you.
