I received a request for user data from a police force. Do I have to comply?

Can’t a butcher or a banker do more harm than a telco? Public authorities inevitably seek to be able to access end user and communications data. Requests may be for user personal data under data protection laws or criminal or civil evidence rules. And legal intercept rules may apply to a much wider group than just providers of electronic communications services.

I received a request for user data from a police force. Do I have to comply?

Can’t a butcher or a banker do more harm than a telco? Despite demonopolization, communications still remains subject to various national level restrictions and controls. National security and fighting crime are part of the reason. Public authorities inevitably (and increasingly) seek to be able to access end user and communications data.

The most frequent data requests you may receive may be for user personal data. These do not depend on communications laws but on data protection laws – or in some cases criminal or civil procedural rules for the production of evidence. Where serious crimes appear to be involved, the temptation may be to comply easily. On the other hand, you are subject to data protection and privacy/communications secrecy laws and need to balance the rights and interests of your users, no matter what they may be accused of. Law enforcement entities should always follow the correct procedures e.g. serving formal notice signed by an officer of the correct level. Cross border requests from police forces in other territories there are additional requirements and the proper channel will usually be via the law enforcement authorities in your country. Bad requests are quite frequent – see Google’s transparency report (and on the same page there are links also to other major companies’ reports) – in 2013 it only complied with 65% of requests (and for some countries, a much lower proportion). Non-compliant requests may range from the ever-so-friendly “hi [first name], I’m a police officer” email to the stunningly blackmailish “we have your marketing director in the station and he’s not leaving till we get the data” (this really happened – but I stress not in an EU country).

If you are a provider of electronic communications services (usually defined as consisting in the conveyance of signals on electronic communications networks) then you may be subject in addition to data retention requirements – e.g. covering traffic data relating to the source, destination, date, time and duration (but not content) of communications – and authorities may demand this data in a similar way. The EU Data Retention Directive was annulled – but most Member States retain legislation in this area, though with greater deference to fundamental rights.

However, also be aware that legal intercept regulations are more technologically neutral – see 2001 Council Resolution on law enforcement operational needs with respect to public telecommunication networks and services:

“This document applies to all telecommunications services, circuit and packet switched, fixed and mobile networks and services. For fixed networks this includes, for example, PSTN and ISDN (Integrated Services Digital Network). For packet switched networks and services this includes, for example, GPRS, UMTS (Universal Mobile Telecommunications System), xDSL, TETRA (Trans European Trunk RAdio standard), Email/message services and other Internet telecommunications services. For PLMN this includes, for example, GSM (Global System for Mobile communications), CDMA, IS41, AMPS, GPRS, UMTS, TETRA. It also applies to S-PCS (Satellite Personal Communication Systems).”

So, for example, under the UK’s 2000 Regulation of Investigatory Powers Act (RIPA) legislation, interception can apply in relation to providers of a “telecommunications service” which means “any service that consists in the provision of access to, and of facilities for making use of, any telecommunication system (whether or not one provided by the person providing the service)”.

The takeaway is that intercept rules may apply to a much wider group than just providers of electronic communications services. So for example, most mobile applications would not fall within the definition of electronic communications services – however, applying the above definitions they might be required to comply with legal intercept warrant.

What do you do?

1) decide what your policy will be: Usually you will want to assess each case individually. On the other hand, if your service depends to great extent on user trust and pro-privacy PR and you are prepared to resist bad or borderline requests (and pay for those battles), then you should make ready for that. Or you might prefer the path of least resistance and have a default of complying habitually with any request, though this could alienate users and even encourage requests…

2) review your privacy statement: ensure that it is tailored to your attitudes and values but also realistic – if you say “we never provide your data to any third party” then there will be more explaining to do than if we add “except in order to comply with applicable laws or a request or order of a court or regulator, or from law enforcement or other public authority”. Unless this causes a high degree of resistance from users then this drafting still permits you to take each case on its merits.

3) know how to respond to different requests: in practice, if you reply firmly showing you know what you are doing, then fishing or speculative requests may disappear. If you show you tend to comply without analysis, then you may get drawn into multiple or follow-up requests. Then it is a question of dealing with the proper requests (not going beyond their terms or the law); and taking a reasonable view on any less than correct requests.

The onus should be on the requester to follow the rules and get it right – but that doesn’t always happen. Resisting requests on principle should not only be the domain of big-budget multinationals although, even if your marketing director has not been illegally detained, there may still be times where the benefits of complying outweigh the costs of resisting on purely formal grounds. In any event, a suitably flexible privacy statement and some basic preparation of standard responses for the most common situations may make all these situations easier to handle.