How Google handles government requests for user information
Government agencies from around the world ask Google to disclose user information. We carefully review each request to make sure that it satisfies applicable laws. If a request asks for too much information, we try to narrow it, and in some cases we object to producing any information at all. We share the number and types of requests that we receive in our Transparency Report.
The way that we respond to a request depends on your Google service provider – for most of our services that’s either Google LLC, a US company operating under US law, or Google Ireland Limited, an Irish company operating under Irish law. To find which is your service provider, review Google’s Terms of Service or check with your account administrator if your Google Account is managed by an organisation.
When we receive a request from a government agency, we send an email to the user account before disclosing information. If the account is managed by an organisation, we’ll give notice to the account administrator.
We won’t give notice when legally prohibited under the terms of the request. We’ll provide notice after a legal prohibition is lifted, such as when a statutory or court-ordered gag period has expired.
We might not give notice if the account has been disabled or hijacked. And we might not give notice in the case of emergencies, such as threats to a child’s safety or threats to someone’s life, in which case we’ll provide notice if we learn that the emergency has passed.
Requests from US government agencies in civil, administrative and criminal cases
The Fourth Amendment to the US Constitution and the Electronic Communications Privacy Act (ECPA) restrict the government’s ability to force a provider to disclose user information. US authorities must at least do the following:
- In all cases: Issue a subpoena to compel disclosure of basic subscriber registration information and certain IP addresses
- In criminal cases
- Get a court order to compel disclosure of non-content records, such as the To, From, CC, BCC and Timestamp fields in emails
- Get a search warrant to compel disclosure of the content of communications, such as email messages, documents and photos
Requests from US government agencies in cases that involve national security
In investigations related to national security, the US government may use a National Security Letter (NSL) or one of the authorities granted under the Foreign Intelligence Surveillance Act (FISA) to compel Google to provide user information.
- An NSL doesn’t require judicial authorisation and can only be used to compel us to provide limited subscriber information.
- FISA orders and authorisations can be used to compel electronic surveillance and the disclosure of stored data, including content from services like Gmail, Drive and Photos.
Requests from government authorities outside the US
Google LLC sometimes receives data disclosure requests from government authorities outside of the US. When we receive one of these requests, we may provide user information if doing so is consistent with all of the following:
- US law, which means that the access and disclosure is permitted under applicable US law, such as the Electronic Communications Privacy Act (ECPA)
- Law of the requesting country which means that we require the authority to follow the same due process and legal requirements that would apply if the request were made to a local provider of a similar service
- International norms which means that we only provide data in response to requests that satisfy the Global Network Initiative’s Principles on Freedom of Expression and Privacy and its associated implementation guidelines
- Google’s policies which include any applicable Terms of Service and Privacy Policies, as well as policies related to the protection of freedom of expression
Because Google Ireland is responsible for providing the majority of Google services in the European Economic Area and Switzerland, it also receives requests for user information.
Requests from Irish government agencies
Google Ireland considers Irish law when evaluating requests for user information by an Irish agency. Irish law requires that Irish law enforcement authorities obtain a judicially-authorised order to compel Google Ireland to provide user information.
Requests from government authorities outside Ireland
Google Ireland offers services to users located throughout the European Economic Area and Switzerland, and we sometimes receive data disclosure requests from government authorities outside of Ireland. In this case, we may provide user data if doing so is consistent with all of the following:
- Irish law, which means that the access and disclosure is permitted under applicable Irish law, such as the Irish Criminal Justice Act
- European Union (EU) law applicable in Ireland, which means any EU laws applicable in Ireland including the General Data Protection Regulation (GDPR)
- Law of the requesting country which means that we require the authority to follow the same due process and legal requirements that would apply if the request were made to a local provider of a similar service
- International norms which means that we only provide data in response to requests that satisfy the Global Network Initiative’s Principles on Freedom of Expression and Privacy and its associated implementation guidelines
- Google’s policies which include any applicable Terms of Service and Privacy Policies, as well as policies related to the protection of freedom of expression
If we reasonably believe that we can prevent someone from dying or from suffering serious physical harm, we may provide information to a government agency – for example, in the case of bomb threats, school shootings, kidnappings, suicide prevention and missing persons cases. We still consider these requests in light of applicable laws and our policies.