> For a legal warrant you have to have probable cause that a specific person committed a crime. You can't just search everybody and see what sticks, that's blatantly unconstitutional.
Sure, though it’s worth noting that nothing prohibits the police from walking down the street and asking people. Those people don’t have to talk to the police, but…
Google will fight warrants like this. AT&T doesn’t. Other companies have varying policies on this.
Obviously, one can’t assume data is not available to law enforcement merely because the police would need a warrant to get it over a possessor’s objections.
I think something everyone should be aware of as well: there is no legal requirement that Google not hand over this data to police. A warrant is needed to force Google to hand over such data, but they don't need anything at all to ask Google nicely. And if Google decides it's in their best interest to comply without a warrant, they are the legal owner of the data, so ...
> there is no legal requirement that Google not hand over this data to police.
This isn't really true. The Electronic Communications Privacy Act prohibits third parties from sharing electronic communications without a warrant. It doesn't matter if they are the legal owner of the data, if it is about a third party that has fourth amendment protections.
IANAL, but the way I understood ECPA it only really protects communication while in transit, and both stored communications and data disclosed to third parties isn't really protected, depending on the context.
Search history, and Google's analytics about you, are a gray area, because you are communicating with Google, not using Google as a transport layer with an expectation of privacy.
Like, if the FBI asked me for my text messages with person X, I can hand them over if I want since they are my communications, but if they want the texts from my phone company they are legally protected. Using search is like texting Google.
Stored communications, data stored electronically is protected as well under the wiretap act. Search history, location history is covered, it requires a warrant.
I wonder if this is true for me as a EU citizen. Per the GDPR, companies can use personal data without consent when there is a legal requirement, but I think they can't just hand it out without consent when they just feel like it.
Maybe that is where the warrant comes in, to make it plausible that it is required?
I guess we'll find out when they arrest the first EU citizen based on this data.
The GDPR states that there is a list of purposes which allows member states law to restrict the scope of the GDPR[0]. One of these purposes is "the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security".
German law uses this to allow "non-public" controllers/processors (aka companies) to give data to German (and EU) law enforcement[1]. The police still needs to specify legal grounds, e.g. the investigation of a concrete alleged crime, and "drag net" investigations are generally not legal. The controller/processor has no obligation to give data to the police if they just ask, but it can if the police request is narrow enough and names the legal grounds. If there is a court order, that's another matter, then the company is obligated to provide the data.
But what about the US law enforcement wanting data about some German citizen within the scope of the GDPR and German law? A service provider is not allowed to give US law enforcement such data[2][3], but in this case the US law enforcement will usually use the mutual legal assistance treaty (MLAT) between the US and Germany to ask the German police for help, and the German police will then essentially ask for the data and (provided there are legal grounds) the service provider is allowed to pass data to the German police, which passes it back to the US law enforcement.
Legislation in other EU member states is mostly quite similar.
[3] But it really becomes complicated when the service provider is under US jurisdiction (in this example). Then the service provider is caught between competing law of two different jurisdictions and is in the unfortunate position to decide what law to break.
IANAL but the answer appears to be no. Even an actual warrant doesn't count. Legal processing has to be required by the law of an EU member state, US court rulings don't count
That's not to say I know how a Google would react to a US warrant about an EU citizen (especially given the CLOUD act https://en.wikipedia.org/wiki/CLOUD_Act) but from what I can tell it's not permitted under GDPR
How many keyword-search warrants have they fought? The article seems to suggest google has been providing data to the us government in the past and that this is an on-going collaboration.
Sure, though it’s worth noting that nothing prohibits the police from walking down the street and asking people. Those people don’t have to talk to the police, but…
Google will fight warrants like this. AT&T doesn’t. Other companies have varying policies on this.
Obviously, one can’t assume data is not available to law enforcement merely because the police would need a warrant to get it over a possessor’s objections.