P11. Data about third-party requests for user information

The company should regularly publish data about government and other third-party requests for user information.

Elements
  1. Does the company list the number of requests it receives by country?
  2. Does the company list the number of requests it receives for stored user information and for real-time communications access?
  3. Does the company list the number of accounts affected?
  4. Does the company list whether a demand sought communications content or non-content or both?
  5. Does the company identify the specific legal authority or type of legal process through which law enforcement and national security demands are made?
  6. Does the company include requests that come from court orders?
  7. Does the company list the number of requests it receives from private parties?
  8. Does the company list the number of requests it complied with, broken down by category of demand?
  9. Does the company list what types of government requests it is prohibited by law from disclosing?
  10. Does the company report this data at least once per year?
  11. Can the data reported by the company be exported as a structured data file?

Research guidance

Companies frequently receive requests from third parties to hand over user information. These requests can come from government agencies or courts (both domestic and foreign), as well as through private processes (i.e., non-governmental and non-judicial processes). We expect companies to regularly publish data about the number and type of such requests they receive, and the number of such requests with which they comply. Companies should disclose data about requests they receive by country, including from their home and foreign governments, as well as from law enforcement, courts and private processes. We also expect company disclosure to indicate the number of accounts affected by these requests and to delineate by category the requests with which the company has complied. We recognize that companies are sometimes not allowed to disclose requests for user information made by governments. However, in these cases, we expect companies to report what types of government requests they are not allowed to disclose by law. Companies should also report this data once a year and should ensure the data can be exported as a structured data file.

In some cases, the law might prevent a company from disclosing information referenced in this indicator. For example, we expect companies to publish exact numbers rather than ranges of numbers. We acknowledge that laws sometimes prevent companies from doing so, and researchers will document situations where this is the case. But a company will lose points if it fails to meet all elements. This represents a situation where the law causes companies to fall short of best practice, and we encourage companies to advocate for laws that enable them to fully respect users’ rights to freedom of expression and privacy.

Potential sources:

  • Company transparency report