A company that receives a gag order from a federal magistrate used to face a very easy choice: Comply or risk being held in contempt. It is therefore unsurprising that most companies have reflexively complied with gag orders and that prosecutors, facing little resistance from courts or companies, have sought such orders almost as a matter of course.
But that is all changing. Companies now have to worry about complying, not just with U.S. legal process, but with worldwide data privacy regulations.
Europe, in particular, has taken aim at U.S. gag orders. The European Commission recently approved standard contractual clauses, or SCCs. They would require U.S.-based companies that receive data from the EU to notify the transferring entity — the data exporter in the parlance of the General Data Protection Regulation — and the data subject of any U.S. government requests for the data.
If a gag order prohibits the U.S.-based company from providing such notice, the SCCs would require the company to use its best efforts to obtain a waiver from the gag order with a view to communicating as much information as possible, as soon as possible, and to document such efforts.[1]
Combine this with the recent criticism that technology companies have received for reportedly complying with gag orders concerning U.S. Department of Justice requests for data related to congressional members and staff, and the decision of how to respond to a gag order now looks much more complex. Here's a primer on how companies can navigate this increasingly complex terrain.
Background on Gag Orders
The Stored Communications Act regulates the government's ability to obtain data from a company that constitutes an electronic communication service or a remote computing service within the meaning of the statute. Section 2703 allows the government to issue subpoenas and to obtain search warrants and other legal process for data held by such companies.
Section 2705(b) permits courts to issue gag orders, officially known as nondisclosure orders, or NDOs, to prevent companies from notifying their customers of the existence of legal process issued under Section 2703.
To obtain an NDO, the government must show reason to believe that notification will result in:
- Danger to life or physical safety;
- Flight from prosecution;
- Destruction of evidence;
- Intimidation of witnesses; or
- Serious jeopardy to an investigation or undue delay of a trial.
Section 2705(b) does not explicitly cap the duration of NDOs, stating only that they may be issued for such period as the court deems appropriate.
The DOJ, however, issued a memorandum limiting the use of NDOs.[2] It requires that prosecutors:
- Conduct an "individualized and meaningful" assessment of the need for an NDO and only seek an NDO when circumstances require;
- Tailor NDO applications to include specific facts that satisfy the particular legal bases specified in Section 2705(b), rather than relying on boilerplate statutory language; and
- Refrain from seeking an NDO lasting over one year unless justified by exceptional circumstances. Prosecutors may seek to renew NDOs after one year if the facts continue to support nondisclosure.
Challenging a Gag Order in Court
Challenging an NDO is not easy. Recipients of such orders often have little information with which to question the magistrate's finding that disclosure may compromise a criminal investigation. The provider does not receive a copy of the government's application for the NDO. Rather, it only receives the NDO itself, which typically just parrots the language of Section 2705(b).
Apple Inc. illustrated the dilemma faced by many providers in response to revelations in June that it complied with a subpoena and NDO concerning data of congressional staff members. Apple explained publicly that, because the subpoena and NDO provided no information on the nature of the investigation, it would have been virtually impossible for Apple to dispute the court's findings.
Moreover, major technology companies receive thousands of data requests from law enforcement every week, making it difficult to meaningfully review, much less challenge, every NDO.
Still, there are some red flags that can be gleaned from the NDO itself, from the accompanying legal process or from the provider's own records that might indicate that an NDO is ripe for challenge.
1. The NDO exceeds one year in duration.
Several courts have held that NDOs of indefinite duration violate the First Amendment. Because NDOs impose a content-based prior restraint on the provider's speech, these courts subjected NDOs to strict scrutiny. And while the government's need for secrecy may be compelling in some cases, that interest will always expire at some point; these courts have therefore held that an indefinite ban can never be narrowly tailored.
Similarly, setting an expiration date, with the possibility of an extension upon a showing of continued need, will always constitute a less restrictive means of furthering the government's interest in protecting its investigation than an indefinite NDO.
Whether a court would uphold NDOs that last for a definite period of over a year is less clear. DOJ policy prohibits such NDOs, absent extraordinary circumstances, and several courts have suggested that 180 days might be a better default period.
Despite this guidance, it is not uncommon for courts to grant two-year NDOs, particularly in categories of cases that are considered especially sensitive, such as national security cases. But the subject matter of an investigation says very little about the length of time secrecy will be needed in any particular case. A company that receives an NDO lasting more than a year should consider challenging the government to justify why the extended period is necessary.
2. The NDO relates to an enterprise customer and does not permit disclosure to the enterprise's legal counsel and top executives.
DOJ guidance counsels against seeking data from an enterprise's cloud service provider, unless there is reason to believe the enterprise is "principally devoted to criminal conduct" or otherwise unwilling to comply with legal process.[3]
The guidance recognizes that the migration of business emails and other sensitive corporate documents from onsite storage to third-party cloud service providers has created a loophole under the SCA. It means that the government can now obtain a business's most sensitive information directly from its cloud provider, without the targeted company's knowledge, simply by obtaining legal process and an NDO under the SCA.
Providers should consider challenging any NDO that prohibits notification to an enterprise customer. To be sure, DOJ guidance is not legally binding, and in some cases, the government may have legitimate reasons to fear that notification to an enterprise might compromise the investigation.
Still, it may be worth challenging the government to show why there is not a single person in the enterprise who could be trusted with notification. As part of this challenge, a company may consider proposing the less restrictive means suggested by the DOJ, including serving preservation requests on the cloud provider before notifying the enterprise and limiting notice to particular trusted persons in the enterprise.
3. The NDO relates to a public investigation.
It is not uncommon for NDOs to relate to investigations that are already public. This may occur when the government has already indicted the target of the request or a related person, or otherwise officially confirmed the investigation, or where the existence of the investigation has been reported in the press.
While NDOs themselves rarely identify the nature of the investigation, some information may be gleaned from the accompanying subpoena, search warrant or 2703(d) order. Providers should try to determine whether an NDO appears to relate to a public investigation. If it does, this may be a basis to challenge the government to explain why there is nonetheless still a compelling need for secrecy.
4. The company is not subject to the SCA.
The SCA only applies to companies that constitute an electronic communication service or a remote computing service under the statute. As more and more companies provide their customers with internet access or the ability to communicate over the company's app, the reach of the SCA grows ever larger.
Indeed, the government has argued, successfully in some cases, that the SCA applies not only to companies whose primary business involves providing internet services but to any company that provides its customers with internet access or a chat function.
Companies that are not primarily and obviously engaged in providing electronic communication or storage to the public should consider whether to challenge process under the SCA, including NDOs, on the ground that the company is not covered by the statute.
How Providers Can Guard Against NDOs Going Forward
There are a number of steps that companies can take to protect themselves and their customers from NDOs.
Companies, in particular providers subject to the SCA, could consider implementing a policy of challenging government data requests and NDOs in certain specified circumstances. Microsoft Corp., for instance, has committed to challenging "every government request for public sector or enterprise customer data ... where there is a lawful basis for doing so."[4]
Companies could also include as part of the policy that they will challenge any NDO over a certain length of time or that relates to particularly sensitive accounts. Such policies may deter government overreach — prosecutors are well aware of each company's legal process policies, if published, and are less likely to push the envelope if they expect pushback. In addition, any policy showing a commitment to data protection could help a company comply with the GDPR and its data transfer provisions.
Companies, in particular providers subject to the SCA, could also consider formalizing a policy of disclosing government data requests to their customers whenever they are legally permitted to do so. In addition to demonstrating a commitment to privacy, these policies can help a company establish standing to challenge an NDO.
Companies could include a provision in relevant contracts with providers that requires notice to customers of government requests for their data. While contractual agreements obviously cannot trump a lawful court order, they can provide a more specific basis to challenge an NDO, both in negotiations with prosecutors and, if necessary, in litigation.
Indeed, lawyers for Google LLC and The New York Times Co. credited a contractual provision requiring Google to inform the Times of government data requests for its successful challenge to a recent NDO.
Companies might even consider adopting a policy of challenging every NDO that relates to data transferred from the EU. Such a policy may be necessary to comply with the SCCs' requirement that a data importer agree to "use its best efforts to obtain a waiver" of any NDO that would prevent the importer from disclosing a government request for data transferred pursuant to the SCC. Challenging every NDO concerning European data is not as difficult as it might seem.
A company can challenge an NDO without a particular reason to believe it was improperly issued. Rather, the company can simply demonstrate that the NDO implicates its First Amendment rights and, under strict scrutiny, the burden then shifts to the government to provide facts justifying the speech restriction.
Through this process, the provider's counsel may learn additional information with which to challenge the NDO. Even if the challenge fails, the provider's willingness to litigate on behalf of its customers may earn it goodwill with both its customers and European data protection authorities.
[1] Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN.
[2] "Policy Regarding Applications for Protective Orders Pursuant to 18 U.S.C. § 2705(b)," https://www.justice.gov/criminal-ccips/page/file/1005791/download.
[3] "Seeking Enterprise Customer Data Held by Cloud Service Providers," Computer Crime and Intellectual Property Section, Criminal Division, U.S. Department of Justice. December 2017, https://www.justice.gov/criminal-ccips/file/1017511/download.
[4] Brill, Julie. "New steps to defend your data," Microsoft on the Issues, November 19, 2020, https://blogs.microsoft.com/on-the-issues/2020/11/19/defending-your-data-edpb-gdpr/.