Statement: Protective Role of the Stored Communications Act

A recent ruling by a California court has significantly weakened the privacy protections granted under the Stored Communications Act (SCA) to user data stored with service providers in the U.S. The ruling came in connection with a homicide case in which the defendant sought access to the victim’s electronic communications stored by Snap and Meta as part of their legal defense. Both companies refused to comply with the subpoenas, citing the SCA’s prohibition on disclosing such data. However, the court ruled that user data employed by service providers for their own business operations falls outside the SCA’s protections. While the decision affirms the defendant’s right to a fair trial by granting access to potentially exculpatory evidence, it does so at the expense of weakening privacy protections relied upon by billions of users worldwide. The decision is currently under appeal before the Supreme Court.

Designed to protect electronic communications from unauthorized access, the SCA prohibits service providers from disclosing user data to third parties without proper legal authorization. This legal framework serves as a critical safeguard for billions of users worldwide, particularly against politically motivated or malicious prosecutions by authoritarian regimes.

The aforementioned ruling has profound implications, particularly for individuals in the Global South, where digital privacy is already under threat due to pervasive state surveillance. If upheld, the decision could expose users to increased risks of governmental overreach. An overview of existing legal frameworks in the Global South, alongside recent transparency reports from major technology companies, highlights the growing threat of excessive data requests from countries with expanding surveillance regimes. The SCA plays a crucial role in resisting these requests and often serves as the last line of defense against government overreach. 

Several Global South nations have enacted legislation dramatically expanding government authority to access user data. Countries like Pakistan, Türkiye, and Thailand have expansive surveillance laws in place that compel tech companies to hand over user data under vague national security justifications. Pakistan’s Prevention of Electronic Crimes Act grants authorities sweeping powers to target journalists, activists, and civil society groups. Türkiye’s Social Media Law mandates local data storage for easy government access, and Thailand’s Computer-Related Crime Act is widely used to suppress dissent. These laws provide broad discretion for governments to demand data, often without judicial oversight, and rely on vague definitions, enabling governments to exploit them for greater digital control. 

Transparency data from January-June 2024 for Pakistan, Türkiye, and Thailand reveals that while Meta must sometimes comply with government data requests, it was able to protect user data in 18% to 47% of cases across these jurisdictions. More striking are Google and TikTok’s figures, with compliance often below 10%—particularly for non-emergency requests. Tech companies strategically leverage SCA protections to resist overreaching demands from these regimes.

The SCA’s protective value is even more evident in jurisdictions where data requests have historically been low. Egypt, Iraq, and Oman collectively made only 17 requests to Meta in early 2024, with Iraq and Oman receiving no compliance and Egypt facing a 67% rejection rate. Google and TikTok show similar patterns, with near-zero compliance except for emergency requests. This minimal engagement suggests that these governments recognize the SCA’s safeguards render speculative or politically driven data requests ineffective. Without these protections, governments that have previously shown restraint may escalate their demands, as companies would no longer have a legal basis to push back.

The lower court’s adoption of the “business purpose” theory, if upheld, would also create a two-tiered system where fundamental rights are determined by economic privilege. This would disproportionately impact users in the Global South, leaving billions vulnerable to state surveillance and political repression. To prevent this possibility, alternative legal frameworks must be explored—ones that balance the right to a fair trial with necessary privacy protections.

Government Data Requests & Compliance Rates (Jan – June 2024)

Notes

1. Regular Requests: These are formal, non-urgent requests made by governments to technology companies for user data. Such requests are not tied to life-threatening situations and typically follow standard legal processes . 
2. Emergency Requests: These are government requests made in situations involving serious physical danger, where the disclosure of information is necessary to prevent the emergency.
3. Local Subsidiary Requests: These are requests directed to a local subsidiary of the service provider rather than the parent company.
4. Oman (Google): The most recent government request to Google was made in 2018, and it was denied. 
5. Oman (Tiktok): No government requests were made to TikTok during the reporting period (January–June 2024).