When a company stores data about its users, chances are that the police will sooner or later request some of those data. Which issues should you look out for?

1. Only answer to written orders, no oral requests. Sometimes the police calls with a request to provide certain data. You’re not obliged to co-operate. Also a request which does not clearly spell out its legal basis, does not have to be answered.

2. Investigate whether the request has the right legal basis. The powers of the police are very narrowly defined. The police may for example not request customer address details on the basis of the same provision which allows for requesting the contents of an email. So if, for example, a request relates to the contents of an email, but it refers to the legal basis for requesting address details, then a company does not have to answer the request.

3. Investigate whether it is clear what data is being requested. The police may only request specifically described data: fishing expeditions, such as ‘all IP-addressses of all visitors of your site in week 47’, will quite likely not be precise enough and can be challenged in court.

4. Investigate whether the requested data affect source protection or other interests. It is possible that there is a public interest in keeping requested data confidential. Releasing data could for example lead to revealing a journalistic source. The right to privacy can also be a reason to not hand over data. If you consider not complying with a request, then it is wise to ask for legal advice to identify the risks.

For questions, please contact Ot van Daalen, +31 6 5438 6680, ot.vandaalen@digitaldefence.net.