What Google does when a government requests your data

Summary: In a "frequently asked questions" page, the search giant explains what exactly happens when a government agency or law enforcement requests your personal or private data.

US vs. non-US requests

Because Google is a US-based company, the firm falls squarely under US law, which makes it difficult for it to ignore a request from its home government.

The company explained that under one particular strand of US law, requests for "stored data" can be made, but that requests can also fall under different areas of law--including the Patriot Act, among others. Because Google is effectively a data-storage company, in that it stores your data online so you can access it at any point in any location, most of its requests fall under a specific "stored data" law.

"By far the most common is the subpoena, followed by search warrants. A federal statute called the Electronic Communications Privacy Act," the same law that General David Petraeus was busted for during the "Gmail-affair-gate" controversy, "known as ECPA, regulates how a government agency can use these types of legal process to compel companies like Google to disclose information about users. This law was passed in 1986, before the web as we know it today even existed. It has failed to keep pace with how people use the Internet today."

While ECPA can allow a government agency to compel the disclosure of certain kinds of data with a subpoena or an ECPA court order, "Google requires an ECPA search warrant for contents of Gmail and other services based on the Fourth Amendment to the US Constitution, which prohibits unreasonable search and seizure."

Google works with the Digital Due Process Coalition, a group that "[seeks] updates to this important law so it guarantees the level of privacy that you should reasonably expect when using our services."

EU law makes it difficult--though not impossible--for Google to hand over data to non-EU countries.

If Google was based in the European Union (EU), however, the situation would be slightly difficult. It's not easy for a European-based firm to hand over data to a country's government that doesn't have the same strict data-protection rules as the 27 member-state bloc of the European Union.

However, in some "emergency cases," the search giant will "voluntarily disclose user information to government agencies when we believe that doing so is necessary to prevent death or serious physical harm to someone." If a US or foreign law-enforcement agency tells Google that a case involves "kidnapping or bomb threats," for example, Google said the "law allows us to make these exceptions" and help authorities if the request is valid and an immediate threat to life exists.

How Google responds to foreign, non-US governments

But outside the US, Google doesn't really have the same level of requirement to hand over data to foreign governments or law-enforcement agencies--particularly if Google doesn't have a physical presence in the country of that requesting state.

Mutual Legal Assistance (MLA) allows a government to seek help from the foreign government of the country where a person or company resides, because the requesting government has no jurisdictional power there.

In this case, it means a foreign government--like the UK, France, or Germany, for example--would have to put in an "MLA request" to the US Department of Justice requesting help. The government agency would then knock on Google's big-data door as it has jurisdictional power.

MLA treaties exist between most countries in the world, but not all. This means it can keep some countries at a distance in order to prevent other governments from harming their own citizens, such as in Syria.

"If US law is implicated in the investigation, a US agency may open its own investigation and provide non-US investigators with evidence gathered. Google may also disclose data in response to emergency disclosure requests when we believe that doing so is necessary to prevent death or serious physical harm to someone," the FAQ noted.

If a non-US agency goes through a diplomatic channel such as an MLA request, "Google would produce the same information as if the request originated directly from a US agency."

However, Google will still occasionally hand over data under "emergency requests" to foreign governments on a "voluntary basis." Also, the company may provide user data to foreign, non-US governments if that government's request is "consistent with international norms," which allows Google to flat-out deny countries that may use that data to crack down on dissidents or political activists--ahem, China.

But MLA isn't the only option for foreign governments

"There are many ways that other countries can obtain information from companies like Google outside of the [mutual legal assistance] process, including joint investigations between US and local law enforcement, emergency disclosure requests, and others."

The "others" bit is interesting, however. Some foreign governments have laws that could force Google, and other companies based in the US and around the world, into taking actions locally, rather than where they are headquartered. For instance, the UK government could invoke the Terrorism Act or the Regulation of Investigatory Powers Act (RIPA) against Google UK, which could force the UK-based subsidiary into handing over local data, and prevent it from telling its parent company.

It could also work in reverse, with the US government forcing a Google subsidiary in the UK or Europe to hand over data belonging to an EU citizen--in spite of strong European data-protection laws--back to the US without that person's knowledge. But, Google will "sometimes fight to give users notice of a data request by seeking to lift gag orders or unseal search warrants." With some areas of US law, that would still be nigh on impossible.

These cases are hypothetical, but entirely possible--and if they do happen, very rare.

The bottom line

Google has done something extraordinary here. Through leaked documents and law-enforcement guides, it has been previously disclosed how some companies--Facebook comes to mind--deal with requests from law-enforcement agencies.

But it's very rare for a company as large as Google to openly admit that not only does data get requested by governments around the world, but that it actively gives that data away where it is all but forced to by local and international law. Google's pioneered the Transparency Report for many years, whereas Microsoft recently found itself in the firing line over Skype sans transparency.

The move should be applauded. That said, the company can only do so much. It can say "how," but not "why."

Speaking to NPR, Drummond said that Google still can't disclose "whether fraud cases generate more requests than, say, national security." He added: "The problem is, in the vast majority of cases, we don't know. Right? And the government isn't required to tell us what they're investigating."

Topics: Privacy, Google, Government, Security

About

Zack Whittaker writes for ZDNet, CNET, and CBS News. He is based in New York City.
