Adobe Law Enforcement Guidelines

 

Last updated: August 5, 2021

 

As a service provider, Adobe is legally required to turn over user data that it hosts when it receives valid legal process from government authorities with proper jurisdiction. While we have full respect for the seriousness of law enforcement investigations, Adobe believes in users’ rights to due process and transparency, and because of this philosophy we don’t give governments direct or unfettered access to user data. Every request we receive is carefully reviewed by the Adobe Trust & Safety team to determine the validity of the legal process, to assess the proportionality of the request, and to ensure compliance with international data protection commitments made by Adobe.

 

These guidelines apply to user data hosted by Adobe, whether it relates to software purchases or installation, or user data hosted by one of Adobe's many online services.

 

Valid Legal Process Is Required

Our response to valid legal process depends, in part, on the user’s relationship with Adobe. For users who reside in North America, their relationship is with Adobe Inc. For users outside of North America, the relationship is with Adobe Ireland. All Adobe users are subject to our Terms of Use and Privacy Policy.

 

Adobe Users in North America

For Adobe users in North America, disclosure is governed by U.S. law, including the Federal Stored Communications Act (“SCA”), 18 U.S.C. §§ 2701-2712 . In general, we will turn over “basic subscriber” records (e.g., name, length of service, billing information, email address, registration IP address, and so on) in response to a valid subpoena that is issued in connection with an official criminal investigation. However, we require a search warrant issued upon a showing of probable cause under relevant state or federal law before we will turn over user content stored on our servers, such as photos, videos, documents, or email messages.

If a government authority outside North America issues a request for a North American user (and it is consistent with Adobe’s policies), we may respond in the following circumstances: First, if the request is issued by a U.S. court by way of a mutual legal assistance treaty (MLAT) or a letter rogatory. Second, if the request is consistent with (a) Adobe’s policies, (b) the laws of the requesting country, and (c) the principles of necessity and proportionality.

 

Adobe Users Outside North America

For Adobe users outside of North America, any requests must be addressed to Adobe Ireland. Disclosure is governed by Irish law, and any EU laws applicable in Ireland, including the General Data Protection Regulation (GDPR). A Mutual Legal Assistance Treaty request or letter rogatory may be required to compel the disclosure of user records under Irish law.

 

Preservation Requests

When we receive a preservation request from an agency investigating a crime, Adobe will preserve then-existing user data for 90 days in anticipation of receiving valid legal process. We require the request to be:

  • Issued and signed by or on behalf of a government entity, and
  • On official letterhead.

 

Data Retention

The length of time Adobe keeps different types of user data varies depending upon the nature of the service and type of data at issue (please see Adobe’s Privacy Policy for more information).

 

Provide Specific Information

We cannot comply with overly vague or broad requests. At a minimum, we typically need the Adobe ID of the user whose data you seek (or an email address associated with a registered Adobe ID), the name of the service or services at issue (e.g., Acrobat Sign, Behance, etc.), and a specific statement of the type of information sought.

For more information on the categories of data that may be available in response to a valid legal request, please refer our Privacy Policy (specifically, the section What information does Adobe collect about me?).

 

Notice to Users

It is Adobe policy to give notice to our users (and enclose a redacted copy of the request) whenever a government agency seeks access to their information unless we are legally prohibited from doing so. This is also true for requests pertaining to enterprise accounts (if the account is managed by an organization, we’ll give notice to the enterprise customer). For requests pertaining to enterprise customers, we seek to redirect the requestor directly to the enterprise customer.

 

For requests where U.S. law applies, make sure any Non-Disclosure Order (NDO) you serve on Adobe is time-limited and expires on a specific date or after a specific period (such as 90 or 180 days). For example, if we receive an NDO under 18 U.S.C § 2705(b), we will delay notice for the time period specified in the order and then notify the user once the order expires. Indefinite NDOs are not constitutionally valid in the U.S., and we challenge them in court. For requests subject to laws outside the U.S., we review and analyze our obligations on a case-by-case basis.
As a courtesy, we generally try to provide notice to the requesting party one week before the NDO is set to expire. Ultimately it is up to the requesting party to calendar the nondisclosure period and notify Adobe of any extensions. Once the statutory period has ended, Adobe provides notice to our users when they are the subject of an NDO.

 

Exceptions Allowing for Voluntary Disclosure

 

Emergency Requests

If law enforcement provides Adobe with information that gives us a reasonable, good faith belief that there is a risk of imminent harm (i.e., death or serious physical injury) to a person, and that we have information in our possession that may avert that harm, we may choose to disclose limited information when we have to protect human life, provided that such disclosure is consistent with Adobe’s policies and applicable law.

When issuing an emergency request, please provide the following information:

  1. The requesting agency and name of the law enforcement officer.
  2. A detailed description of the nature of the emergency and why the emergency is imminent (and, if known, the target of the threat).
  3. The email address associated with a registered Adobe ID of the subject account whose information is necessary to prevent the emergency.
  4. The specific information requested and why that information is necessary to prevent the emergency.
  5. All other available details or context regarding the circumstances.
  6. The signature of the submitting law enforcement officer.

Requests Related to Fraudulent Purchases

If the requesting party is based outside of North America and the request relates solely to the fraudulent purchase of goods or services on Adobe , Adobe Ireland may voluntarily and at its sole discretion, disclose basic purchase and delivery data where we have been provided with (a) legal process that is valid in the jurisdiction where the purchase was made, (b) facts indicating that someone has paid Adobe with a stolen credit card, and (c) we can verify there has been a chargeback or other indication of fraudulent activity on our end. All such requests must be made to Adobe Ireland using the contact information below and accompanied by an English language translation.

 

Preventing Child Exploitation

We report any images that appear to involve child exploitation to the National Center for Missing and Exploited Children (NCMEC). If you are a law enforcement agent reporting a child exploitation or child safety matter where there is a good faith belief that there is imminent harm, please let us know by following the procedure for reporting an Emergency Request (outlined above) so that we can address the matter as quickly as possible.

 

Cost Reimbursement

By law, we are entitled to recover costs associated with responding to requests for information. Fees apply on a “per Adobe ID” or per account basis. If your request is unusually broad or burdensome, additional fees may apply. It is Adobe policy to waive fees in matters involving child exploitation or imminent harm.

 

Service of Legal Process

Legal process can be served in-person or mailed to the appropriate Adobe office, or via fax as outlined below.

 

North America

Preservation requests, subpoenas, court orders, or search warrants seeking data regarding Adobe's North American users may be personally served at, mailed to, or faxed to our San Francisco office:

Adobe Inc.

Attn: Law Enforcement Requests

345 Park Ave.

San Jose, CA 95110

Fax: +1 415-723-7869

 

Outside of North America

All law enforcement requests seeking data regarding Adobe users outside of North America are administered by Adobe Ireland and therefore governed by Irish law (and must issue formal legal assistance requests through the Irish Department of Justice). Law enforcement requests should be addressed to, and Irish law enforcement may serve legal process on Adobe Ireland directly at the address below:

Adobe Systems Software Ireland Limited

Attn: Law Enforcement Requests

4-6 Riverwalk, City West Business Campus

Saggart, Dublin 24, Ireland

Fax: +353 1 686-5636

 

General Contact Information

Adobe's Law Enforcement Response Hotline: +1 415-832-7614

U.S. Law Enforcement Response Fax Line: +1 415-723-7869