Oracle Cloud Law Enforcement Data Request: Police & Government Guide
How police, prosecutors and government investigators request data from Oracle Cloud Infrastructure: the processor-vs-controller model, redirect-to-customer policy, what Oracle holds directly, US legal thresholds, customer notice and foreign (MLAT) requests.
This guide offers general, practical orientation for law-enforcement officers, prosecutors and government investigators who need data held by or through Oracle Cloud Infrastructure (OCI). It is not legal advice. Process must always be obtained and served under your own jurisdiction's legal authority, and the steps below are a starting framework, not a substitute for your agency's legal counsel or Oracle's own current guidance.
- For customer content, Oracle generally points you to its enterprise customer (the data controller): the organisation that runs the OCI tenancy decides, stores and can access its own data, so it is usually the faster and more complete source.
- Oracle acts mainly as a data processor and says it generally has no insight into what customers store in their cloud services.
- Oracle holds account-level records directly: subscriber, billing and subscription data, and certain service logs tied to the tenancy.
- Oracle is US-based, so US legal process (the Stored Communications Act) and, for foreign agencies, MLAT or a qualifying CLOUD Act agreement, typically apply.
- Oracle's policy is to notify the affected customer and to challenge requests that are not legally valid and binding, unless notice is lawfully prohibited.
The processor-vs-controller distinction
Like AWS, Microsoft Azure and Google Cloud, Oracle Cloud Infrastructure is an enterprise infrastructure-as-a-service platform. The enterprise customer that operates the OCI tenancy is the data controller: it decides what data to collect, how it is processed, and which region it is stored in. Oracle is the data processor, hosting that data on the customer's instructions. Oracle states that, as a cloud provider, it generally has no insight into the content customers store in their cloud services.
The practical consequence for investigators: if you are after the content a customer organisation stores in OCI (databases, application data, files, mailboxes hosted on its instances), the customer is almost always the right and better target. Oracle's stated policy is to use reasonable efforts to redirect the requesting authority to the customer, because the customer is best placed to identify and produce its own data. Where the suspect is an individual or organisation that is itself an Oracle customer, serve that customer directly.
What Oracle holds directly
Oracle retains the records created by the commercial relationship with the account holder, rather than the customer's stored content. In general terms that means:
- Cloud account / subscriber identity: the registered organisation or person, contacts and administrator details.
- Billing and payment records, and subscription / service-order history.
- Certain service and operational logs tied to the tenancy that Oracle generates as the provider (availability and retention vary by service).
Oracle does not publish a granular, field-by-field data inventory for law enforcement, and its public law-enforcement material is comparatively thin. Treat the categories above as the realistic envelope of what Oracle itself can produce, and be specific in your request about the account identifiers (tenancy OCID, account email, order number) you can supply.
US legal thresholds
Oracle is a US company, so disclosure of records to law enforcement is generally analysed under the US Stored Communications Act (SCA). As a working guide, the SCA scales the legal instrument to the sensitivity of the data:
- Subpoena (administrative or grand jury): generally used for basic subscriber and billing records.
- Court order (often a "2703(d)" order): for non-content transactional and log records.
- Search warrant based on probable cause: for stored content. In practice Oracle will normally redirect content requests to the customer regardless.
Oracle says it assesses every request on a case-by-case basis to confirm it is legally valid and binding, and will resist or challenge requests that are not. Domestic US agencies should serve valid process; the precise instrument is a matter for your prosecutor.
Preservation vs production
Preservation and production are distinct steps. A preservation request asks Oracle to retain existing records so they are not lost to routine deletion while you obtain legal process; it does not itself compel disclosure. Production is the compelled handover of records under a subpoena, order or warrant. Oracle's transparency reporting recognises preservation requests as a category. Send a preservation request early, with precise account identifiers and a clear scope, then follow with the appropriate compulsory instrument.
Customer-notice policy
Oracle's stated policy is to promptly inform the affected customer of a request and, for content, to redirect the authority to that customer, unless Oracle is prohibited by law from giving notice. Where you need non-disclosure to protect a criminal investigation, you must obtain the appropriate legal prohibition (for example a non-disclosure order accompanying your process). Oracle has stated that if it is barred from notifying the customer it will ask the requesting authority to waive that prohibition, so build the legal basis for secrecy into your request rather than assuming confidentiality by default.
Foreign law enforcement and MLAT
Because Oracle is US-based, agencies outside the United States generally cannot compel Oracle directly. The traditional route is a Mutual Legal Assistance Treaty (MLAT) request or letter rogatory channelled through the US Department of Justice, which is reviewed by a US court. A faster alternative exists only where a qualifying bilateral CLOUD Act agreement is in force (for example the US-UK agreement, in force since October 2022). Oracle has stated that the CLOUD Act does not change how it handles disclosure requests. For European deployments, Oracle's EU Sovereign Cloud has dedicated EU legal teams that review each access request under applicable EU law. Foreign investigators should still consider whether the relevant customer organisation in their own jurisdiction can produce the data directly, which often avoids the MLAT delay entirely.
Suggested workflow
- Identify whether you need account-level records (Oracle) or stored content (almost always the customer). Where possible, serve the customer organisation directly.
- Gather precise identifiers: tenancy/account OCID, registered email, organisation name, order or invoice numbers, and the exact data and date range sought.
- Send a preservation request immediately to stop routine deletion while you obtain process.
- Obtain the correct legal instrument for the data category (subpoena, court order, or warrant), and a non-disclosure order if secrecy is required.
- Serve valid legal process on Oracle through its legal channels; foreign agencies route via MLAT or a qualifying CLOUD Act agreement.
- Expect Oracle to validate the request, notify the customer unless lawfully prohibited, and for content to redirect you to the customer.
Who holds what, and how to get it
| What you want | Who holds it | How to get it |
|---|---|---|
| Customer content (databases, files, application/email data in the tenancy) | The enterprise customer (data controller) | Serve the customer organisation directly; Oracle will generally redirect you to them |
| Account / subscriber identity | Oracle | Subpoena or applicable legal process to Oracle Legal |
| Billing, payment and subscription records | Oracle | Subpoena or applicable legal process to Oracle Legal |
| Provider-side service / operational logs | Oracle (availability varies by service) | Court order or warrant as appropriate; specify service and date range |
| Preservation of existing records | Oracle | Written preservation request with precise identifiers |
| Data sought by a non-US agency | Oracle (US) or the customer | MLAT / letter rogatory via US DOJ, or a qualifying CLOUD Act agreement; or serve the customer in your jurisdiction |
Frequently asked questions
Can I get a customer's data straight from Oracle? Usually not for stored content. Oracle treats that content as the customer's and will generally redirect you to the customer, who controls and can access it. Oracle will produce account, billing and subscription records it holds directly under valid process.
Will Oracle tell the customer about my request? Yes by default. Oracle's policy is to notify the affected customer unless it is lawfully prohibited. If you need secrecy, obtain a non-disclosure order and serve it with your process.
I am outside the United States. How do I compel Oracle? Generally through an MLAT request or letter rogatory via the US DOJ, or a qualifying CLOUD Act agreement where one is in force. Often the quickest path is to serve the relevant customer organisation in your own jurisdiction.
Does a preservation request mean I will receive the data? No. Preservation only stops records being deleted. You still need a subpoena, court order or warrant to compel production.
Related guides
- Cloud evidence: getting data from AWS, Azure and Google Cloud
- Microsoft 365 and Google Workspace: an investigator's guide to SaaS audit logs
- Cloudflare law enforcement data request: police & government guide
For the full directory of platform law-enforcement request portals, see our LERS portal hub.