2020 Report
Compelled Disclosure
In 2020, Shopify received a total of 543 requests. We objected to 326 (60% of these requests). We could notify data subjects in 40% of the cases where we produced.
This report includes data from January 1, 2020 to December 31, 2020.
Our Guiding Principles
Shopify is committed to protecting the privacy of our merchants, customers, partners, and everyone who entrusts us with their personal information. We believe that merchants own their personal information and the personal information of their customers. We are publishing this Transparency Report to:
Make commerce better for everyone by building consumer confidence through transparency, as recommended by the Office of the Privacy Commissioner of Canada.
Support an informed public debate on privacy rights by joining other members of our industry in reporting on government and other legal requests for access to data.
Comply with the spirit of and the principles underlying PIPEDA (the Canadian federal private sector privacy law), the GDPR (the European Union’s data protection regulation), and the CCPA (the California Consumer Privacy Act).
Our Process
To protect the privacy of our merchants, customers, and partners, we follow the below process upon receipt of a request to produce information about a merchant, a merchant’s customer, or a partner:
We will refuse to disclose personal information without a subpoena or court order issued by a body that has jurisdiction over Shopify.
Legal requests must be addressed to the correct Shopify entity (such as Shopify Inc. or Shopify International Limited).
We will always notify affected individuals before we disclose information, unless prohibited by law, and minimize the amount of personal information that we disclose.
We review the following factors to ensure that each order is legally and procedurally valid, broken down by heading below:
Jurisdiction and authority of requester
Type of legal request
Shopify entity and type of information requested
In 2020, we received legal requests for information from twenty countries.
As outlined in our Guidelines on Legal Requests for Information, we will only respond to enforceable subpoenas or court orders issued by: (a) bodies that have jurisdiction over the specific Shopify entity from which information is being requested; and (b) the authority to compel the production of information.
If the requesting body does not have jurisdiction over the relevant Shopify entity, we require that they follow the Mutual Legal Assistance Treaty or Hague Evidence Convention (“Letters Rogatory”) processes.
2020 received requests by country Information Requests by Country Requests Received Australia 5 Austria 1 Belgium 1 Brazil 2 Canada 17 Denmark 2 England 3 France 228 Germany 45 Hong Kong SAR 3 India 3 Ireland 1 Italy 9 Mexico 1 Singapore 6 South Korea 1 Spain 46 Switzerland 4 UK 8 USA 158 In 2020, we received different types of legal requests for information, including Grand Jury Subpoenas, Summons, Preservation Orders, Information Subpoenas, and Certifications of Trustee in Bankruptcy. We did not receive any national security letters, FISA orders, or other classified requests in 2020.
2020 received requests types Type of Data Request Number received Civil Investigative Demand 5 Consent Order 1 Demand to Furnish Information 1 Grand Jury Subpoena 53 Informal Request 2 Information Subpoena 4 Judicial Request 5 Law Enforcement 303 Preservation Order 32 Request For Information 1 Search Warrant 6 Summons 6 Temporary Restraining Order (TRO) 2 Other 1