Why are we allowing emergency data requests in ANY case? If something is truly life or death, surely a judge won't mind being woken up at 3am if there's a kidnapping or imminent threat.
If your security model is "the underfunded police department in rural Brazil must secure their emails", you are absolutely screwing your users and don't give a damn about their privacy.
Valid court order or no data. This is the only way.
Companies indeed should be standing up more for their user's rights. At the same time, the situation isn't really companies itching to hand over data to law enforcement. Law enforcement demanding access to data without warrants or any meaningful accountability measures is the core of the problem. They're very complicit in this whole deal, and in no ways a victim.
There's actually zero legal reason any of those companies need to comply with emergency data requests.
Refuse them and ask for a court order. If a cop comes to your house and asks to take a look around without a warrant you are under no obligation to comply. These weak and spineless corporations and people like Alex Stamos who vehemently support emergency data leaks (he blames rural police for not having good security, while he presides over a security disaster) are to blame 100%.
Seems obvious to me that a ‘no court order no data’ is the only sane rule here.