That's actually as it should be
If I were the head of a company with custody of other people's data, I would only allow those data to be divulged to the authorities upon receipt of a valid search warrant or other applicable court order (reserving the right to appeal if my lawyers have serious doubts as to said order's legality), or with the written permission of the owner of those data. No exceptions. My position would be the same with regard to confidential data on customers or employees. In those cases, the company is the steward of the data, not their owner and should act accordingly.