Any lab, any matching service served with a subpoena will be legally required to comply.
The issue with GEDmatch is that, by all accounts, they explicitly chose not to fight that request, not even to legally delay.
GEDmatch was required "to provide the requested data to Detective Michael Fields within 20 business days" according to the warrant. Hence, Curtis Rogers had 26 to 28 days to respond. And he has not contested the accuracy of the New York Times' reporting. So on the balance of probabilities, and given widely acknowledged proclivities (e.g. "the GEDmatch operators are very much in favor of police use of their database and have actively encouraged their users to allow it"), I'm about 99% certain that they did not present one iota of resistance, but rather saw this as an opportunity to cooperate further with law enforcement and as an excuse to ignore the issue of user consent.
There was, having read the warrant, room to challenge the assertions of law enforcement, as the warrant does contain false information. Yet Curtis Rogers chose to comply without resistance or any action to protect GEDmatch users. So we now come to this statement:
You stated elsewhere that
GedMatch is no worse than other companies when faced with a subpoena.
You're very wrong here, Laura.
I think that people are assuming other labs do not comply but I think you should read their terms and conditions before jumping to that conclusion.
Yes, they comply with the law insofar as they are obliged to comply. However, because police sometimes rely on false or misleading statements as in the situation with the GEDmatch warrant, those warrants can be successfully fought. The police are not always honest. And warrants are filed by one side without adequate advocacy for privacy. Hence they can often be challenged. Other companies have chosen to resist police data requests in the courts and been successful in doing so.
From 23andMe's November 2019 response to the GEDmatch warrant news:
[...] Perhaps just as disturbing is GEDmatch’s apparent lack of scrutiny and challenge of the validity of the warrant issued. According to reporting by the New York Times, the company opened up its database to law enforcement within 24 hours of the judge’s decision. Given this timing, it does not appear that GEDmatch exhausted all legal avenues to challenge the warrant. In contrast, if we had received a warrant, we would use every legal remedy possible.[...]
In our 13 year history, 23andMe has never turned over any customer data to law enforcement or any other government agency. Protecting the security and privacy of our customers’ information is at the core of what we do as a business. Unfortunately, not all businesses adhere to these same principles. That is in part why we warn our customers about uploading their genetic data to third-party, public websites like GEDmatch.
https://blog.23andme.com/news/our-stance-on-protecting-customers-data/
And earlier in a 2016 post:
Since our founding a decade ago, 23andMe has only received requests from law enforcement for information regarding five of our more than 1.2 million customers.
In each of these cases, 23andMe successfully resisted the request and protected our customers’ data from release to law enforcement.
https://blog.23andme.com/23andme-and-you/23andprivacy-your-data-law-enforcement/
What about Ancestry DNA?
[...] Following the issuance of the search warrant, GEDmatch opened its database of nearly one million users — beyond those who had consented to such access — within 24 hours. Ancestry believes that GEDmatch could have done more to protect the privacy of its users, by pushing back on the warrant or even challenging it in court. Their failure to do so is highly irresponsible, and deeply concerning to all of us here at Ancestry. GEDmatch’s actions stand in stark contrast to our values and commitment to our customers.
We want to be clear – protecting our customers’ privacy and being good stewards of their data is our highest priority. Not only will we not share customer information with law enforcement unless compelled to by valid legal process, such as a court order or search warrant, we will also always advocate for our customers’ privacy and seek to narrow the scope of any compelled disclosure, or even eliminate it entirely. You can find more information on our privacy philosophy here.
https://blogs.ancestry.com/ancestry/2019/11/08/your-privacy-is-our-top-priority/
So we have demonstrated that 23andMe and Ancestry have both taken active measures in order to only comply in the most limited scope possible, or to have the scope reduced to zero. GEDmatch does the opposite. They did not fight the warrant; they immediately caved; they gave the police full access. Therefore, GEDmatch is objectively worse at respecting and guarding customer privacy and yes, "worse when faced with a subpoena" to borrow your words.
GEDmatch also had the option to sell their company to others, outside of the United States, thereby providing it with the safeguard of being in a jurisdiction with greater legal protections for individual data privacy. There wasn't anything preventing this from happening. But they very intentionally chose an American, FBI-approved, FBI-collaborating DNA forensics company as their choice of partner.