I get that everyone’s imagining the most apocalyptic scenario right now: that Telegram shared all the messages of all members with timestamps, device IDs, phone numbers, geolocation etc

However, the case to be made that Telegram could simply invite the IT auditor in contact with authorities to their office and show her that in fact the company stores very little information; the information which does not change the legal case they’re involved in. Therefore, in this case they might have provided the information about presence or absence of the user data without actually sending said data. That way formally they have complied with the ruling but the user data have never left the office.

The same way you can send the headers of a data pipeline without actually sending any data.

The fact the company complied with the ruling to disclose the absence of information doesn’t necessarily mean they shared the users data.

Of course, this scenario is just my speculation and the company will have to present transparent and verifiable explanation. Yes, the situation looks bad but at the moment of writing, there’s still some wiggle room left.