A Reagan-era law that allows the government to read email and cloud-stored data more than six months old without a search warrant is under attack from technology companies, trade associations and lobbying groups, which are pressing Congress to tighten privacy protections. Federal investigators have used the law to view content hosted by third-party providers for civil and criminal lawsuits, in some cases without giving notice to the individual being investigated.
Nearly 30 years after Congress passed the law, the Electronic Communications Privacy Act [ECPA], cloud computing companies are scrambling to reassure their customers, and some clients are taking their business to other countries.
The Times reports that there are bipartisan efforts to modernize the law, but because the law is not "sexy," these bills have stalled. Regarding the content of the Senate bill:
The bill would require a search warrant for access to electronic communications, with exceptions for some emergency situations. It would also require the government to notify individuals within 10 days that their information was being investigated. However, it does not address rules for location data, like GPS information from an individual’s cellphone.
Given recent revelations about the scope of government surveillance and the economic impact of countries moving their electronic activities to other countries, the stalled attempts to change this bill may end up gaining more momentum.
The article quotes Orin Kerr, who describes how the ECPA could be changed in a recent article in the Pennsylvania Law Review. Here is the abstract:
In 1986, Congress enacted the Electronic Communications Privacy Act (ECPA) to regulate government access to Internet communications and records. ECPA is widely regarded as outdated, and ECPA reform is now on the Congressional agenda. At the same time, existing reform proposals retain the structure of the 1986 Act and merely tinker with a few small aspects of the statute. This Article offers a thought experiment about what might happen if Congress were to repeal ECPA and enact a new privacy statute to replace it.
The new statute would look quite different from ECPA because overlooked changes in Internet technology have dramatically altered the assumptions on which the 1986 Act was based. ECPA was designed for a network world with high storage costs and only local network access. Its design reflects the privacy threats of such a network, including high privacy protection for real-time wiretapping, little protection for noncontent records, and no attention to particularity or jurisdiction. Today’s Internet reverses all of these assumptions. Storage costs have plummeted, leading to a reality of almost total storage. Even U.S.-based services now serve a predominantly foreign customer base. A new statute would need to account for these changes.
This Article contends that a next generation privacy act should contain four features. First, it should impose the same requirement on access to all contents. Second, it should impose particularity requirements on the scope of disclosed metadata. Third, it should impose minimization rules on all accessed content. And fourth, it should impose a two-part territoriality regime with a mandatory rule structure for U.S.-based users and a permissive regime for users located abroad.
Agencies like the SEC protest the proposed changes to the ECPA, arguing that they do not have the power to seek warrants for the disclosure of electronic communications. It will be interesting to see whether these bills attract enough attention to move forward, and whether the parties negotiating the bills can reach a meaningful compromise on how to modernize the law.