U.S. tech companies are hopeful that a bipartisan group of lawmakers will finally be able to enact an update to the federal email privacy statute governing how they respond to law enforcement requests for customer data, panelists and lawmakers said at a May 24 Senate Judiciary Subcommittee on Crime and Terrorism hearing.
The push for a modernized Electronic Communications Privacy Act (ECPA) would eliminate legal uncertainty facing U.S. technology companies, especially cloud computing services and email providers that store customer information in data centers outside the country, such asAlphabet Inc.’s Google and Microsoft Corp.
ECPA bans unauthorized interception of electronic communications. The Stored Communications Act, which is part of ECPA, prohibits unauthorized access of electronic communications in a storage facility. An update to the outmoded laws would give companies increased clarity as they try to expand in the growing cloud services marketplace, privacy attorneys told Bloomberg BNA.LEARN MORE
Bloomberg Law®, an integrated legal research and business intelligence solution, combines trusted news and analysis with cutting-edge technology to provide legal professionals tools to be proactive advisors.
Subcommittee Chairman Sen. Lindsey Graham (R-S.C.) said at the hearing that “from a congressional point of view, we can fix” law enforcement access to data abroad issues “or we can help criminals.”
Cameron F. Kerry, privacy and data security senior counsel at Sidley Austin LLP in Boston, told Bloomberg BNA that the U.S. needs to “take the lead” in setting email privacy standards, and Congress should address the issue. The U.S. is “home to the world’s leading internet, technology and cloud companies,” so those companies tend to be “hit the hardest,” he said.
ECPA “needs to be updated to reflect today’s digital world,” Kerry, who served as acting secretary at the Department of Commerce, said. The government and private sector, he said, need to find a “more balance approach that takes into account factors like where the data is located and where the data subject is.”
Morgan Reed, president at ACT | The App Association in Washington, told Bloomberg BNA that changes to ECPA will help clarify how companies should “handle the various legal requirements.” Leading U.S. cloud computing providers may see the biggest hit to their revenues and growth opportunities without necessary clarifications, he said.
ECPA reform bills seek to erase distinctions between how email services and remote computing providers are treated in regard to email privacy. Bills now pending in Congress would generally require the government to obtain a warrant to compel disclosure of customer content regardless of the age of the communications.
Updating Access Rules
U.S.-based cloud companies support changes to ECPA because, as the law stands now, there are different requirements to obtain electronic communications depending on the service provider and how long the data are stored.
One proposal to update the law would require email privacy updates, and a warrant for law enforcement access to stored communications by eliminating language in ECPA treating emails more than 180 days old as abandoned and, thus, obtainable with a subpoena or court order.
In a case involving Microsoft emails stored on servers in Ireland, the U.S. Court of Appeals for the Second Circuit ruled that the SCA doesn’t contemplate extraterritorial application and that the term of art, “warrant,” used in the SCA was intended to protect privacy rights.
Brad Smith, Microsoft’s president and chief legal officer, said under questioning from Graham that the privacy issues of most concern involve data belonging to a foreigner located abroad. In prepared testimony, Smith said that law enforcement access to stored data laws “are outdated in many respects” around the world.
Steven Wasserman, treasurer of the National Association of Assistant U.S. Attorney, told Bloomberg BNA that although there should be a “warrant requirement for accessing emails,” email privacy bills so far don’t take into account warrant exceptions in emergency situations. Law enforcement requests for data “should be treated as any other search warrant under the Fourth Amendment,” he said.
There are “obstacles to obtaining” data stored abroad, Brad Wiegmann, deputy assistant attorney general, testified. Criminals will be able to evade detection without changes, he said. Wiegmann declined to tell Bloomberg BNA whether he supports a specific ECPA update bill. The DOJ didn’t immediately respond to Bloomberg BNA’s email requesting comment.
Email Privacy Changes
Updating the decades-old ECPA has been before Congress for many years. Various bills have cleared the House but hit roadblocks in the Senate.
In this Congress, the Email Privacy Act ( H.R. 387) introduced by Rep. Kevin Yoder (R-Kan.) passed the House Feb. 6. It has the backing of some of the largest cloud computing companies in the U.S., including Microsoft, Amazon.com Inc. and Google, according to Bloomberg Government data. House Judiciary Committee Chairman Bob Goodlatte (R-Va.) said he has prodded the Senate to take up the measure.
Sen. Orrin Hatch (R-Utah) took to the Senate floor May 23 to discuss the bipartisan International Communication Privacy Act, which aims to “set clear rules for when and how U.S. law enforcement can access electronic data based on the location and national of the person whose data is being sought,” Hatch said on the Senate floor.
Hatch’s bill, which he plans to reintroduce after it died in committee in the last Congress, would establish a legal framework for law enforcement bodies to use warrants to obtain emails sent to or from any U.S. citizen, even if that person—or the server being used to send and store emails—is overseas.
However, changes to ECPA are already hitting resistance in the Senate. For example, Sen. John Cornyn (R-Texas), a subcommittee member, has pushed for an expansion of the FBI’s use of national security letters to require access.
With assistance from George R. Lynch in Washington
To contact the reporter on this story: Daniel R. Stoller in Washington [email protected]
To contact the editor responsible for this story: Donald Aplin [email protected]
For More Information
Further information on the hearing is available at http://src.bna.com/pbp.
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
Cloud Companies Hit Hard by Languishing Email Privacy Update