Congress is again teeing up a bill to reform a thirty-year-old law giving law enforcement warrantless access to Americans’ stored emails, but advancing the case for reform could be problematic without another pending bill to give investigators other means of accessing such data.
The Electronic Communications Privacy Modernization Act, introduced by a bipartisan pair of senators Tuesday, would require law enforcement to obtain a warrant before accessing cloud-stored electronic communications and geolocation information. Republican Sen. Mike Lee of Utah and Democratic Sen. Patrick Leahy of Vermont rewrote the bill, first introduced last term, to update the 1986 Electronic Communications Privacy Act (ECPA).
ECPA currently gives law enforcement access to American emails 180 days old. The law is at the center of an ongoing legal battle between Microsoft and the Justice Department that began in 2014, when the government ordered the Redmond-based tech giant to turn over emails belonging to an Irish national stored on a server in Ireland.
Microsoft argued DOJ has no authority to compel the Windows maker to turn over data stored on another country’s sovereign soil, and that DOJ must request the emails from the foreign government in question. The government countered that as a company based in the U.S., Microsoft is obligated to adhere to the law, regardless of the physical location of the server itself.
The government eventually lost the case (though it has recently sought an appeal to the Supreme Court), and unintentionally ignited a legal debate that will likely result in the loss of the Reagan-era law altogether. The House of Representatives unanimously passed ECPA reform last year, and the Senate version only stalled after opposition from agencies like the FTC and SEC, along with amendments from Republicans that, in some cases, sought to expand the FBI’s warrantless subpoena power.
Now the bill is back with new provisions protecting location data, giving law enforcement quick access in emergency situations and compelling agencies to provide notice within 10 days of accessing communications or location data. It’s already received endorsements from left-leaning groups like the ACLU and center-right think tanks including TechFreedom.
“While the House bill left out geolocation protection and notice requirements in anticipation of Senate resistance, today’s bill restores both of those critical reforms,” TechFreedom President Berin Szoka said. “There’s no better or easier way for Congress and the Administration to secure a win for privacy and technology than passing this bill into law.”
But the bill doesn’t provide a clear path for law enforcement to access data stored abroad. Another bipartisan group of senators is tackling that issue in legislation dubbed the International Communications Privacy Act (ICPA), also introduced last Congress by Republican Sens. Orrin Hatch of Utah and Dean Heller of Nevada, and Democratic Sen. Chris Coons of Delaware.
ICPA would give law enforcement the means to obtain data on U.S. citizens from U.S. companies — regardless of where the data is physically stored — with the use of a warrant. It also lets U.S. law enforcement seek data belonging to foreign nationals in places where cooperation agreements exist. Additionally, the bill updates and streamlines the mutual legal assistance treaty (MLAT) process, which facilitates cooperation between countries for the exchange of data like that sought by the government in the Microsoft case.
Critics of DOJ’s position in the case say it not only opens the door to violating foreign nationals’ privacy and sovereignty, but also leaves the door open for other countries to demand similar data on their citizens stored by U.S. companies.
The European Union is less than a year away from implementing the General Data Protection Regulation, which would strengthen data privacy protections for EU citizens and make it illegal for a company to bring customer data from Europe into the U.S. in response to a U.S. search warrant. That means without ICPA, U.S. law enforcement will have even fewer means of going after data stored in Europe.
Google and Microsoft both support the bill.
“It’s time to lay a new foundation and establish a new legal framework for the cloud,” Kent Walker, senior vice president and general counsel at Google, said in June.
Walker said the current “untenable” framework leaves companies like Google with the choice of violating another country’s laws or its own, and that the U.S. should embrace the “broad set of agreement on basic principles” included in ICPA.
Microsoft President Brad Smith told Congress in May that if it doesn’t act, the status quo will “leave us all hostage to a law that was passed 31 years [ago] that hinders law enforcement, undermines privacy rights, and frankly puts tension between countries.” Smith added he and his company have been “broadly supportive” of ICPA’s requirement of U.S. search warrants for digital data.