Introduction and Background
California Gov. Jerry Brown signed into law the California Electronic Communications Privacy Act (CalECPA) yesterday, October 8, to extend California's due process requirements and privacy protections to electronic information.
The act requires that law enforcement obtain a warrant, wiretap order, order for electronic reader records or subpoena issued pursuant to existing state law before compelling or accessing electronic information except in emergency situations.
Legislative History
CalECPA was introduced on February 9, 2015, as California SB 178. SB 178 was passed (34 ayes; 4 noes) on September 9, after amendments by both the California Senate and Assembly. The act adds Chapter 3.6 to Title 12 of Part 2 of the California Penal Code.
Prior to CalECPA’s enactment, California privacy law did not cover electronic devices or digitally stored information. The California Constitution, similar to the federal Constitution, provides, “the right of the people to be secure in their persons, houses, papers and effects against unreasonable seizures and searches may not be violated; and a warrant may not issue except on probable cause, supported by oath or affirmation, particularly describing the place to be searched and the persons and things to be seized.” (Article I, Section 13 of the California Constitution). CalECPA codifies application of the Section 13 warrant requirement to government access to and compulsion of electronic information.
Entities Covered
The act applies to government entities, service providers and owners and authorized possessors of electronic devices.
- Government entities: California state departments or agencies, public subdivisions thereof or individuals acting on behalf of the state or a political subdivision thereof.
- Service Providers: A person or entity offering an electronic communication service meaning “a service that provides to its subscribers or users the ability to send or receive electronic communications, including any service that acts as an intermediary in the transmission of electronic communications, or stores Electronic Communication Information.”
- Authorized Possessor: Possessor of an electronic device when that person is the owner of the device or has been authorized to possess the device by the owner of the device.
Types of Data Covered
The act covers “electronic information” which includes “electronic device information” and “electronic communication information.” Examples of information covered by the act include cloud data, PINs, email contents and smartphone contents.
The act distinguishes between the requirements for electronic device information (EDI) and the requirements for electronic communication information (ECI).
EDI “means any information stored on or generated through the operation of an electronic device, including the current and prior locations of the device.”
ECI “means any information about an electronic communication or the use of an electronic communication service, including, but not limited to, the contents, sender, recipients, format, or location of the sender or recipients at any point during the communication, the time or date the communication was created, sent, or received, or any information pertaining to any individual or device participating in the communication, including, but not limited to, an IP address.”
In parallel to the content v. non-content distinction in existing privacy law, ECI does not include subscriber information such as name, street address, telephone number, email address or similar contact information provided by the subscriber to the provider to establish or maintain an account or communication channel, a subscriber or account number or identifier, the length of service and the types of services used by a user of or subscriber to a service provider.
Data Not Covered
The act does not limit the authority of a government entity to use an administrative, grand jury, trial or civil discovery subpoena to obtain:
- Electronic communications and any ECI associated with that communication from the originator, addressee or intended recipient of the electronic communication.
- ECI associated with electronic communication to or from an officer, director, employee or agent of an entity that provides electronic communication services to its officers, directors, employees or agents to carry out their duties.
- Subscriber information from a service provider.
Structure of the Act
The act is comprised of three primary sections: Section 1546.1 contains the main provisions, including the actions prohibited and permitted under the act and the warrant requirements for each type of data; section 1546.2 provides the notice requirements for the act, and section 1546.4 provides for enforcement of the act, a suppression remedy for violations of the act and protection for corporations complying with the act.
Main Provisions
Section 1546.1 describes the acts expressly prohibited and permitted under the act; details the warrant requirements for each type of data subject to the act, and provides procedures in case of emergency.
Prohibited Actions
The act prohibits a government entity from the following actions except as authorized by the act:
- Compelling a service provider to produce or provide access to ECI;
- Compelling the production of or access to EDI from any person or entity other than the authorized possessor of the device, and
- Accessing EDI by means of physical interaction or electronic communication with the device.
Permitted and Mandatory Actions
- Government entities:
  - May compel the production of or access to electronic information in only the specific circumstances outlined in the Warrant Requirements section below.
  - Must destroy electronic communication or subscriber information voluntarily disclosed by service providers within 90 days unless the entity receives consent from the sender or recipient, receives a court order authorizing retention or reasonably believes the information is related to child pornography and retains the information as part of a multiagency database used to investigate child pornography or related crimes.
- The court issuing a warrant or order may:
  - Appoint a “special master” charged with ensuring the information produced or accessed is limited to the information necessary to achieve the objective of the warrant or order.
  - Require that unrelated information obtained through the warrant is destroyed.
- Service providers: may voluntarily disclose ECI or subscriber information unless otherwise prohibited by state or federal law.
  - Note: If the service provider discloses the information to a government entity, the government entity must destroy the electronic communication or subscriber information within 90 days unless the entity receives consent from the sender or recipient, receives a court order authorizing retention or reasonably believes the information is related to child pornography and retains the information as part of a multi-agency database used to investigate child pornography or related crimes.
- Individuals:
  - Intended recipients of electronic communications may voluntarily disclose that communication and information about that communication to a government entity.
Warrant Requirements (see summary chart of requirements)
Warrants for electronic information under the act must describe with particularity the information to be seized, including time periods covered, the targeted individuals or accounts, the applications or services covered and the types of information sought. The act requires that information obtained through a warrant that is unrelated to the objective of the warrant must be sealed and may not be used, reviewed or disclosed without a court order.
The act distinguishes between the methods that can be used to compel EDI and ECI. ECI is limited to information from service providers and may be accessed or obtained through a warrant, wiretap order, order for electronic reader records or subpoena. A warrant used to obtain information from a service provider must also contain an order requiring the service provider to verify the authenticity of the electronic information through an affidavit that complies with Section 1561 of California Evidence Code. EDI may be from any person or entity other than the authorized possessor of the device (third party) or from government physical interaction or electronic communication with the device. EDI from a third party is subject to the same warrant provisions as ECI and may be accessed or obtained through a warrant, wiretap order, order for electronic reader records or subpoena. EDI from physical interaction or electronic communication with the device may be accessed or obtained through:
- Warrant;
- Wiretap Order;
- Specific consent* of authorized possessor (not necessarily the owner);
- Specific consent of the owner of the device, only if the device has been reported as lost or stolen;
- Good faith belief of an emergency involving danger or death or serious physical injury to any person;
- Good faith belief device is lost, stolen or abandoned (access is limited to attempts to identify, verify or contact the owner or authorized possessor of the device);
- Seizing a device from an inmate or correctional facility (except when believed to be in possession of authorized visitor or when prohibited by state or federal law).
* Specific consent means “consent provided directly to the government entity seeking information, including, but not limited to, when the government entity is the addressee or intended recipient or a member of the intended audience of an electronic communication. Specific consent does not require that the originator of the communication have actual knowledge that an addressee, intended recipient or member of the specific audience is a government entity.”
Emergency Provisions
The emergency provisions of the act enable law enforcement to compel or access information in the case of emergency involving danger or death or serious physical injury to a person. In the case of emergency the government entity must:
- File an application for a warrant or order authorizing obtaining the electronic information or a motion seeking approval of the emergency disclosures within three days of obtaining the electronic information. The application should set forth the facts giving rise to the emergency.
- File a sworn affidavit with the application if seeking an order delaying notification (see Notice Requirements).
Notice Requirements
Section 1546.2 of the act requires government entities that execute a warrant or obtain information under the act to provide notice to the identified target. The notice must inform the recipient that information about the recipient was compelled or requested, with reasonable specificity, the nature of the government investigation seeking the information and a copy of the warrant. Notice must be provided at the same time as the execution of the warrant. In the case of an emergency, the notice must include a written statement of the facts giving rise to the emergency and must be provided within three days of obtaining the information. The act specifies notification should be delivered by registered or first-class mail, electronic mail or other means reasonably calculated to be effective.
Delayed Notifications
If notification might produce an adverse result a court may issue an order delaying notification. An “adverse result” means danger to the life or physical safety of an individual, flight from prosecution, destruction of or tampering with evidence, intimidation of potential witnesses, serious jeopardy to an investigation or undue delay of a trial. Government entities may submit a request supported by a sworn affidavit to obtain an order delaying notification and prohibiting notification by third parties. An order delaying notification is valid only for the time period in which the court finds the notification may have an adverse result. Delay must not exceed 90 days unless the court grants an extension of the delay, also up to 90 days. Delayed notifications should include, in addition to the information included in regular notification, a copy of all electronic information obtained or a summary of that information and a statement of the grounds for delaying notification. Delayed notifications should be delivered by registered or first-class mail, electronic mail or other means reasonably calculated to be effective as specified by the court issuing the order authorizing delayed notification.
Notifications for Unidentified Targets
Government entities submit notification to the Department of Justice within three days of executing the warrant when there is no identified target, unless an order delaying notification is granted, in which case the government entity should submit all of the required information for delayed notifications upon expiration of the delay. The Department of Justice will publish notifications for unidentified targets on its website within 90 days of receipt and may redact names or other PII from the notifications.
Exceptions
Service providers and third parties may disclose information about any request or demand for electronic information unless otherwise prohibited by a court order delaying notification.
Enforcement and Suppression Remedy
Section 1546.4 provides: a suppression remedy for violations of the act; a civil action to enforce the act’s provisions; procedures for modifying a warrant, and protection for corporations complying with the act.
- Suppression Remedy: allows any person in a trial, hearing, or proceeding to suppress any electronic information obtained in violation of the Fourth Amendment to the U.S. Constitution or the act.
- Enforcement: allows the attorney general to commence a civil action to compel any government entity to comply with the act.
- Modification: allows individuals targeted by a warrant or other process under the act to petition the issuing court to void or modify the warrant or process and destroy obtained information if the warrant or process violates the act, the California Constitution, or the U.S. Constitution.
- Compliance Protection: Protects California or foreign corporations, their officers, employees and agents from any cause of action for providing records, information, facilities or assistance in compliance with a warrant, court order, statutory authorization, emergency certification or wiretap order issued under the act.
Summary of requirements to compel or obtain information under CalECPA

| TYPE OF DATA | REQUIREMENTS FOR ACCESS |
| --- | --- |
| ECI | · Warrant with accompanying order requiring the service provider authenticate provided electronic information; · Wiretap Order; · Order for electronic reader records; · Subpoena. |
| EDI | · Warrant; · Wiretap Order; · Order for electronic reader records; · Subpoena. |
| EDI through physical interaction or electronic communication with the device | · Warrant; · Wiretap Order; · Specific consent of authorized possessor; · Specific consent of the owner of the device, only if the device has been reported as lost or stolen; · Good faith belief of an emergency involving danger or death or serious physical injury to any person; · Good faith belief device is lost, stolen or abandoned (access is limited to attempts to identify, verify or contact the owner or authorized possessor of the device); · Device seized from an inmate or correctional facility (except when believed to be in possession of authorized visitor or when prohibited by state or federal law). |