TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Tracker | The Email Privacy Act: What happened and where we are now Related reading: ANPD accepting feedback on guidelines for data security incident reporting

rss_feed
GDPR-Ready_300x250-Ad

This month, Rep. Kevin Yoder, R-Kan., reintroduced the Email Privacy Act, the intent of which is to amend the Electronic Communications Protection Act by requiring law enforcement to obtain a warrant before accessing an individual’s emails through their email provider. The reintroduced version of the act is not available yet, but will likely mirror the 2016 House version of the bill, HR 699. HR 699 was similar to past House resolutions and Senate bills seeking to amend ECPA to close a loophole that allowed law enforcement to obtain emails older than 180 days from email providers without a warrant. The act amends Sections 2702, 2703, and 2705 of title 18, United States Code and codifies the 6th Circuit ruling requiring warrants to access cloud-stored emails in U.S. v. Warshak (2010).

In 2016, HR 699, was unanimously approved by the House Judiciary Committee (28-0) and then, also unanimously, by the House of Representatives (419-0). The fate of the reintroduced bill is murky, however, because amendments floated by the Senate on its past version of the bill stalled the bill for the remainder of the 114th Congress.

Approved house version of the Email Privacy Act (114th Congress)

The House version of the act made several key changes to ECPA. Notable changes included requiring a warrant for law enforcement access to emails older than 180 days; removing the distinction between communications held by an electronic communication service and those held by a remote computing service; and updated notice requirements and exceptions.

Elimination of the 180-day rule

Currently under section 2703 of ECPA, emails stored longer than 180 days do not require a warrant for law enforcement access. This “180-day rule” was created when data storage was expensive and limited, meaning users would regularly clean out their email accounts. Most emails were not stored beyond 180 days at that time and emails stored beyond that date were considered “abandoned” under ECPA. As data storage has grown increasingly cheaper, more and more users are storing emails in perpetuity. When all of a user’s emails can be stored indefinitely, emails that are stored beyond 180 days may not necessarily be “abandoned.”

The Email Privacy Act removes the 180-day rule and requires a warrant for all emails regardless of how long they are stored.

Elimination of the distinction between an ECS and RCS

Section 2703 of ECPA contains distinct provisions for ECS and RCS. While the House version of the bill still references ECS and RCS, the bill amended section 2703 to mirror their respective provisions, functionally removing that distinction.

Notice requirement changes and extensions

Under the bill ECS and RCS providers were permitted to notify subscribers or customers when they received a warrant, court order or subpoena unless a governmental entity was granted a request to delay notification. Such requests are granted under the current version of ECPA when notification will likely result in endangering the life or physical safety of an individual, flight from prosecution, destruction of or tampering with evidence, intimidation of potential witnesses or otherwise seriously jeopardizing an investigation or unduly delaying a trial. The House bill contained the same provisions for when requests were granted, however, also contained an extension of the default duration of a delayed notice from 90 to 180 days. Additionally a new provision allowed extensions of delayed notice beyond the default for periods of up to an additional 180 days each when granted by a court. Such extensions could be granted by a court for the same reasons as an initial delayed notice.

Earlier drafts of the act required law enforcement to serve the warrant on not just the email provider, but also to notify the subject of the investigation after obtaining emails from a provider within 10 days and for any other governmental entity to notify the subject within three days.

Senate amendments that stalled the Email Privacy Act

The act stalled in the Senate process after the Senate put forward several amendments that privacy advocates found concerning. The Hill reported at the time that if the Senate amendments had passed, they could have sunk the bill entirely; however, it also noted, those nine amendments were unlikely to receive enough support. Sen. Mike Lee, R-Utah, who introduced the bill with Sen. Patrick Leahy, D-Vt., pulled the bill from the Senate Judiciary Committee’s markup agenda after the amendments because of concerns the bill was being used as a “vehicle to move an unrelated and controversial expansion of the use of national security letters by the FBI.”

While the House version of the act aimed to bring ECPA up-to-date with the digital age, the Senate amendments provided law enforcement with greater power than under existing law. The primary amendments concerning to privacy advocates were the addition of an emergency disclosure requirement and a provision allowing law enforcement to use National Security Letters to compel disclosures.

These amendments were aimed to increase law enforcement surveillance powers and lower the barriers to access protected information – essentially the antithesis of the original bill. With modern technology, ease of data collection, ease of disclosure and ease of publicity have increased exponentially. Technological advancement continually outpaces the evolvement of the legal system.

New laws have been promulgated and existing laws have been adapted or amended to prevent the degradation of privacy protections. The House version of the Email Privacy Act is one such law designed to provide privacy rights guaranteed by the 4th Amendment of the U.S. Constitution for our “persons, houses, papers and effects” to be secure “against unreasonable searches or seizures.”

Former Federal Trade Commissioner Julie Brill provides the analogy that “our emails, social media messages, and other communications are as private as our letters, financial statements and diaries.” The House version of the bill had the goal of ensuring these protections are properly applied to our emails, but the Senate amendments ignored the spirit of the bill and attempted to use the bill to undermine these protections.

So now we wait. Wait to see what version is considered by the House, wait to see if the Senate will re-propose the same amendments, and wait for our 4th Amendment rights.

photo credit: Washington DC Capitol - Purple Hour HDR via photopin (license)

Comments

If you want to comment on this post, you need to login.