It’s Time To Bring Email Privacy Into The 21st Century
President Trump has made clear that he wants Congress to quickly move to advance his agenda. In addition to the big ticket items like Obamacare repeal and tax reform, Congress should also waste no time in sending the Email Privacy Act (H.R. 387) to the president’s desk for his signature.
Reps. Kevin Yoder and Jared Polis recently reintroduced the Email Privacy Act in order to finally bring the 1986 Electronic Communications Privacy Act (ECPA) into the 21st Century. Without reform, the inadequate protections offered by ECPA leave Americans’ privacy rights vulnerable to bureaucratic overreach.
ECPA’s biggest flaw is that it protects emails from warrantless searches only so long as they are less than 180 days old. Any emails held by a third-party beyond 180 days are treated as abandoned and require only a simple subpoena for law enforcement to obtain access. This threshold might have made sense with the technology and behaviors of 1986, but it is laughably outdated in the age of cloud computing.
Last year, the House passed the Email Privacy Act with an overwhelming 419-0 vote only to see it languish in the Senate. They should try again to close this egregious loophole.
Exemplifying the need for adding clarification and certainty to the nexus between law enforcement and digital privacy is a lengthy legal battle between Microsoft and the Department of Justice.
In 2014 Microsoft was held in contempt of court for refusing to hand over the data of an Irish citizen that was being stored on a server in Dublin. The government argued that a U.S. warrant was sufficient because the Irish company is a subsidiary of the U.S.-based Microsoft.
In a landmark ruling in July 2016, the Second Circuit ruled in Microsoft’s favor and slapped down the government’s attempted overreach. Obama’s Justice Department then filed for the full court to rehear the case, only to see its appeal rejected earlier this week.
If the court had accepted the government’s assertion of global jurisdiction, it would have placed both U.S.-based multinationals and the privacy of American citizens in jeopardy. The former would have faced the impossible task of complying with aggressive U.S. law enforcement demands while also respecting the privacy laws of foreign jurisdictions, while the latter could have been caught in the crossfire as other nations followed suit with their own aggressive demands.
The Justice Department would no doubt like to continue the case all the way to the Supreme Court. Further litigation is not the answer, however.
A better approach would be for the Justice Department to work with Congress on passing clarifying legislation that balances legitimate law enforcement needs with respect for privacy and jurisdictional limits.
The International Communications Privacy Act (ICPA), introduced last Congress by Sens. Orrin Hatch Chris Coons, and Dean Heller, would allow for law enforcement to obtain data on U.S. citizens from service providers regardless of where the data is held, with a proper warrant of course. They could also pursue data of foreign nationals where appropriate cooperation agreements are in place. In addition, ICPA would reform the mutual legal assistance treaty process to make international cooperation less cumbersome, giving law enforcement no excuse for further seeking to circumvent legal protections.
Refocusing the Justice Department away from aggressive litigation that will do nothing to solve the underlying problems with the ancient Electronic Communications Privacy Act should be the first task of Sen. Jeff Sessions if and when he is confirmed by the Senate as the new attorney general. Reversing the Obama administration’s attempted invasions of privacy and the damage it is doing to American businesses would be a productive way to promote Trump’s “America First” agenda.
A Justice Department that is willing to be reasonable and not demand unlimited power for law enforcement could be the final push needed for either of the already popular and bipartisan Email Privacy Act or International Privacy Communications Act to become law.