Last week, witnesses before the Senate Judiciary Committee faced much more amicable questions than then-Judge Gorsuch. In a rare moment of bipartisan consensus, Senators on both sides of the aisle agreed to pass legislation by year end. The subject: law enforcement’s ability to collect email evidence under the Electronic Communications Privacy Act (“ECPA”). While electronic communications have changed rapidly, the law protecting consumers’ private data has stood still. ECPA was written when Facebook founder Mark Zuckerberg was two years old. Back then, emails were an up-and-coming technology with no international implications, and storing an email was a costly affair. As the hearing last week underscored, it is time for Congress to take ECPA out of storage and fix it.
In July 2016, the Second Circuit issued the landmark Microsoft decision that limits ECPA’s reach to emails stored within U.S. territory, and requires law enforcement to utilize Mutual Legal Assistance Treaties (“MLATs”) to access communications stored abroad. 829 F.3d 197. The Second Circuit relied on a long line of cases in which the Supreme Court has firmly held that Congress—not courts—must decide when to intrude on other nations’ sovereignty. Most recently in RJR Nabisco, Inc. v. The European Community the Court held that RICO claims occurring abroad should be decided in a country’s “own courts and under its own laws” unless Congress clearly says otherwise. 136 S. Ct. 2090, 2108 (2016). This followed similar holdings limiting the foreign reach of antitrust, securities, and Alien Tort statutes.
In Microsoft, federal prosecutors pushed back on that precedent, arguing that no law prevented government access to foreign-held emails as long as there was personal jurisdiction over the service provider. The Second Circuit disagreed; the government’s argument “stands the presumption against extraterritoriality on its head.” The court thus declined to rewrite the statute to achieve the government’s preferred policy result. But even while correctly limiting ECPA’s foreign reach, one judge noted that “we can expect that a statute designed afresh to address today’s data realities would take an approach different from [ECPA’s].”
But other courts have recently disagreed with the Second Circuit that Congress should be the branch to update ECPA. Take, for example, the Google case in the Eastern District of Pennsylvania. Relying on the Microsoft decision, Google declined to produce any emails stored abroad in response to an ECPA warrant. In February, a magistrate judge rejected the Second Circuit’s analysis, and held that ECPA provided law enforcement with authority to access emails stored abroad merely by issuing a request to the service provider.
More than just email is at stake in these cases; Microsoft and Google are, at bottom, about international comity and electronic privacy. Only the Second Circuit’s Microsoft decision properly places the onus on Congress to balance those interests while updating ECPA to reflect modern realities.
The Second Circuit’s reluctance to expand the territorial reach of U.S. law also aligns with the Supreme Court’s recent concerns over electronic privacy. In Riley v. California, the Court recognized that electronic cellphone data implicate greater privacy interests than most physical objects, a reality that prompted Justice Alito to caution that “we should not mechanically apply the rule used in the predigital era to the search of a cell phone.” 134 S. Ct. 2473, 2496 (2014). Along similar lines, the Court in United States v. Jones held that the use of a GPS tracking device constitutes a Fourth Amendment search. 565 U.S. 400 (2012). Again from a concurrence penned by Justice Alito: “In circumstances involving dramatic technological change, the best solution to privacy concerns may be legislative.” That sound advice counsels strongly in favor of the Second Circuit’s approach.
Indeed, the Microsoft and Google cases highlight several of ECPA’s deficiencies. First, the law requires a warrant for emails that have been in storage less than 180 days, but merely requires a subpoena for older emails—a provision the Sixth Circuit has held violates the Fourth Amendment. See United States v. Warshak, 631 F.3d 266, 288 (6th Cir. 2010). If anything, saving an email should suggest that it is more deserving of protection. Second, ECPA provides overbroad loopholes that allow the government to search emails without notifying the email’s owner. Third, and perhaps most pressing, ECPA is silent as to data stored overseas, since overseas storage was impractical (and essentially non-existent) thirty years ago. But today such silence catalyzes international tensions and uncertainty about the law for all involved stakeholders.
These problems—and the conflicting case law described above—place companies in the middle of intranational, and sometimes international, disputes. Google now must provide law enforcement in Eastern Pennsylvania with customer emails stored overseas, but would have no such obligation next door in New York. Worse still, sometimes ECPA makes unlawful a disclosure that is required by foreign law (or, conversely, mandates a disclosure that foreign law prohibits). A Microsoft employee recently faced prison time in Brazil after being forced to choose between violating Brazilian law or ECPA. The problem will be even worse when the European Union’s General Data Protection Regulations (“GDPR”) enter into effect next May. The GDPR facially makes unlawful the disclosure of customer data held in the E.U. in response to a U.S. search warrant. Microsoft’s Chief Legal Officer testified last week that the company may face fines up to four percent of worldwide revenue if it complies with a domestic warrant like the one in Microsoft. These international disputes are untenable, and will only get worse next May.
In an exemplary demonstration of public-private partnership, the technology sector has worked closely with Congress to develop legislative fixes that increase customer privacy and facilitate law enforcement investigations. In short: Microsoft highlighted a problem, and all interested stakeholders are now trying to fix it. The two primary fixes are known as the International Communications Privacy Act (“ICPA”) (formerly the LEADS Act) and the Email Privacy Act. Both fix the much-maligned 180-day loophole, and both require that an email’s owner receive notice when those emails are accessed by law enforcement, with narrow exceptions. But only ICPA attempts to comprehensively address ECPA’s comity concerns by pairing privacy rights with an individual’s citizenship, and by creating an ECPA exception so that no company will be forced to violate foreign law. The proper way to access foreign emails, says ICPA, is through the MLAT process. If the United States expects other countries to respect its sovereignty, then it must return the favor. As Justice Alito noted pithily in RJR Nabisco, “in the law, what is sauce for the goose is normally sauce for the gander.”
Congress must now prioritize passage of an ECPA reform bill, and that bill should address the territorial concerns outlined above. The Email Privacy Act unanimously passed the House by voice vote in February, and has since been referred to the Senate Judiciary Committee. That bill could be amended to address ECPA’s territorial concerns in addition to its domestic ones. ICPA has not yet been reintroduced, but Senators Hatch and Coons—a bipartisan team—made clear during last week’s hearing that they would soon reintroduce ICPA in the Senate. They could improve ICPA by further streamlining the MLAT process and encouraging bilateral agreements like the U.S.-U.K. agreement proposed by the Department of Justice. The ball is squarely in the Senate’s court. While congressional gridlock is all too common, there is reason for uncommon optimism and bipartisan cooperation on this issue. Subcommittee on Crime and Terrorism Chairman Graham and Ranking Member Whitehouse both suggested that they would like to reach consensus on ECPA reform before the end of the year.
In short, ECPA is not getting any younger (or more workable), and the technology sector should not be thrown into the middle of international privacy disputes caused by ECPA’s outdated regulatory framework. Courts are also ill-suited for the task. Though it is emphatically the province of the judiciary to say what ECPA currently allows, it is Congress’s job to update ECPA to match technological progress. The time for Congress to bring ECPA into the twenty-first century is now. In the meantime, courts should follow the Second Circuit’s lead and allow Congress to deliberate without exacerbating international tensions and placing technology companies between the Scylla of flouting foreign law and the Charybdis of being held in contempt for refusing to comply with domestic search warrants.