The second coming of the Email Privacy Act has technology companies cheering, but the bill’s future is far from certain.
This month, the House passed new legislation to update the decades-old Electronics Communications Privacy Act of 1986 by requiring law enforcement agencies to obtain a warrant before seizing emails and other digital communications older than 180 days.
Last April, the first iteration of the bill passed the House in a rare unanimous vote, only to be killed in the Senate after some Republicans offered amendments that would strip the legislation of its privacy protections.
The chairman of the Senate Judiciary Committee, the same committee from which the first version of the Email Privacy Act was withdrawn from consideration, said senators will “certainly take a look at the bill again at some point, but it’s a tough road in the Senate.”
“Everyone agrees ECPA needs to be updated,” said Sen. Chuck Grassley, R-Iowa. “But there was broad, bipartisan interest on our committee to modernize the law to also address law enforcement and national security equities in ways the House bill omits.”
For years, tech giants such as Microsoft, Google, Apple and Amazon, along with privacy advocates, have pressured Congress to bring the ECPA into the modern era. As it stands now, the Justice Department needs only a subpoena, which lacks a warrant’s probable cause requirement, in order to access emails.
According to Google, updating electronic privacy laws would “fix a constitutional flaw” in the ECPA allowing authorities a loophole to skirt the Fourth Amendment.
“We urge the Senate to advance this common-sense measure, which will begin the process of updating ECPA for the Internet age,” wrote Richard Salgado, director of law enforcement and security at Google, in a statement.
The American Civil Liberties Union also criticized the ECPA for not going far enough anymore to protect the Fourth Amendment because of modern technology.
“This bill contains critical provisions necessary to ensure that Americans’ adoption of modern technologies — like email and cloud storage — does not mean that they must sacrifice Fourth Amendment privacy protections,” the ACLU wrote in a letter to House lawmakers.
A coalition of more than 60 technology companies, trade groups and civil society organizations signed a letter supporting the Email Privacy Act to pass the 115th Congress. They said the bill doesn’t contain everything on their wish list, noting that it lacks a section featured in the prior bill “requiring notice from the government to the customer when a warrant is served, which are necessary to protect users.”
However, the coalition said it is “particularly pleased that the bill does not carve out civil agencies from the warrant requirement, which would have expanded government surveillance power and undermined the very purpose of the bill.”
Some privacy advocates have also stressed a more urgent need for updating the ECPA under President Trump, who nominated pro-surveillance hawk Mike Pompeo to be head of the Central Intelligence Agency.
One of Trump’s Cabinet members, Attorney General Jeff Sessions, last year offered a poison pill amendment to the Email Privacy Act that required technology companies to hand over electronic communications without a warrant in “an emergency involving the danger of death or serious physical injury.”
“Given Trump’s nominees … the stakes for privacy have never been higher,” said Robyn Greene, policy counsel at the New America Foundation’s Open Technology Institute, according to Wired.
There are other instances, too, in which tech companies have found themselves at the mercy of outdated laws that struggle to comply with the Internet age, and have led to calls for Congress to take action.
Microsoft and Google have fought warrants compelling them to hand over emails stored abroad for criminal investigations under the Stored Communications Act from 1986, which they have fought in the courts.
In the Microsoft case, Judge Susan Carney wrote in the court’s decision, which sided with Microsoft: “[T]he SCA has been left behind by technology. It is overdue for a congressional revision that would continue to protect privacy but would more effectively balance concerns of international comity with law enforcement needs and service provider obligations in the global context in which this case arose.”
