The Email Privacy Act, a persistent attempt to update the antiquated U.S. electronic privacy law, has returned to Capitol Hill for the third time since 2013. The bill aims to amend the Electronic Communications Privacy Act (ECPA) of 1986, which created a legislative framework that impacts internet communications to this day.
Amongst the provisions of the 1986 law is one which allows government agencies to obtain the electronic communications of U.S. citizens without a warrant, so long as the sought-after communications are at least 180 days old. The Email Privacy Act would change the rules and require those agencies to obtain a warrant, a process which requires more judicial oversight.
Under the ECPA, "emails older than 180 days are considered abandoned and not subject to a reasonable expectation of privacy," said James Koons, chief privacy officer at email marketing company dotdigital. "These days, storage is cheap and users can save email almost indefinitely, certainly well beyond 180 days. The (Email Privacy Act) would remove that 180-day rule and require a warrant regardless of how long the email has been stored."
After languishing in two previous Congresses – the bill died without leaving committee in 2013 and then again in 2016 at the hands of the Senate – the Email Privacy Act sailed unanimously through the House of Representatives. Now it stands at the steps of the Senate once more. So, what are the implications of the ECPA and the proposed amendments for businesses, their employees and their customers?
The Email Privacy Act would codify a judicial decision in the 2010 case U.S. v. Warshak, in which the U.S. Court of Appeals for the Sixth Circuit ruled that warrantless seizure of electronic communications violated the Fourth Amendment, said David Robinson, CEO and founder of the Enterprise Counsel Group. If adopted, the measure would increase future judicial scrutiny of law enforcement requests.
"(The Email Privacy Act) would … (help) businesses big and small by giving them some margin of additional protection," Robinson told Business News Daily. "Now, a judge has to make a reasoned determination that there is probable cause – which is a much higher standard than used to exist – before government agencies can obtain that sort of information."
Internet service providers (ISPs) have been urging the government to adopt the Email Privacy Act since it was first introduced; many even co-signed a letter to Capitol Hill in May 2016 urging legislators to support the bill. For ISPs, Robinson said, the Email Privacy Act clarifies both their obligations to the government and when a company is able to notify a customer that their data has been sought.
However, there is a big exception in the Email Privacy Act that potentially undoes much of the protection it purports to extend to businesses and individuals, Robinson said.
"The exception virtually swallows the rule," he said. "The law has a carve-out so that government agencies can still obtain without a warrant – with an administrative subpoena – internal emails among 'officers, directors, employees or agents' (of an organization).
"The warrant protections of this law do not apply to those internal operations. I think (the bill) is a step in the right direction – it's better than what we had before – but frankly, I think this is more helpful for ISPs than it is for businesses," Robinson added.
Whether the Senate decides to approve the bill or not remains to be seen, but whatever the outcome, its decision will have sweeping ramifications for individuals and businesses alike. Koons recommended businesses revisit their terms and conditions to ensure that liability is explicitly spelled out and to guarantee regulatory compliance, regardless of what happens in Congress.
"(J)ust go over your terms and conditions at this point," Koons said. "Review the terms of service and determine whether you're subject to the Email Privacy Act."
Knowing your legal obligations could be the difference between offering your customers peace of mind when it comes to their data security and losing their business altogether, Koons added.
"Up until recently, most businesses were looking at privacy and data security from the perspective of protecting sensitive information from bad actors, not the government," said Jacob Ginsberg, senior director at Echoworx. "Most businesses have turned a blind eye, and that is a problem. The best advice is to not stick your head in the sand. Stay aware, keep up to date. Privacy is a moving target."