U.S. Privacy Act Updated: Modernizing Digital Due Process

Congress recently amended the Electronic Communications Privacy Act of 1986 (ECPA) to require law enforcement to obtain a warrant before accessing an individual’s emails through their email provider. Before this amendment passed, a loophole in the original act allowed law enforcement to obtain emails older than 180 days from email providers without needing a warrant.

Originally, the 1986 act was enacted by the United States Congress to extend the government restrictions that apply to wiretaps on telephone calls so that they also cover transmissions of electronic data by computer.

The act as passed made several key changes to ECPA. Notable changes include requiring a warrant for law enforcement access to emails older than 180 days; removing the distinction between communications held by an electronic communication service and those held by a remote computing service; and updating notice requirements and exceptions.

Why the 180-day rule? Most emails were not stored beyond 180 days at that time, and emails stored beyond that date were considered “abandoned” under ECPA and thus not subject to a reasonable expectation of privacy.

However, in an era where data storage has grown increasingly cheap and platforms like Gmail allow for “forever” storage, more and more users are storing emails in perpetuity. When all of a user’s emails can be stored indefinitely, emails that are stored beyond 180 days may not necessarily be “abandoned.” The Email Privacy Act removes the 180-day rule and requires a warrant for all emails, regardless of how long they are stored. For many of our consumer intelligence businesses, email is a central communication channel and source of behavioral information, so many of us, and law enforcement, can see a great deal about ourselves: purchasing habits, life choices, and so on. That is scary and interesting all at the same time.

We applaud the intent of updating a regulation to stay current with the ever-changing technological landscape, continuing to protect end-users from intrusive privacy risks that aren’t covered by laws linked to today’s technological uses.

However, with these new changes also comes some bad. After 180 days, email would no longer be protected by a warrant standard and instead would be available to the government with an administrative subpoena and without requiring the approval of a judge. An administrative subpoena under U.S. law is a subpoena issued by a federal agency without prior judicial oversight. Critics say that administrative subpoena authority is a violation of the Fourth Amendment to the United States Constitution.

With a federal official’s signature, virtually all businesses are required to hand over sensitive data on individuals or corporations, as long as a government agent declares the information is relevant to an investigation. So in this change, Congress has also authorized the government to bypass the Fourth Amendment, which is our constitutional guard against unreasonable searches and seizures and requires a probable-cause warrant signed by a judge.

Dennis Dayman, Chief Privacy & Security Officer, Return Path and Chair of eec
James Koons, Chief Privacy Officer, dotmailer
Alex Krylov, Privacy & Compliance Manager, Experian Marketing Services

Members of eec Advocacy Subcommittee