The privacy of electronic communications is provided for under the Electronic Communications Privacy Act. There are limited circumstances in which ISPs may disclose the contents of electronic and stored digital communications. But the law is unclear as to what happens when data is transmitted into and stored in other countries with data security laws that are at odds with the electronic communications privacy laws of the U.S. In such circumstances, when can the content of private electronic communications and stored data be disclosed by ISPs?
The Electronic Communications Privacy Act
Keeping in line with America’s long-standing belief that personal papers should be kept private (i.e., away from the eyes of the government), the Electronic Communications Privacy Act (ECPA) is a collection of privacy laws created in 1986 that are meant to protect electronic communications from being disclosed by the ISPs that handle them. The ECPA is comprised of three parts, each protecting a different aspect of privacy of electronic communications and data storage:
- The Wiretap Act: The Wiretap Act is a set of laws designed to protect the privacy of electronic communications during their transmission. The Wiretap Act protects the privacy of the content of the electronic communication, which can be thought of as the body of the communication, akin to the body of a letter sent by post.
- The Stored Communications Act: The Stored Communications Act (SCA) protects the privacy of electronic communications while they are being stored, e.g., on servers or on a computer.
- The Pen Register Act: The Pen Register Act is designed to provide privacy protection of non-content aspects of electronic communications during transmission. Non-content aspects of an electronic communication are akin to information you might find on a postal envelop (i.e., information related to where the electronic communication is coming from and its intended destination).
Modern Issues That are Unclear Under the ECPA
For the most part, the Electronic Communications Privacy Act, specifically by means of the Wiretap Act and the SCA, prohibits ISPs from accessing the content of electronic communications that they handle, except for limited circumstances under which it is permissible for ISPs to disclose the contents of private electronic communications to law enforcement or the government. Such disclosures are commonly made by ISPs for the purposes of assisting law enforcement with criminal investigations.
Since the creation of the ECPA predates modern internet technology, many issues have arisen when it comes to trying to apply such old law to new advances in internet technology. For many years technology companies and ISPs have been lobbying for the modernization of the ECPA to better reflect the current state of technology and its capabilities, such as the easy transmission of electronic communications to servers and other data storage facilities that are located in a foreign country.
Under the ECPA, the rules for when ISPs can access private electronic communications depend on the classification of the service provider and how long the data has been stored. It is unclear under the ECPA whether an ISP is permitted to disclose the contents of an electronic communication that is stored on a server in another country. While the U.S. courts are generally of the opinion that ISPs and technology companies are required to comply with U.S. search warrants that indicate that the content of electronic communications be disclosed for criminal investigation purposes, a recent division in the courts has brought this practice into question.
The Challenges to Updating the ECPA
There are many challenges to be faced if Congress does want to update the ECPA. For starters, the update to the ECPA would either have to be compatible with the privacy laws in effect in other countries, where electronic communications may be stored, or have to address how ISPs can access private electronic communications stored abroad in compliance with a U.S. search warrant while in violation of the other country’s privacy laws. At present, ISPs that have been issued a U.S. search warrant to access data stored in a foreign country that has strong privacy laws are faced with the Hobson’s choice of which country’s laws to violate – fail to comply with the U.S. search warrant or violate the privacy laws of the foreign country where the data is stored. The current state of the ECPA puts ISPs in an untenable position.
Furthermore, consideration must be given to what such an update to the ECPA would mean for electronic communication privacy all over the world. The effect of such an update to the ECPA would condone the extraterritorial application of a U.S. search warrant, making it clear that data that is stored in foreign countries is not out of the reach of the U.S. government. Under this precedent could foreign countries apply a similar approach to demand access to data that is stored in the United States?
ISPs and cloud-based storage providers that store electronic communication data abroad live in uncertain times under the Electronic Communications Privacy Act, and while updates to the law is something that the U.S. Congress has been puttering about for many years now, there is no clear, definitive path to change anywhere in the near future. If you have questions about your technology company’s rights and obligations under the ECPA or any subpart of the ECPA, feel free to contact one of the lawyers at Revision Legal today to discuss your particular privacy law concerns. The Wiretap Act and the Stored Communications Act can be complicated, but compliance with these privacy laws is necessary. Contact us using the form on this page or call us at 855-473-8474.