In 1986, Congress passed the Stored Communications Act within the broader Electronic Communications Privacy Act (“ECPA”). ((Microsoft Corp. v. United States, 829 F.3d 197,201 (2d Cir. 2016).)) In that year, Ronald Reagan was President, the U.S.S.R. suffered the Chernobyl disaster, and the price of gas was about 89 cents. Neither the internet nor the e-mail system existed. Obviously, a lot has changed since 1986, yet the ECPA remains frozen in time.
The ECPA was passed to create a legal framework with respect to the interception of computer and other digital and electronic communications. ((Id. at 205.)) The law defines two different types of electronic services: (1) electronic communication services, and (2) remote computing services, both of which are referred to as “service providers.” ((Id. at 206-07)). The Act generally prohibits service providers from disclosing information associated with and contents of stored communications, except in certain enumerated exceptional situations, such as where consent of the originator is obtained or notice is given to the intended recipient. ((Id. at 207)). The Act then establishes conditions under which the government may require a service provider to disclose the contents of stored communications and related obligations to notify a customer whose material has been accessed. ((Id.)). The law also details what the government must do if it wants to require individuals or corporations to provide them with data. ((Id.))
On its face, the ECPA seems to make sense. However, the law has failed to keep up with how e-mail is used today. Early forms of e-mail were stored on one’s own computer. ((See David Kraves, Aging ‘Privacy Law Leaves Cloud E-mail Open to Cops, Wired (Nov. 14, 2017), https://www.wired.com/2011/10/ecpa-turns-twenty-five/.)) Person A would send an e-mail to person B, and Person B’s computer would download the e-mail and store it on her computer. ((Id.)) There was an inherent limit to the amount of e-mails one could store, since computers only have a finite amount of memory.
Today, e-mails are stored on the cloud, large groupings of servers that are linked together around the globe. While there is technically a limit about on many e-mails a server farm can hold, that limit is astronomically high. For all intents and purposes, the servers can hold a limitless amount of e-mails. E-mails also commonly cross national borders.
The ECPA’s lack of foresight into the fact that e-mails commonly cross national borders has brought Microsoft Corp. v. United States all the way to the Supreme Court. The case stems from the government serving Microsoft with a subpoena for data connected to an individual. ((Microsoft Corp., 829 F.3d at 200.)) That data was stored on a server in Ireland. ((Id.)) Microsoft refused to hand over the data located in Ireland because it argues that none of the language in the ECPA indicates that Congress meant for the statute to have extraterritorial reach. ((Id. at 202-03.)) The court noted that if it provided the United States government with data that was not located in the United States, then other countries would demand the same treatment. ((Id. at 225))
Potential policy changes from Congress could dramatically affect the cloud businesses of Microsoft, Google and Amazon. For example, if Congress passed a new law that allowed ECPA warrants to have extraterritorial reach, then other countries would follow suit. Governments around the world, including oppressive government regimes, would have new-found access to data that was previously unavailable. Instead, Congress could mandate that the data of all U.S. citizens must remain in the United States. This would have a profound effect on cloud businesses. It is logical to assume that the inability to store data globally would require new servers to be built in America. Alternatively, Congress could mandate that so long as data is created in the United States, a copy of that data must be kept within its borders at all times. This solution would also probably require more servers to be built in the United States. Finally, Congress could choose to maintain the status quo and clarify that warrants under the ECPA do not have extraterritorial reach. This approach would have the most muted effect on cloud-based businesses and would still allow the government to receive data that is stored in the United States.
Latest posts by Jonathan Slack (see all)
- CLOUD Act: An Update Long Overdue - May 5, 2018
- Wells Fargo’s Punishment: A New Approach to Corporate Governance or Just a Mirage? - April 8, 2018
- The Electronic Communications Privacy Act: A Law Past its Prime - January 12, 2018