Passing ECPA reform – It has never been more important

This is an important week for privacy in the nation’s capital. With a hearing today before the Senate Judiciary Committee, another focus on privacy begins in earnest.

In truth, this could not come at a better or more important time. With each passing month it is becoming even clearer that our nation’s antiquated privacy laws need to be reformed. This is the time for Congress to act.

The principal law that protects the online privacy rights of Americans today was passed in 1986. In technological terms, it was a bit like the Stone Age.

I remember, because by coincidence I was a young lawyer moving to Washington that fall. People still remind me that I was a bit of a trailblazer at the time by insisting that I have a PC on my desk at a law firm. Yet what’s most striking is that any activity online at that time required connecting to a modem to access a service such as CompuServe. Viewed in hindsight, it was pretty primitive. So much so that it never even occurred to me to ask the law firm for a PC and a modem.

The privacy law passed in 1986 is the Electronic Communications Privacy Act (ECPA), and it’s no mistake the law has this title. If you look at the Congressional record from 1986, debate over the bill was mainly about how Congress could help advance people’s personal privacy – not about adding ways to access their information. But as technology evolved over time, the level of privacy set by the law has actually decreased. For example, ECPA assumed people didn’t keep electronic records or communications such as email for longer than 180 days because it was unheard of then. So the law established a lower level of privacy protection for emails that are more than six months old.

Yet this obviously makes no sense today. Let’s face it: most of us have more old emails than we can count. If someone has an email account that only has email that is less than six months old, it means that they’re either exceptionally well-organized, have a lot of time on their hands or an account that was opened up less than six months ago. In all probability, it’s the latter!

And this is just one of many ways in which the law has fallen behind.

The country has figured this out. A survey of U.S. voters we conducted last summer found that 86 percent believe in the same protections for digital information as information on paper. Similar sentiment in other countries has led to a series of new laws across Europe, Asia and South America while Americans continue to receive weaker protections as technology advances. Many of these updates center on laws to protect email, which has increasingly become our system for storing legal documents, remembering the milestones in the lives of our friends and family, and communicating our deepest held views.

The good news is that hope is finally on the horizon. Legislation to reform ECPA and fix these problems now has swelling numbers of co-sponsors.

The reforms in this new legislation are sensible. For example, ECPA reform would require that a warrant be obtained by law enforcement before it can access the content of someone’s email.

This would build on judicial trends and the fact that the courts increasingly agree that emails deserve the same protections as written letters in the physical world. In the ground-breaking Warshak case, a federal appellate court in fact ruled that law enforcement needs to get a warrant to get email content. The ECPA reform bill would codify this ruling.

But updating ECPA to require a warrant for email content is not the only legislative change that is needed. American technology is used around the world and data now commonly flow between countries. U.S. companies have customers in many countries, and ECPA does not address this global nature of data use and storage. This has led to debate between the tech sector and Washington, and to a lawsuit involving Microsoft and the Department of Justice.

We do not believe that existing law provides the authority for U.S. law enforcement unilaterally to obtain a person’s emails and other electronic data, such as pictures or documents, when these are stored in data centers located abroad. But we also recognize that new approaches are needed, and Congress therefore needs to act.

To address this issue, the Law Enforcement Access to Data Stored Abroad Act (LEADS) has been introduced by Senators Hatch, Coons and 14 other Senate co-sponsors, and Congressman Marino, Congresswoman DelBene and 93 House co-sponsors. The legislation would establish a rule of law for how law enforcement can obtain data that may be held abroad.

Without enactment of this type of bill, we face the prospect of increasing legal conflicts between governments and the loss of privacy for consumers.

In short, the need for legal change is real. The stakes for privacy and people are high. Congress has the opportunity to act. Let’s all hope that it finds the will to do so.