Shifting privacy landscape and the need for Congressional reform
The invalidation of the U.S.-EU Safe Harbor agreement by the EU Court of Justice demonstrates the EU’s loss of faith in U.S. government privacy practices and marks the most recent tectonic shift in tech. In many ways, this decision is the latest consequence of Edward Snowden’s actions, which, for better or for worse, dramatically changed the way tech companies and citizens think about privacy. The invalidation of the Safe Harbor agreement and the increasing use of end-to-end encryption are examples of the shifting privacy environment. And both of these issues are squarely focused on the unwarranted or unlawful access to data. Congress is in the unique position to help the U.S. regain its leadership on digital privacy issues and must enact much-needed reforms to improve international data sharing while protecting individual privacy.
Abandoning “Back-Door” Encryption Isn’t Enough
The Obama administration’s recent announcement that it would abandon plans to pursue so-called “back-door” encryption brought a partial sigh of relief from many technology companies and privacy advocates. According to the announcement, President Obama will no longer ask Congress to pass legislation mandating tech companies to decode data for law enforcement use.
While this announcement was a positive development, major risks to individual privacy in the context of law enforcement remain. A high-profile example of this is the Microsoft search warrant case. In this Second Circuit case, the U.S. government is trying to obtain access to a citizen’s data stored in an overseas data center, circumventing long-standing multilateral treaties that govern international data access. Fortunately, a solution exists: the Law Enforcement Access to Data Stored Abroad Act (LEADS). LEADS would prevent the use of this loophole and protect individuals’ privacy, while providing law enforcement with a more efficient process to access the data it needs to keep the public safe.
The nearly yearlong standoff between the FBI and major technology companies like Apple and Google has eased up in recent weeks. Historically, law enforcement agencies have sought to maintain access to encrypted data stored or handled by the technology giants, while tech providers have been adamant against allowing back-door access to data. The fight – one marked by harsh, public statements and intractable positions – has transitioned in recent weeks into a productive conversation with the administration’s latest announcement.
How Congress Can Help
Despite these positive developments, a legislative solution is still needed. The Electronic Communications Privacy Act (ECPA) that regulates the government’s access to citizens’ digital communications is about to turn 30 years old. The law was written long before the advent of global technological advancements like cloud computing, and many of its provisions no longer apply. For instance, ECPA does not take into account the possibility of data centers being located overseas. The clash between outdated laws and modern, global technology has created ambiguity regarding access to personal data.
In the midst of this ambiguity, some tech companies are challenging government practices under ECPA in court. The Microsoft search warrant case, which challenges a federal search warrant issued for personal emails stored on the company’s data server in Ireland, raises a larger question: can a U.S. law enforcement agency compel a U.S. technology provider to turn over digital information that is stored in a location outside the U.S.? This past September, Microsoft appealed the Southern District of New York’s answer to this question, arguing that law enforcement has no right to access this information by way of the issued warrant.
Although legal challenges will hopefully add clarity to the complex legislative environment, they will not sufficiently clarify the situation for individuals, tech companies, and law enforcement agencies. The invalidation of the Safe Harbor agreement only further complicates this environment. The public significance of the issues makes this grounds not only for Congressional legislation, but also for potential Supreme Court intervention.
A Call to Action
The LEADS Act is a bipartisan opportunity to reform ECPA and improve international data sharing while simultaneously protecting the privacy of individuals. The legislation clarifies that U.S. law enforcement warrants do not apply to emails of non-U.S. citizens that are stored in other countries. Absent congressional action, the privacy of individuals will be at risk and law enforcement agencies will continue to operate in an uncertain environment. The passage of the LEADS Act will also lay a meaningful foundation for a new Safe Harbor agreement.
LEADS strikes the delicate balance between security and privacy that is critical in today’s digital world. The administration has agreed that mandated back-door access to encrypted data is not a viable solution. Now, Congress must take action to clarify the rule of law and create certainty for all parties involved in modern digital communications. Momentum on this issue is growing, as companion bills with co-sponsors from both parties have been introduced in the House and Senate. It is time to schedule a hearing on LEADS so the solutions offered in this bill can be vetted publicly and have a path forward.
Anderson, a former Obama administration official, is an expert with SafeGov.org.
Copyright 2023 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.