It’s time to update the Electronic Communications Privacy Act (ECPA)

Our emails, social media messages, and other electronic communications contain private information and deserve protection.  Thirty years ago, Congress passed the Electronic Communications Privacy Act (ECPA) as a way to ensure that electronic communications were protected against wrongful use and public disclosure by third parties, including government agencies.

Now, technology has outstripped existing law, and it is time to update ECPA.

{mosads}Under ECPA, government investigators must obtain a warrant from a neutral judge to compel disclosure of electronic communications stored with third-party providers for 180 days or less.  But if the communications have been stored for more than 180 days, the government can obtain them with a mere subpoena that the agency itself may issue. The 180-day rule may have made some sense in 1986. But now, inexpensive cloud storage enables us to store years’ of content with our service providers.  The emails, social media messages, and other electronic communications we created two years ago can be just as private, and as deserving of protection, as the ones we create today. 

The time has come for the law to catch up with the reality of how we communicate today.  The House of Representatives understands this and, has passed the Email Privacy Act to update ECPA unanimously.  The Act would eliminate the 180-day distinction and require that government entities obtain a criminal warrant before they obtain the contents of the electronic communications we store with our third-party providers. 

The Senate now has the opportunity to follow the House in modernizing ECPA to provide needed protections for all of our electronic communications.  Unfortunately, some civil agencies have complicated the effort for reform. 

I was a civil law enforcer for 28 years.  For 22 years, I was an Assistant Attorney General in the states of North Carolina and Vermont.  And for the past six years, I served as a Commissioner of the Federal Trade Commission.  Throughout this time, we sometimes encountered difficulty serving process on foreign entities and persons.  And when we found the perpetrators, we sometimes found that they had no assets left to enforce restitution.  But we seldom struggled to obtain evidence of wrongdoing.  In my statement to the Senate Judiciary Committee last year, I wrote that the FTC rarely seeks the content of communications from ECPA-covered entities.

Effective enforcement is not unique to the FTC.  Last year, Securities and Exchange Commission Chair Mary Jo White told a House subcommittee that the SEC has not subpoenaed content from ECPA covered entities since she joined the agency.  Yet the SEC understandably touts its recent enforcement record. 

The need for a civil law enforcement exception to ECPA reform’s requirement that government agencies obtain a warrant from a neutral judge before looking at our private communications is overblown.

And the details of such an exception are far from clear.  Some have suggested that civil agencies should be allowed to compel communications providers to disclose communications by obtaining court orders after providing subscribers with notice and an opportunity to be heard.  But the civil agencies governed by ECPA include thousands of state and local government entities.  Will local libraries, parks and recreation departments, school boards, and local tax authorities be able to compel providers to hand over emails?  And what standard would civil agencies have to satisfy in order to compel disclosure?  If the standard were less than probable cause, would agencies be prohibited from sharing information with criminal law enforcement? 

To be sure, there are risks that the targets of enforcement actions may withhold or delete communications once they are served with a subpoena from a civil agency.  This is not new.  Targets have always been able to withhold or destroy requested evidence, whether in tangible or electronic form.  When they do, the law provides remedies.  Judges can impose sanctions, including inferences adverse to the recalcitrant and judgments in favor of prejudiced agencies.  With such remedies already at hand, there is no need to delay ECPA reform by getting mired in the morass of defining the contours of a civil law enforcement exception.  

We need ECPA reform.  Our emails, social media messages, and other electronic communications are as private as our letters, financial statements, and diaries.  Our rights should not be degraded simply because we live in the digital age.  Civil agencies are sophisticated, enterprising, and dedicated to their missions.  They will continue to succeed without an exception to the warrant requirement. 

Those calling for such an exception mean well.  But, as Justice Louis D. Brandeis, who both helped develop the right to privacy and create the FTC, said, “The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding.”     

Brill was a Commissioner of the FTC from April 2010 to March 2016.  She is now a partner and co-director of the global Privacy and Cybersecurity practice at Hogan Lovells.