House passes email privacy act, again

For the second time in less than a year, the House has overwhelmingly passed an email privacy act. Last year, the bill died in the Senate, and supporters are urging senators to pass the bill this time.

Last year, the Email Privacy Act passed the House without opposition but stalled and died in the Senate. House members and privacy advocates are wondering if it will be any different this time.

On Feb. 6, the House again passed the Email Privacy Act by unanimous voice vote. The bill updates the 1986 Electronic Communications Privacy Act (ECPA) to clarify and expand search warrant regulations for law enforcement to compel service providers to turn over customer emails or other data on their servers.

The current law draws a distinction between emails residing on a provider's systems and those downloaded to the computer or device of an end user. The age of the email is also a factor.

Privacy organizations such as the Electronic Frontier Foundation have long pushed for legislation to increase email privacy.

House Judiciary Committee chairman Bob Goodlatte (R-Va.) urged the Senate to pick up the pace on the legislation.

"As the House again has overwhelmingly approved this bill, it's time for the Senate to take up this bipartisan legislation and send it to the President's desk to become law," he said in a statement.

Senate Judiciary Committee Chairman Chuck Grassley (R-Iowa) said that those looking for quick moves on ECPA may be disappointed.

"We’ll certainly take a look at the bill again at some point, but it’s a tough road in the Senate," Grassley said. "Everyone agrees ECPA needs to be updated. But there was broad, bipartisan interest on our committee to modernize the law to also address law enforcement and national security equities in ways the House bill omits."

The legislation moves to the Senate just days after a court ruling that could color the debate.

On Feb. 3, 2017, a U.S. magistrate judge in Pennsylvania ruled that Google was required to turn over data held on its servers outside the U.S. that was the subject of Stored Communications Act warrants in criminal cases involving crimes committed in the U.S.

Google refused to comply with the warrants, citing a previous ruling by the Court of Appeals for the Second Circuit that said Microsoft was not required to turn over data in a criminal case because the data resided on a server in Ireland.

Grassley noted that the Microsoft ruling has "raised the stakes" for any move to pass ECPA because of the new limits on the ability of U.S. law enforcement to access data stored abroad.

Magistrate Judge Thomas J. Rueter of the Eastern District of Pennsylvania said the Google case was not governed by the Microsoft precedent.

"In contrast to the decision in Microsoft, this court holds that the disclosure by Google of the electronic data relevant to the warrants at issue here constitutes neither a 'seizure' nor a 'search' of the targets' data in a foreign country," Rueter wrote. "Electronically transferring data from a server in a foreign country to Google's data center in California does not amount to a 'seizure' because there is no meaningful interference with the account holder's possessory interest in the user data."

Google said it will appeal the ruling.