The importance of this week’s decision by the Second Circuit to deny rehearing in Microsoft’s Irish warrant case has less to do with the action in court and more to do with what happens next. Specifically, with what happens in Congress.
Last July, a panel of the Second Circuit held that a warrant issued by US law enforcement under the Stored Communications Act (SCA) does not have extraterritorial application. As Judge Carney notes in her concurrence with this week’s order: “[I]n many ways the SCA has been left behind by technology. It is overdue for a congressional revision that would continue to protect privacy but would more effectively balance concerns of international comity with law enforcement needs and service provider obligations in the global context in which this case arose.”
Laws regarding privacy and law enforcement have always struggled to strike a tricky balance: they must ensure that personal data receives the greatest protection possible while enabling investigators to do their job of keeping the public safe.
Unfortunately, in the digital world, the three decades-old Electronic Communications Privacy Act (ECPA), which is part of the SCA, does neither effectively.
This is understandable. Remember, when ECPA was enacted more than 30 years ago, our use of technology and cloud computing was dramatically different. Today, we store nearly all of our information in the cloud – emails, pictures, documents, health and financial records – and we expect to be able to access it whenever and wherever we are. Thirty years ago, we did not have the web of globally connected data centers and the software to move our data seamlessly around the world.
Software companies and civil liberties groups have urged Congress for years to update ECPA. The updates that passed the House of Representatives unanimously and had bipartisan sponsors in the Senate last Congress would make much-needed changes to enhance privacy protections that we have long championed. This week’s Second Circuit opinion is an important reminder that Congress must also focus on creating an international framework for accessing data – an issue that has also already received bipartisan, bicameral leadership in Congress.
As judges on the Second Circuit have said repeatedly since oral arguments in the case back in September 2015: the best next step is “congressional action to revise a badly outdated statute.” Our digital privacy laws need an update to protect both our privacy and security.