Last week, the European Commission and the U.S. concluded tough negotiations to reach an important new agreement regarding cross-border data transfers, the so-called “E.U.-U.S. Privacy Shield,” which replaces the 15-year-old Safe Harbor compact. We also learned the U.S. and the U.K. began negotiations regarding a new data-sharing agreement that shows great promise to establish a basis for other like-minded democracies to develop a more modern and workable legal framework for government access to citizens’ data.
In recent years, major advances in technology and the globalization of electronic communications have rendered much of our existing regulatory framework obsolete. As a result, digital privacy issues have increasingly become regulated through a series of outdated statutes and regulations that are updated through “band-aids and paper clips” rather than comprehensive solutions.
These agreements are an important step, but far more work still needs to be done, in both the E.U. and the U.S.
For many years, U.S. law enforcement officials’ ability to access consumers’ private communications was governed by comprehensive legislation that Congress would periodically update in response to judicial decisions and new developments in technology. In 1968, Congress enacted the Wiretap Act to regulate the use of wiretaps by law enforcement officials and restrict the disclosure and use of information obtained through wiretaps. In 1986, Congress enacted the Electronic Communications Privacy Act and Stored Communications Act to regulate government access to new communications technologies, such as email correspondence. And in 2001, while we were serving as U.S. Assistant Attorneys General, Congress enacted the USA Patriot Act, which comprehensively strengthened and clarified the legal tools for protecting the country against terrorism.
Today, however, many of those laws have become outdated in light of new technologies, and there are several pressing issues that cry out for comprehensive solutions through legislation or international agreements. For example, consumers, Internet providers and law enforcement officials need clear guidance from Congress about when a warrant is required to compel disclosure of a customer’s email correspondence. At least one federal court has held that a warrant is always needed to require an email provider to disclose its customers’ private communications, and all major providers insist upon a warrant before making such disclosures. Yet some government agencies continue to take the position that private communications can be disclosed through a much-less-formal process, such as a subpoena. It is untenable for this critical issue to be governed by a patchwork of inconsistent rules rather than a uniform, nationwide legal standard. Congress should make clear through legislation that a search warrant is always required for law enforcement officials to compel the disclosure of a person’s private email communications.
There have also been heated disputes over whether a U.S. court can compel an American company to produce customer data—such as e-mail communications—stored on servers located in a foreign country. This creates a problem for all entities involved. Despite being headquartered in the U.S., American companies serve a global customer base and therefore, must adhere to laws of individual nations whose citizen’s data they possess. When they do, they often find themselves at risk of violating one nation’s laws in order to comply with another. Law enforcement is equally challenged in this global digital environment having to rely on an antiquated system to fulfill requests for information or evidence they are seeking from foreign partners, a process which can take 10 months on average according to the President’s Review Group on Intelligence and Communications Technology.
The statute currently governing these issues—which was enacted more than 30 years ago, at a time when email was still in its infancy—says nothing about how to resolve these inter-jurisdictional disputes. As a result, law enforcement officials, Internet companies, consumers, and other stakeholders are forced to muddle through under a set of outdated rules that no longer match the practical reality on the ground. And this uncertainty about the rules of the road simultaneously undermines both consumer privacy interests and the needs of law enforcement.
Building on the EU-U.S. Privacy Shield and the U.S.-U.K. negotiations, we must continue to move beyond a system in which critical digital privacy issues are governed in an ad hoc manner. This system is broken. The time is ripe for a comprehensive legislative overhaul of the antiquated laws that currently govern when and how law enforcement officials may access citizens’ private electronic communications.