Engine commends Congressman Kevin Yoder (R-KS), Congressman Jared Polis (D-CO), Congressman Bob Goodlatte (R-VA), Congressman John Conyers (D-MI), and the bill’s other cosponsors for today’s reintroduction of the Email Privacy Act, legislation that would make critical reforms to our nation’s outdated outdated digital privacy laws.
“The touchstone privacy law that governs our online communications—the Electronic Communications Privacy Act (ECPA)—was passed over thirty years ago, at a time when the World Wide Web did not yet exist and most people didn’t even have computers in their homes,” said Engine Executive Director Evan Engstrom. “ECPA has become woefully inadequate for today’s digital landscape and the startup community has long advocated for reforms that would bring our nation’s privacy laws into the 21st century. The Email Privacy Act would do just that, helping to restore consumer trust in both the privacy of electronic interactions and the online services that facilitate those communications, in turn, benefitting entrepreneurs and startups across the U.S.”
ECPA was passed in 1986 and sets the standards for government access to private internet communications. However, in the years since ECPA was passed, the way that data are stored and transmitted has changed dramatically, and a loophole in the bill allows law enforcement to access consumers’ electronic communications, database records, and other digital data older than 180 days without a warrant. In practice, this means that all of the emails, Dropbox documents, text messages, financial records, and other electronic information that we tend to hold onto for much longer than six months can be obtained by law enforcement without a probable cause warrant.
This framework is especially problematic for startups, which lack the internal resources to handle ambiguous law enforcement requests. Since ECPA has been used to tackle issues outside of its original scope, and is often applied inconsistently, the ensuing uncertainty means that startups must often choose between complying with law enforcement at the risk of alienating users, or defying a data request and facing fines and legal action.
The Email Privacy Act would remedy these issues by making it clear that law enforcement agents must obtain a warrant—except in clearly defined emergencies—before they can compel a company to share an individual’s private information. This will bring clarity around startup compliance obligations and help to ensure that consumers’ expectations of privacy are met.
Congress has considered a number of ECPA reform bills in recent years, but legislation has yet to pass both chambers. Efforts in 2016 came to a standstill after a number of controversial amendments were introduced in the Senate. Still, we are optimistic that 2017 could be the year that the Email Privacy Act becomes law. Not only does the bill have broad, bipartisan support (the version introduced in the 114th Congress had over 300 House cosponsors and passed the the House unanimously), but ECPA reform also has a strong track record at the state level. Similar reforms were passed in California in 2015, and the sky didn’t fall. In fact, California’s approach, which carefully balances law enforcement needs with privacy protections, has allowed California’s law enforcement to continue to serve and protect with the same level of rigor and diligence.
We hope that Congress will follow California’s lead and pass reforms to ECPA this year. Consumers rightly demand that their digital communications receive the same protections as their physical possessions. And entrepreneurs deserve clarity and transparency around what is required of them in terms of government data requests. It’s time to bring our digital privacy laws out of the digital dark ages and pass a robust ECPA modernization bill, and today’s re-introduction of the Email Privacy Act is a good place to start.