by Andrew K. Woods, Assistant Professor of Law, University of Kentucky College of Law
*This post is part of ACSblog’s symposium examining proposed reforms to the Electronic Communications Privacy Act (ECPA).
There is growing consensus that ECPA reform is necessary. ECPA was passed in 1986, a time when the Internet was more a research curiosity than what it is today: the global backbone for modern communications and commerce. And indeed, the time for ECPA reform has never been more urgent. The U.K. is urging a new treaty with the U.S. regarding data access, which could have an effect on some of ECPA’s provisions, and just as importantly the Microsoft Ireland case is working its way through the courts, which may lead Congress to respond. So it is welcome news that Congress is currently entertaining at least three bills that would reform ECPA – the LEADS Act, the ECPA Amendments Act of 2015, and the Email Privacy Act. There’s just one problem: none of these reforms would fix the most significant problem with ECPA.
By nearly every metric, the Internet has gone global, and it is dominated by American companies. U.S. Internet users now constitute only ten percent of the world’s Internet users, and the majority of Google and Facebook users are outside the U.S.. Yet, according to Alexa.com, the top websites and web service companies in many countries – Brazil, the U.K., India, France and many more – are mostly American. Moreover, as Orin Kerr has written, the drafters of ECPA simply did not contemplate an Internet that would cross national borders. Because the Internet is global, and because so many of the world’s leading websites are based in the U.S., ECPA has a number of nasty extraterritorial effects.
Imagine a police officer in the U.K. investigating a kidnapping in London in 2015. The prime suspect has a Gmail and Facebook account, so the police go to a magistrate and get a warrant to search the suspect’s apartment and to access his online accounts. The British investigators then take their U.K. warrant to Google and Facebook and ask to see the suspect’s private communications. The response: “Sorry, ECPA prohibits us from handing that data over without a warrant from a U.S. judge.” This means that the British investigator will need to request mutual legal assistance from the U.S., in accordance with the U.S.-U.K. Mutual Legal Assistance Treaty (MLAT), which dates from 1996. As I noted in a report for the Global Network Initiative earlier this year, the MLAT process is painfully slow, with requests regularly taking longer than a year. (The LEADS Act, to its credit, proposes a number of much-needed reforms to the existing MLAT process; however, the act does not change the fact that foreign law enforcement must still engage the U.S. government’s help to get cloud-based evidence held in the U.S.)