internet law

  • October 20, 2015
    Guest Post

    by Brad Smith, president and chief legal officer, Microsoft

    *This piece first appeared at Microsoft on the Issues.

    When people who care about technology look back at the year 2015, they will remember October as the month when the EU-U.S. Safe Harbor collapsed. An international legal agreement that has been in place for 15 years was invalidated in a single day. On Oct. 6, the Court of Justice of the European Union struck down an international legal regime that over 4,000 companies have been relying upon not just to move data across the Atlantic, but to do business and serve consumers on two continents with over 800 million people.

    The decision made clear what many have been advocating for some time: Legal rules that were written at the dawn of the personal computer are no longer adequate for an era with ubiquitous mobile devices connected to the cloud. In both the United States and Europe, we need new laws adapted to a new technological world.

    As lawyers and officials scurry to assess the situation, it’s apparent that both a variety of smaller steps and a more fundamental long-term change will be needed. We need to focus on both of these aspects.

    It’s important to focus on a wide variety of steps, especially given the potentially drastic ripple effects caused by the collapse of the U.S.-EU Safe Harbor. Government officials in Washington and Brussels will need to act quickly, and we should all hope that Congress will enact promptly the Judicial Redress Act, so European citizens have appropriate access to American courts. In addition, companies like our own that have put in place additional safeguards such as the EU Model Clauses will rely on and add to them, even while everyone discusses additional measures.

    But for the sake of the long-term we should also recognize some obvious and fundamental facts. We need solutions that will work not just for large tech enterprises but for small companies across the economy, and for consumers most of all. If we’re going to ensure that data more broadly can move across the Atlantic on a sustainable basis, we need to put in place a new type of trans-Atlantic agreement. This agreement needs to protect people’s privacy rights pursuant to their own laws, while ensuring that law enforcement can keep the public safe through new international processes to obtain prompt and appropriate access to personal information pursuant to proper legal standards.

  • September 8, 2015
    Guest Post

    by Susan Freiwald, Professor of Law, University of San Francisco School of Law

    *This post is part of ACSblog’s symposium examining proposed reforms to the Electronic Communications Privacy Act (ECPA).

    As eyes focus on the Microsoft appeal, people are asking why the Electronic Communications Privacy Act (ECPA) fails to resolve more clearly the questions presented. Anyone with a passing familiarity with ECPA could guess the answer: ECPA’s provisions, most of which are nearly 30 years old, are incomplete, ambiguous, and in dire need of amendment. Hence the calls to Congress to pass the LEADS Act (S. 512, H.R. 1174). But those bills, and other ECPA reform bills getting traction in Congress, leave uncovered gaping holes in the law. Only the California Electronic Communications Privacy Act (CalECPA, SB 178), which is up for its final vote in California today, would bring the needed coverage and clarity to protect modern electronic privacy rights. CalECPA applies in California to state and local entities, but it provides a blueprint for comprehensive federal reform.

    At the federal level, ECPA fails adequately to protect our most personal information: the communications, movements, documents and online activities that we store on our cell phones and share with our service providers. Though it should, ECPA does not clearly require a warrant for the location data generated when we use our cell phones to make and receive calls or texts and access the internet, even though, in one recent Fourth Circuit case, United States v. Graham, agents obtained well over 100 location data points per day from the subject’s provider. Other recent cases have been all over the map on whether and when a warrant is required. CalECPA takes its cue from the Supreme Court, which recently recognized the intrusiveness of location data acquisition in Riley v. California and United States v. Jones. CalECPA requires a warrant for access to any location data (with appropriate exceptions for emergencies in any case where it requires a warrant).