Government Affairs Blog
October 31, 2019
WHAT DOES THE U.S.-U.K. DATA ACCESS AGREEMENT MEAN FOR INTERNATIONAL COMMUNICATION SERVICE PROVIDERS?
Earlier this month the governments of the United Kingdom and United States signed an agreement to help law enforcement agencies (LEAs) in each country gather digital evidence in the other country for purposes of criminal investigations. The pact is known as the “Data Access Agreement.” Why is the Data Access Agreement needed, how does it work, and what is the impact on communication service providers (CSPs)?
The problem of gathering evidence in cross-border criminal investigations
An order from a judge in Country A to disclose evidence stored in Country B may violate the data protection laws of Country B. This dilemma spawned a legal controversy in 2016, when Microsoft refused to honor a U.S. court order to produce emails that the company had stored in a data center in Ireland. In the litigation, the Second Circuit Court of Appeals ruled in Microsoft’s favor.
The Microsoft ruling delivered an important victory for end user privacy. But it frustrated a law enforcement investigation. Beyond that, criminals likely realized they could help conceal their criminal activity in the U.S. by contriving email user accounts designated for email storage outside the U.S.
The problem with mutual legal assistance treaties (MLATs)
Governments worldwide tried to solve the problem of cross-border digital evidence gathering by entering into agreements called mutual legal assistance treaties, or “MLATs.” Under an MLAT, a law enforcement agency in Country A that needs copies of emails stored in Country B could submit a formal request to the government of Country B, and if Country B approved the request it would dispatch its own law enforcement agents to collect the evidence under its own laws.
MLATs worked well in theory because they paved an investigatory path for LEAs while protecting privacy. Unfortunately, they proved unsatisfactory in practice. Sometimes a country in receipt of an MLAT filing would deny the request. Other times the approval process would take months or years to complete. Countries with good political relations enjoyed more MLAT cooperation than others.
The benefits of the Data Access Agreement
To improve the international sharing of digital evidence, the U.S. Congress enacted a statute called the Clarifying Lawful Overseas Use of Data Act of 2018 (the “CLOUD Act”), and the U.K. passed a similar bill called the Crime (Overseas Production Orders) Act of 2019. The implications of these actions were explored in a prior blog. The dual legislation enabled the two democracies to negotiate the Data Access Agreement. The Agreement facilitates criminal investigations while preserving meaningful privacy protection.
Under the Data Access Agreement, an LEA in the U.K. that must investigate electronic information stored in the U.S. no longer needs to invoke the government-to-government MLAT channel to obtain the evidence. Instead, it may serve an order directly on the U.S. CSP. The order would be issued by a “designated entity,” meaning an agency appointed by the U.K. Home Office or Secretary of State. In the U.S., the designation would come from the attorney general. The service provider could be an email host, a wireless service provider, social network, or cloud storage company. Likewise, a U.S. designated entity could approve the same type of order for delivery to a British CSP. The terms of the Agreement ensure that both sides would observe a common baseline of strong due process and privacy protection. By skipping the governmental middleman, the process should work more quickly and reliably than the MLAT scheme.
The Data Access Agreement is not a cure-all. The arrangement cannot be used for evidence-gathering in civil proceedings. It is available only for “serious crimes,” such as terrorism, transnational organized crime, murder, cybercrime, and child sexual abuse. Even within that narrow scope of wrongdoing, each country may investigate only suspects who are not residents of the other country. The idea is to let Country A investigate its own citizens without exploiting the opportunity to investigate citizens of Country B. Moreover, the range of assistance is limited to the disclosure of stored records. It does not permit orders for real time electronic surveillance (wiretapping). Finally, the plan does not solve the problem of deciphering encrypted communications. Services like Facebook’s WhatsApp could still be encrypted end-to-end.
The bilateral Agreement will take effect following a six-month period of review by Congress and the U.K. Parliament.
The impact on communication service providers
Thanks to the Data Access Agreement, CSPs on both sides of the Atlantic may receive more requests for stored electronic data. A provider that serves both markets may see an even greater upsurge in evidentiary demands. Look for a relatively larger number of orders to flow from the U.K. to the U.S. After all, American competitors like Microsoft, Facebook, and Google hold dominant market shares worldwide.
On the other hand, the U.K.-U.S. deal affects only two jurisdictions. Other governments undoubtedly want similar terms of reciprocity. But if they lack high standards of due process and privacy they probably won’t get far. The EU and Australia have begun data access negotiations with the U.S. Any progress between Australia and the U.S. must overcome at least one significant policy difference. Australia’s decryption mandate is stricter than that of the U.S. Beyond the collection of traditional U.S. allies, it is difficult to predict when any other data access agreements may emerge.
Data access agreements will impose a bigger impact on CSPs subject to data retention mandates. For example, if the U.S. signs a data access agreement with Australia, and a U.S. designated entity requests data from an Australian email provider, the company may need to disclose as much as two years of data because two years is the Australian-mandated period of retention. A U.S. VoIP provider, by contrast, is not subject to any data retention law and therefore need not retain user data at all. No provision of the Data Access Agreement requires a service provider to disclose data it does not have.
The need for appropriate legal expertise
To the extent CSPs receive more requests for stored data they may need more legal experts to review the requests for validity and process them pursuant to the applicable privacy laws. Some service providers could expand their in-house staffs. Others may prefer to outsource the function to a contractor with the appropriate expertise. Another option is to hire outside counsel, though that can be expensive.
A CSP that objects to a digital evidence order may appeal to the foreign designated entity. But that would naturally require foreign legal expertise. At this early stage of the Data Access Agreement, the chances of success would be hard to predict.
The Data Access Agreement intends to expedite LEA investigations while protecting end user privacy. But the legal breakthrough may produce an unintended consequence: a bigger workload for the communications industry.
September 27, 2019
MAY A U.S. COURT REQUIRE A COMMUNICATION SERVICE PROVIDER TO INTERCEPT COMMUNICATIONS IN A FOREIGN COUNTRY?
Most Americans probably assume the U.S. Wiretap Act applies only in the U.S. It is difficult to imagine how a judge in any one country could find authority to order electronic surveillance in another country. Nevertheless, as a practical matter the Act does permit a U.S. judge to order such surveillance, even though the suspect, the suspect’s communications device, other parties to the call, and the communications themselves are all located outside the U.S. That was the outcome of United States v. Rodriguez-Serna, a federal court ruling issued in southern California earlier this month. How can that be?
The U.S. Legal Standard to Assert Jurisdiction over Lawful Surveillance
It is well-settled law that the U.S. Wiretap Act has no extraterritorial jurisdiction. That is, U.S. wiretap law ends at our nation’s borders. A U.S. judge cannot cite it as a basis to order electronic surveillance in a foreign country. But that’s not the end of the surveillance story.
In the U.S., a judge may assert jurisdiction over a criminal case for purposes of authorizing electronic surveillance if any of three things related to the crime is found in the judge’s territory. The three are:
- the suspect’s communications device, such as a cell phone;
- the intercept access point, which is the point in the communication service provider’s (CSP’s) network where the suspect’s communications are duplicated and re-routed to the law enforcement agency (LEA) monitoring point; and
- the LEA monitoring point, where the intercepted communications are first heard and/or viewed.
In United States v. Rodriguez-Serna, the LEA investigated an illegal drug ring that spanned the U.S. and Mexico. The LEA monitoring point was in southern California. Hence, the southern California court asserted jurisdiction over the case and decided, based on a showing of probable cause, to order surveillance of the gang members.
The targeted surveillance suspects were Mexican citizens. At the time of the surveillance, they were traveling in Mexico. Their CSP was an American wireless carrier with network infrastructure on both sides of the border. Yet despite the many Mexican features of the situation, the U.S. Federal District Court for the Southern District of California upheld the validity of the intercept due to the presence of the LEA monitoring point on U.S. soil.
If any of the three above-listed elements of the surveillance are in the U.S., the Department of Justice has advised that the intercept must be ordered by a U.S. judge. Otherwise the intercepting party could be prosecuted for the crime of unauthorized surveillance.
The Potential for Jurisdictional Conflicts over Lawful Surveillance
Liberal democracies outside the U.S. have their own wiretap statutes. As in the U.S., most or all of those laws have no extraterritorial effect. Also like the U.S., each foreign state considers it a crime to conduct surveillance within its boundaries without approval from a domestic court. The result is a system where each state reserves the sovereign right to conduct surveillance on its own soil.
Notice how international surveillance may create conflicts of law. Let’s say a court in one state, which we’ll call Olympia, orders surveillance on a suspect based on the presence of an LEA monitoring point in Olympia. Now suppose the suspect is talking on his cell phone in another state, which we’ll call Atlantis, and the CSP’s intercept access point is also in Atlantis. The surveillance may be validly authorized by Olympia but still unauthorized by Atlantis because no Atlantis court has approved it.
In this scenario, how should the CSP respond? It does not want to be prosecuted for engaging in unauthorized surveillance in Atlantis. But it may risk an enforcement action in Olympia if it refuses to implement the valid Olympian order.
In American criminal procedure, the “exclusionary rule” ensures that unlawfully gathered evidence may not be used against a defendant in a criminal trial. If a judge orders an intercept but lacks jurisdiction to do so, a higher court may apply the exclusionary rule to decide that any evidence gathered from the surveillance must be thrown out. Therefore, it is not only the CSP that may suffer from a defective jurisdictional analysis. The general public may also lose out because the legal mix-up may let a criminal go free.
How Service Providers Avoid Jurisdictional Conflicts over Lawful Surveillance
The U.S. and all but a few countries have signed treaties that shield CSPs from getting sandbagged in jurisdictional conflicts over lawful surveillance. Under these mutual legal assistance treaties, or “MLATs,” if a court in Olympia serves an order on a CSP in Atlantis to conduct surveillance in Atlantis, the CSP may validly say no. The Olympia LEA would then invoke a legal process through which the ministry of justice in Olympia would ask the ministry of justice in Atlantis for help. Upon approval from the ministry in Atlantis, an LEA in Atlantis would serve a surveillance order on the CSP, and the CSP could implement it without fear of violating Olympia’s laws.
MLAT treaties honor the principle of state sovereignty, where each state controls surveillance within its own contours. Therefore, the treaties avoid the most common type of jurisdictional conflict that a surveillance order may cause. Nevertheless, MLATs do not address all surveillance scenarios. Imagine a case where a court in Olympia validly orders a CSP in Olympia to conduct surveillance, even though elements of the investigation lie across the border. That is the dilemma posed in United States v. Rodriguez-Serna. The international community has not yet solved this type of conflict. A solution would require them to reconcile many conflicting jurisdictional laws.
A CSP caught in the above legal vice should consult counsel, ideally someone with expertise in the laws of both governments. Often, a conversation with the applicable LEA can lead to a work-around, such as where investigators modify their plan of attack to avoid CSP friction with foreign laws. If the LEA can gather the communications evidence it needs, it will not need to initiate an enforcement action against the CSP.
European CSPs are better protected from surveillance conflicts. Most E.U. states have signed a special European treaty that permits surveillance agents to follow a suspect across a border without violating the laws of the neighboring jurisdiction. Let’s say a German court orders a German CSP to activate surveillance on a suspect with a cell phone. If the suspect drives from Germany to Italy, the CSP would notify the German LEA, and the LEA would alert its counterpart in Italy. At that point, the Italian authority could halt the surveillance, continue the surveillance through its own laws and technology, or simply consent to the continuation of the German monitoring. The CSP would simply follow the option chosen by the Italian official.
One other initiative may rescue CSPs from the surveillance jurisdiction trap. The U.S. and Great Britain are negotiating an agreement that would permit an LEA in either country to order surveillance by a CSP in the other country. The arrangement would avoid the MLAT process, which is widely considered slow and unreliable. At the same time, it would guarantee a common baseline of due process and privacy protection. Success in this legal experiment could persuade other democracies to follow suit.
Different impacts on different networks
Any analysis of a CSP’s international surveillance law obligations must examine not only the surveillance laws in the governing jurisdictions but the composition of the CSP’s network. Different network architectures require different types of surveillance solutions, and some solutions offer more flexibility than others for purposes of choosing the country or countries where they are deployed. In United States v. Rodriguez-Serna, the CSP operated a traditional wireless network, where communications were captured at a mobile switching center in Mexico. A hosted VoIP provider might house its surveillance solution in the data center where its subscriber communications are processed, even though the CSP serves subscribers in other jurisdictions. A satellite operator might deploy its intercept access point in any of numerous countries covered by its service footprint.
In light of the above complexities, an international CSP should design its surveillance law compliance strategy in close coordination with a surveillance law expert and a communications engineer, with all conversations protected by a nondisclosure agreement. Otherwise the CSP could end up spending a lot of money on a compliance plan that does more legal harm than good.
Maybe one day lawyers will reconcile all the surveillance law conflicts in the world. Of course, that could take a while.
August 5, 2019
IS RICH COMMUNICATION SERVICE SUBJECT TO THE CALEA LAWFUL SURVEILLANCE STATUTE?
The wireless communications industry is increasingly deploying a new service known as rich communication service, or “RCS.” If RCS is subject to the Communications Assistance for Law Enforcement Act (CALEA), wireless carriers deploying RCS must equip the service with technical capabilities for lawful electronic surveillance. Is RCS covered by CALEA?
RCS is a Next-Generation Form of SMS/MMS
RCS is the next generation of text messaging, formally known as short messaging service or SMS, and its more robust relative, multimedia messaging service or MMS.
By upgrading SMS/MMS with more interactivity, RCS lets subscribers start a group chat, share files of any type during a communication, set “read receipts,” and use “phonebook polling” (to see if the subscriber’s friends have RCS).
Criminals, terrorists and hostile nations can presumably use RCS in their nefarious activities. Hence the question: do RCS providers have an obligation under CALEA to build technical capabilities into their networks for lawful surveillance?
Is SMS/MMS Subject to CALEA?
CALEA was enacted in 1994, long before the widespread adoption of SMS/MMS. As those texting services gained popularity, neither law enforcement nor industry petitioned the Federal Communications Commission to determine whether the services were subject to CALEA. They didn’t need to. SMS/MMS providers found a low-cost, efficient way to build surveillance capabilities into their services, and the wireless industry decided to include the capabilities in its CALEA wireless “safe harbor” technical standard as an option for individual competitors to adopt as they saw fit. Consequently, wireless carriers were generally able to deliver SMS/MMS lawful intercept capabilities to investigators in response to court surveillance orders.
That said, whether SMS/MMS is subject to CALEA remains unsettled. Some lawyers argue that SMS/MMS falls within CALEA’s exemption for “electronic messaging services.” That exemption was meant for email. Both SMS/MMS and email produce messages in the form of text. But other legal experts cite fundamental architectural differences between the two services. At any rate, the fact remains that some major wireless carriers, and perhaps many smaller players, provide SMS/MMS interception as part of their CALEA-compliant solutions.
Meanwhile, providers of texting services transmitted through the internet, as opposed to wireless networks, can sidestep the debate over the definition of electronic messaging services. The online competitors avoid CALEA obligations due to the statute’s separate exemption for “information services.”
RCS is Subject to CALEA
The FCC has not addressed whether CALEA covers RCS. On first impression it may seem appropriate to group RCS in the same ambiguous CALEA category as SMS/MMS. However, a close examination of the service compels a more decisive result. RCS messages are transmitted through the same SIP signaling as current-generation voice calls, namely VoIP, and routed by the same network equipment as VoIP (e.g., session border controllers). In fact, from the network’s point of view, RCS is a phone call. Furthermore, during an RCS session, one can switch between voice and non-voice communications, or even share them simultaneously. Thus, RCS is an extension of “two-way interconnected VoIP,” a service that is expressly under CALEA.
The following summarizes the relevant FCC analysis.
The FCC’s First Report and Order and Further Notice of Proposed Rulemaking in ET Docket No. 04-295, released September 23, 2005 (the “CALEA Broadband Coverage Order”), ruled that two-way interconnected VoIP is subject to CALEA. At paragraph 39, the CALEA Broadband Coverage Order reasoned that:
is covered by CALEA for all VoIP communications, even those that do
not involve the PSTN. Furthermore, the offering is covered regardless of
how the interconnected VoIP provider facilitates access to and from the
PSTN, whether directly or by making arrangements with a third party.
By this logic, the CALEA coverage determination hinges on the “capability” of the given service, regardless of whether or how customers use that capability.
Because RCS operates using SIP signaling, RCS has just the kind of capability that the CALEA Broadband Coverage Order defined as two-way interconnected VoIP and subjected to CALEA. Therefore, carriers offering RCS must apparently equip the service with CALEA capabilities, regardless of whether subscribers use RCS to make VoIP calls.
Note that in addition to passing messages as text, an RCS user can pass presence information, location information, audio files, video clips, pictures, and files of any type. This information is considered part of the communication and therefore must be produced as part of a “full-content” interception.
Wireless RCS Providers Should Add CALEA Capabilities
Wireless and other VoIP providers would be wise to adopt the same pragmatic CALEA strategy for RCS as they chose for SMS/MMS. Once an RCS service is equipped with intercept capabilities, the service provider can implement court surveillance orders without fear of penalties from the court or the FCC.
Industry could give its members even more legal safety by writing RCS capabilities into its safe harbor CALEA standard, just as they did for SMS/MMS. The safe harbor process helps ensure that a carrier’s surveillance work complies with CALEA, protects the communication privacy of non-suspects, and avoids harm to network evolution.
May 10, 2019
SHOULD ADVANCED COMMUNICATIONS NETWORKS INSTALL LAWFUL SURVEILLANCE CAPABILITIES?
Facebook recently announced a major redesign of its social media platform that will accommodate more advanced communications. Other high-tech competitors, including website operators, app developers, and handset vendors, have likewise introduced new ways to communicate. Unlike traditional communications carriers, the advanced providers are not subject to the CALEA lawful surveillance mandate. Should they be?
The Scope of Communications Providers Covered by CALEA
When CALEA was enacted in 1994, the statute applied to traditional telecommunications carriers. Think plain old telephone service, cellular radio, and other common carrier offerings such as satellite phone service. At the time, federal legislation was needed because the complexities of cellular signaling frustrated lawful surveillance. The statute therefore required all “telecommunications carriers” to facilitate court-ordered surveillance by installing technical capabilities for interception in their networks. A telecommunications carrier was defined as an entity that provided “transmission or switching” of electronic communications.
The 1994 Congress was aware of the internet. But because the new computer-based medium was not used significantly by criminals, and because political leaders wanted to let the nascent technology grow unfettered by regulation, they limited CALEA by exempting “information services” and “electronic messaging services.” The latter category referred to email.
Since then, CALEA has never been amended. However, in 2005 the FCC broadened its interpretation of CALEA to include two internet-age services: broadband access and two-way interconnected VoIP.
The New Communication Service Providers
After 2005 the internet continued to evolve. Facebook is a good example. Its latest overhaul will facilitate more personalized, privacy-focused communications for individuals and groups. Users will find it easier to make new friends, coordinate social events, apply for jobs, and navigate the dating world. End-to-end encryption will be more uniformly applied. In the process, Facebook will unite its wildly popular apps for text messaging, voice communications, photo-posting, and video sharing (currently branded as Messenger, WhatsApp and Instagram) and make them more user-friendly. Less attention will be devoted to Facebook’s impersonal and unsecured “News Feed” broadcasts to the world.
Facebook is hardly the only communications innovator. For years Google Voice has offered a suite of messaging, telephony and voice mail, while Google Hangouts has carried messaging and videoconferencing. Apple provides similar services on its iMessage platform. With Twitter, Tumblr and Reddit, users can upload multi-media content to the internet and exchange comments on the digital creations. Snapchat is an app that lets a user decide how long a message, photo, or video will appear on the recipient’s device before it automatically disappears. A cross-platform app called Signal provides end-to-end encrypted messaging, voice communication, and video calling.
The Resulting CALEA Coverage Divide
None of the above-described new communications providers say they are subject to CALEA. They contend that because email is a CALEA-exempt “electronic messaging service,” the same exemption applies to text messaging, multi-media messaging, and rich communication services. But legal experts in law enforcement may disagree. To them, putting advanced messaging beyond the reach of CALEA only hinders investigators from accessing the data they need to solve crimes. Congress or the Federal Communications Commission could resolve the legal ambiguity. But so far neither authority has addressed the issue.
Where a messaging service is provided via an “over-the-top” app, as opposed to a wireless carrier, the argument for CALEA exemption grows stronger. First, the app developer could assert that because it does not provide “transport” or “switching” of electronic communications it is not a CALEA telecommunications carrier. Next, the developer could claim it offers an exempt information service, no different for CALEA purposes than an internet search, browsing, or web site service. Finally, the entrepreneur could seek refuge under the electronic messaging service exemption.
No doubt criminals and terrorists know which communication networks are equipped for lawful surveillance. The more sophisticated bad guys go to extremes to keep their conversations concealed from investigators. Nevertheless, in the case of advanced communication services, even a valid court order for surveillance may be impossible to implement if the targeted network lacks CALEA-prescribed technical capabilities.
Exacerbating the problem for law enforcement is the spread of end-to-end encryption. There is no one place in such a communication path where the voice or text is converted to plain text, so there is no place where a lawful intercept can capture the communication in a readable form. FBI agents have asked Apple and Facebook to decrypt suspect communications to help solve investigations. But the high-tech titans refused. Neither entity is a CALEA telecommunications carrier. Even if they were subject to CALEA, the statute would not prevent them from securing communications with impenetrable encryption. It is already common for networks to facilitate encryption in a way that even the network owners cannot decrypt.
The proliferation of non-interceptable communications services has caused law enforcement to complain they are “going dark.” The fear is that many suspects may be communicating entirely without detection. If left unaddressed, the problem may ultimately be called “going into a black hole.”
Another consequence of the surveillance-stunting trend is that the communications industry now lives in a regulatory divide. Some service providers are required by CALEA to install technical capabilities for lawful surveillance while their competitors are not. This type of disparity is unknown in most, if not all, foreign jurisdictions. In countries from Canada to the European Union, Australia, and Brazil, the surveillance statutes contain no exemptions for information services or electronic messaging. To those nations, CALEA must look like an ancient relic.
Closing the CALEA Coverage Divide
CALEA is now 25 years old. The internet is no longer a nascent service free from significant criminal or terrorist use. On the contrary, the nefarious actors presumably exploit the most advanced internet-based techniques to plan and execute their schemes. This is reason enough, for public-safety-minded people, to close the CALEA coverage divide. Congress could do so by updating the old statute.
On the other hand, updating CALEA is not as easy as repealing the exemptions for information services and electronic messaging. The statutory definition of “telecommunication service” does not fit social media networks, handset vendors, or app developers. Some of those cutting-edge innovators have no physical presence in the U.S. and therefore may not even fall within U.S. jurisdiction. Others may lack access to a suspect’s communications content or metadata. Yet another issue: the advanced entities generally operate beyond the jurisdiction of the FCC, the regulator that implements and enforces CALEA.
Even if the CALEA coverage gap is closed, end-to-end encryption would continue to stymie law enforcement investigations. Law enforcement agencies worldwide want lawful access to suspect communications in plain text. But private sector experts warn that industry should not create such decryption “back doors” because doing so would compromise the privacy and security of innocent communications.
Congress has the authority to prevent law enforcement from going dark. Ideally, the lawmakers should preserve law enforcement’s ability to conduct lawful surveillance, return industry to a level regulatory playing field, and strictly protect user privacy.
March 18, 2019
HOW WOULD A NEW NATIONWIDE PRIVACY LAW IMPACT COMMUNICATION SERVICE PROVIDERS?
Congress may soon adopt a statute to provide nationwide privacy protection for personal information collected online. How would the new law affect communication service providers (CSPs)?
State privacy initiatives are pushing Congress to enact a nationwide privacy law
Companies that provide services through the internet commonly collect records containing personal facts about their customers. Meanwhile, the service providers increasingly sell those records to third parties, especially for marketing purposes. No one nationwide law protects the privacy of the personal data. Privacy advocates have called for a national privacy law, but in the absence of congressional action, individual states have taken matters into their own hands. Last year California adopted a strong privacy law, and other states have signaled their intent to follow suit. The specter of 50 different privacy mandates has provoked anxiety in the business community.
Arguably, the pro-privacy trend in America was inspired by a strong European privacy law called the General Data Protection Regulation (GDPR), which gained approval in 2016 and took effect in 2018. The GDPR gave “data subjects” the “fundamental right” to decide how their personal information is “controlled” and “processed.” Fines for breaches of the GDPR were set as high as four percent of a violator’s annual revenue. Since the advent of GDPR, many non-European nations have decided to craft similar nationwide privacy laws. Experts believe the widespread legislation could make the GDPR a global standard.
In response to the above policy tensions, congressmen have proposed nearly a dozen privacy laws that would apply nationwide and potentially preempt the state initiatives. The proposals would generally protect the privacy of all Americans who disclose personal information in their online transactions. Some of the legislative approaches would give consumers a privacy-protecting “bill of rights” similar to the GDPR. Other draft statutes would focus more on cyber security and data breach notices. Most of the legal schemes would be implemented through the Federal Trade Commission (FTC).
CSPs already operate under a nationwide privacy law: the SCA
CSPs use online-generated records to register and serve subscribers. These service providers already follow legal guidelines to protect the privacy of the records and disclose them in response to due process requests from law enforcement. The records-management policies are governed by the federal Stored Communications Act (SCA).
How would a new nationwide privacy law be reconciled with the SCA?
A new nationwide privacy law would likely parallel the SCA
None of the data privacy laws percolating on Capitol Hill would abolish or limit the SCA. Instead, the privacy measures would co-exist with the SCA. As a result, CSPs would continue to receive investigative requests from law enforcement. However, a mistake in handling subscriber records could subject the CSP to liability under both the new law and the SCA.
Reviewing a sample of the pending privacy bills reveals the potential interplay between those legal frameworks and the SCA.
The proposed Consumer Data Protection Act (S. 2188) would govern companies that use the internet to collect and share consumer data. It would instruct the FTC to establish a national “Do Not Track” website, similar to the existing “Do Not Call” site, so consumers may opt out of unwanted online marketing. The Act would not cover:
by law; … disclosures made pursuant to an order of a court or administrative tribunal; … disclosures made in response to a subpoena, discovery request, or other lawful process …. or … disclosures made to investigate, protect themselves and their customers from, or recover from fraud, cyber attacks, or other unlawful activity ….
A violation of the Act could trigger an FTC investigation and a fine totaling up to $25 million. In addition, an aggrieved consumer could pursue a private cause of action to recover damages, including punitive damages in egregious cases.
Under the Consumer Data Protection Act, if a law enforcement agency serves a CSP with a valid subpoena for a suspect’s subscriber records, the CSP would be required by the SCA to disclose the records, and the disclosure would be exempt from the Consumer Data Protection Act. However, if the CSP sends a subscriber a marketing message despite the person’s Do-Not-Track command, the CSP could be liable under both the SCA and the Consumer Data Protection Act.
The proposed Information Transparency & Personal Data Control Act (H.R. 6864) would generally govern web site “operators” engaged in the collection and sale of “sensitive personal information,” including financial information. Among other things, the bill would require the operators to: (a) give customers notice and a right of opt-in consent to the use of the sensitive data; and (b) observe policies to protect the privacy and security of the data. The bill would exempt sensitive data uses when the operators are “responding in good faith to valid legal process.” In an enforcement proceeding the FTC could levy a fine of up to $40,000.
Under this statutory formula, suppose a law enforcement agency sends a CSP a valid subpoena to learn a suspect/subscriber’s credit card payment information. Under the SCA, the service provider would properly disclose the credit card details. And because this sensitive personal information would be delivered in response to valid legal process, the disclosure would be exempt from the Information Transparency & Personal Data Control Act. Nevertheless, if the CSP were to sell the credit card data to an internet data broker, the seller could be punished under both the SCA and the Information Transparency & Personal Data Control Act.
The congressional privacy bills that focus on cyber security and data breaches would likewise apply independently of the SCA. For example, if someone were to hack into a CSP’s customer care database and delete subscriber records, the service provider might suffer penalties under both the data breach law and the SCA.
CSPs should prepare to meet both a new nationwide privacy law and the SCA
Congress is responding to growing public pressure for a nationwide data privacy law. The planned national privacy law may parallel some or all of the GDPR. So far, the question for CSPs is not whether such a national law would reduce their obligation to meet the needs of law enforcement. It would not. The new law would likely exempt valid SCA disclosures.
The greater concern is how CSPs would cope with any new privacy law layered atop the SCA. In an age of dual federal privacy regimes, a privacy violation could subject a CSP to two federal enforcement actions. CSPs should therefore prepare their privacy programs for a new source of potential liability.