A bipartisan group of lawmakers has introduced proposed legislation that would impose substantial restrictions on government surveillance and access to data. The Government Surveillance Reform Act (“GSRA”) is a comprehensive privacy reform bill that would: (1) reauthorize and reform Section 702 of the Foreign Intelligence Surveillance Act (“FISA”); (2) revise other aspects of FISA; and (3) amend the Electronic Communications Privacy Act (“ECPA”). While media reporting on the bill has largely focused on reforms relating to FISA Section 702, which will sunset unless it is reauthorized by December 31, this post addresses the substantial changes that the GSRA would make to ECPA. ECPA addresses wiretapping, access to stored electronic communications, and the use of pen registers and other devices to collect information. If passed, the GSRA would be the most significant overhaul of ECPA since its enactment in 1986.
Businesses should pay close attention to this bill as the end of the year approaches because it would meaningfully alter the rights and obligations of entities already subject to ECPA and extend parts of ECPA to additional entities that it does not currently affect. The GSRA would:
- Greatly expand the scope of companies covered by ECPA to include any online service provider, regardless of whether a company is an ECS, RCS, or their subcontractor
- Require a warrant for stored content, search queries, geolocation data, and vehicle data
- Prohibit U.S. law enforcement from purchasing personal data from data brokers
- Exempt congressional subpoenas from ECPA, allowing political officeholders to subpoena the communications and personal data of U.S. persons without any statutory protection
Notable Changes to the Stored Communications Act
Among the most important changes in the GSRA would be to expand the scope of Title II of ECPA, commonly referred to as the Stored Communications Act (“SCA”). The SCA defines the circumstances in which covered service providers may voluntarily disclose stored user communications and data, and in which a governmental entity may compel a covered service provider to disclose such communications and data. In its current form, the SCA applies to providers of electronic communications service (“ECS”) and remote computing service (“RCS”). Generally, an ECS is any service that enables users to send or receive wire or electronic communications, whereas an RCS provides computer storage or processing services to the public via an electronic communications system.
The GSRA Would Extend the SCA to Many More Online Businesses
- Compelled disclosures to governmental entities: The GSRA would extend the SCA’s restrictions on government access to user communications and information to a much wider range of entities that hold such data. The Act would add a new category of service providers to the SCA’s provision governing compelled disclosures to governmental entities: online service providers (“OSP”). The Act defines OSP to include not only ECS and RCS providers, but also any other provider of an interactive computer service (“ICS”), following the definition in the much-discussed Section 230 of the Communications Decency Act. That definition broadly applies to “any information service, system, or access software provider that provides or enables computer access by multiple users to a computer server.” Court decisions interpreting and applying Section 230 make clear that the definition of ICS includes many online services beyond ECS and RCS providers, including website operators, e-commerce platforms, and information services sites, among others.
- Voluntary disclosures: The GSRA would subject a new category of service providers, intermediary or ancillary service providers (“IAS providers”), to the SCA’s general prohibition on voluntary disclosures of user communications and data to third parties. The Act defines IAS provider to include any entity or facilities owner or operator that directly or indirectly delivers, transmits, stores, or processes any communications or other covered personal data for or on behalf of an ECS, RCS, or OSP. IAS providers would include, among other things, cloud storage services that hold and process data on behalf of other SCA-covered providers.
The GSRA Would Require a Warrant for Additional Forms of Data
The GSRA would heighten protections for user data by requiring the government to obtain a warrant to compel disclosures of data previously obtained under other forms of legal process, such as court orders and subpoenas.
- The GSRA would effectively codify the Sixth Circuit’s landmark decision in Warshak v. United States, 631 F.3d 266, 288 (6th Cir. 2010), which held that the Fourth Amendment requires law enforcement to obtain a warrant to compel the disclosure of the contents of user communications. Under the GSRA, governmental entities would generally need a warrant to obtain a user communication regardless of (1) whether the user receives advance notice of the legal demand; or (2) the form or duration of the communication’s storage. Certain categories of communications would be exempt from the warrant requirement, however, such as disclosures by businesses of internal communications and online advertising communications.
- Law enforcement would also generally need a warrant to compel the disclosure of other sensitive forms of information, including location information, web browsing records, online search queries, and covered vehicle data. The GSRA would codify and arguably extend the protection provided to certain location information by the Supreme Court’s landmark decision in Carpenter v. United States, 138 S. Ct. 2206 (2018). Covered vehicle data encompasses a wide range of data processed and stored in a vehicle, including navigation data, images captured by onboard sensors, and event data. In requiring a warrant for these record types, the GSRA narrows the scope of information government entities may obtain with a court order.
- The GSRA would also add new provisions permitting the government to use a warrant to compel a provider to disclose prospective location data and web browsing information. Most providers currently take the position that production of such prospective data requires a greater showing than mere probable cause, such as that needed for a wiretap order. This requirement would present a compliance issue for companies that do not currently have the capability to easily produce such information.
- While the GSRA would retain the SCA’s provision allowing governmental entities to obtain basic subscriber information with a subpoena, the GSRA would prohibit law enforcement from compelling the disclosure of such information with a subpoena unless the subpoena specifies a name, address, temporary network address or account identifier associated with the target. This amendment would ensure that government subpoenas can be used only to compel the disclosure of data associated with particular individuals or accounts, but not data entitled to higher protection. Thus, a subpoena seeking the name of every user who downloaded an app or searched for an address, or a subpoena containing another similar subject matter parameter, would not be permitted.
Law Enforcement Would be Prohibited From Purchasing Data on U.S. Persons
The GSRA would close an existing loophole in ECPA that allows governmental entities to purchase personal data from data brokers. Under the GSRA, the government would generally not be permitted to purchase the personal data of U.S. persons (i.e., U.S. citizens and lawful permanent residents) or people reasonably believed to be located inside the United States.
Congressional Subpoenas Would be Exempted
The GSRA would remove current limitations ECPA places on congressional subpoenas. Under existing law, Congress may use a subpoena to compel a provider to produce non-content user information but cannot obtain the contents of communications with any legal process. The GSRA would expand Congress’ subpoena power by allowing it to bypass the statutory warrant requirement to compel OSPs to produce communications contents, location information, web browsing information, and online search queries, subject only to constitutional restrictions. This provision is one of the few that reduces privacy protections thought to apply under the current version of ECPA, and theoretically exposes individuals’ private communications and location data to partisan congressional subpoenas.
Other ECPA Changes
The GSRA would make several other changes to ECPA, such as removing “local and long distance telephone connection records” from the list of basic subscriber information that the government may obtain pursuant to a subpoena, meaning that the government would need a warrant or court order to compel the disclosure of such data. The GSRA would also harmonize ECPA’s pen register provision with the SCA’s provision for court orders compelling the disclosure of similar metadata in stored form. If adopted, this change would require the government to support a pen register application with a certification of specific and articulable facts showing there are reasonable grounds to believe that the information to be obtained is relevant and material to an ongoing criminal investigation.