The Need to Modernize Data Privacy Laws for the Cloud Computing Age
Current digital privacy law—the Electronic Communications Privacy Act (ECPA)—was enacted in 1986, before the invention of the web and the emergence of global cloud computing. Simply put, U.S. law no longer reflects today’s technology, with data accessed, transferred, and stored all across the world.
Because of outdated laws, technology users are less assured of privacy protection, which is eroding trust in cloud computing. In addition, U.S. law enforcement has legitimate needs to access data anywhere in the world in the course of its investigations. But current law does not adequately define how data can be accessed overseas, and access can create conflicts with the laws of other nations.
Congressional action is needed to address the current legal uncertainty, which poses substantial challenges for consumers, businesses, the tech sector, and law enforcement. Fundamentally, this is a legal and policy issue—not a technical matter.
In a July 2016 U.S. Court of Appeals ruling in a case in which Microsoft challenged the U.S.’s request for private data held in Ireland, the three-judge appellate panel ruled that existing laws did not give U.S. law enforcement the authority to issue warrants extraterritorially. The court’s decision underscored the “need for congressional action to revise a badly outdated [digital privacy] statute.”
In January 2017, the Court of Appeals denied the government’s request for an en banc rehearing, leaving the decision in place—and allowing the government to petition the U.S. Supreme Court. The U.S. Department of Justice then filed to have the case heard by the Supreme Court. In October, the Supreme Court granted the DOJ’s request to review the case. A court date has not yet been announced.
Regardless of how the high court rules, our nation’s outdated digital privacy laws still need to be updated to reflect today’s technology. In 2016, a bipartisan group of U.S. Senators introduced legislation—the International Communications Privacy Act (ICPA)—to modernize digital privacy laws that reflect today’s cross-border internet. This proposal represented a positive step forward. In summer 2017, bipartisan momentum continued as the U.S. Senate and House both re-introduced ICPA (S.1671; H.R.3718).
Voices for Innovation is supporting efforts to enact ICPA, which will provide a comprehensive legislative framework to protect privacy and provide law enforcement with the tools they need to pursue investigations worldwide.
- Microsoft on the Issues, “U.S. Supreme Court will hear petition to review Microsoft search warrant case while momentum to modernize the law continues in Congress,” by Brad Smith
- Microsoft, “Reforming laws: International Communications Privacy Act (ICPA)”
- Microsoft, “Legal cases: Microsoft’s Search Warrant Case”
- BSA | The Software Alliance video, “ICPA: The Update We Need to Modernize Digital Data Laws”
- Microsoft on the Issues, “ICPA: A much-needed legislative path to modernize outdated digital data laws,” by Brad Smith
- VFI blog post: Senate Hearing Highlights Need to Update Data Privacy and Access Laws
- “ICPA: A much-needed legislative path to modernize outdated digital data laws” by Brad Smith, Microsoft President and Chief Legal Officer
- A Twenty-First Century Framework for Digital Privacy, a Microsoft-supported project of the National Constitution Center
- Reform Government Surveillance
- Full Text of International Communications Privacy Act (ICPA) from the 115th Congress (2017-2018)
- Letter from 11 technology associations urging congressional support for ICPA
- “Our search warrant case: An important decision for people everywhere,” by Brad Smith
- In The Cloud We Trust: It’s Time to Rebuild the World’s Faith in the Technology That Empowers Us All, written by Brad Smith
- Deseret News: Op-ed: Utah’s tech renaissance threatened unless Congress acts to update archaic law
- FITS News: Steve Sherman: Lindsey Graham Should Stand For Privacy Rights
- Bloomberg BNA: Cloud Companies Hit Hard by Languishing Email Privacy Update
- Law360: Senate Hears Microsoft’s Take On Overseas Data Warrants
- Lawfare: Senate Judiciary Committee Hearing on Law Enforcement Access to Data Stored Across Borders
- International Association of Privacy Professionals: Reverse Microsoft v. US? Judiciary subcommittee wrestles with cross-border data sharing
- The Hill: DOJ pitches agreements to solve international data warrant woes
- Lawfare: Why Cross-Border Government Requests for Data Will Keep Becoming More Important
What Experts, Analysts, and Lawmakers are Saying
“Customers want their rights protected by their own country’s laws. Americans want that, citizens everywhere want that. So the fundamental challenge that we’ve been dealing with is concerns by other people that their rights are not being protected by laws when you have these extraterritorial warrants.”
– Brad Smith, president, Microsoft
“What we need is a sensible regime with clear rules that determine access based on factors that actually matter to the person whose data is being sought.”
– Senator Orrin Hatch (R-UT)
“Implemented in 1986, years before the cloud was even invented, the Electronic Communications Privacy Act (ECPA) is outdated and ambiguous and proving harmful to the success of our business, the trust of our customers, and the ability of law enforcement to do their jobs effectively. Because of the ambiguities codified within this statute, companies providing cloud services are caught precariously between international legal jurisdictions.”
– Jeff Hadfield, founder, 1564b
“Just how far around the world does a U.S. warrant reach? Obviously, it can’t reach across borders without another country agreeing to respect the warrant. If warrants are issued to other countries, will that impact the way South Carolinians feel about the safety from federal government eyes on their emails, pictures and data stored in the “cloud?” When the government has a legitimate interest in seizing data for national security purposes, do they have a way to get that data today or do they need new tools? Are there ways to seize data that they have no right to see? All of these issues should be explored at the hearing.”
– Steve Sherman, conservative commentator
“In order to accomplish this urgent requirement, it will require Congress taking the necessary legislative steps to allow it to happen… While we are starting with our closest ally, the framework may allow future expansion to other like-minded countries.”
– Homeland Security Advisor Tom Bossert
“It is essential to ensure that legal safeguards are maintained when reforming an existing model of cooperation such as the Mutual Legal Assistance Treaties. Otherwise, reform has the potential to weaken civil rights by seeking the lowest common denominator among systems.”
– Susan Vergnolle, assistant professor, Pantheon-Sorbonne University