After the bill sailed through the Judiciary Committee in April, the U.S. House of Representatives passed the Email Privacy Act by a vote of 419 to 0. The proposed act has overwhelming bipartisan support and is likely to be enacted.
Today, it would be difficult to find a company that does not use email. Most email providers store information—including your email conversations, shared documents, photos and other electronic content—via the Internet on a platform called “the cloud.” Right now, if the government wants to access personal communications stored in the cloud, it can simply ask the provider of email services for access, and the provider is free to comply.
The Email Privacy Act takes a bold leap by preserving the privacy of stored electronic communications—especially in the face of a government investigation. This act essentially seeks to make it harder for the government to obtain personal communications. It also provides cover for Internet service providers and electronic communication providers that otherwise would feel compelled to comply with the government’s informal requests for information. It requires the government to obtain a warrant or other court order to access this information.
The act prohibits Internet service providers, email providers and others who provide electronic communications services to the public from knowingly divulging contents of an electronic communication to the government. The legislation applies to both state and federal governments and requires governmental agencies to obtain warrants before obtaining “the contents of a wire or electronic communication that is in electronic storage with or otherwise stored, held, or maintained.”
As with most laws, there are many exceptions found in the Email Privacy Act that are likely to create confusion for businesses, their employees and their customers. Here are a few key points to know about this proposed law:
- Employer-provided email. Employees using company email need to know whether their email is protected. The act does not apply to employers that provide email accounts to employees for the purpose of carrying on the employer’s business. However, it does apply where employers use a separate service to provide email to their employees that the employers do not own, operate or control. If the act passes, employers may wish to clarify for employees whether company emails are protected from voluntary turnover to the government without a warrant.
- Avoid customer confusion. Companies that maintain data about subscribers and customers who visit their websites are not covered by the act, because they do not maintain the data “solely for the purpose of providing storage or computer processing services.” Many retail websites maintain information about subscribers and customers to facilitate the checkout process or to better market to the subscribers and customers. That information is not protected under the current version of the act.
- Review your terms of service. Subscribers and providers of electronic communication services and Internet access services should review their terms of service to determine whether the providers are subject to the Email Privacy Act. Providers that are “authorized to access (the) contents of … communications for purposes of providing services other than storage or computer processing” are not covered by the act. Terms of service that allow providers to access their customers’ email and data in order to provide those customers other services (possibly including advertising) would exempt those providers from the act. Savvy consumers are likely to use providers that they know are covered by the act, and non-covered providers may lose subscribers.
There are a number of additional exceptions to the scope of the act, including for Foreign Intelligence Service Act investigations, congressional subpoenas, and subpoenas and warrants targeted at authors of emails and creators of stored data. Additionally, providers would still be required to disclose certain pedigree information about their users, including names, addresses, telephone numbers, records of connection times and durations, length of service and types of services used, IP addresses and the source of payment for such services (including credit card and bank account numbers).
While the Email Privacy Act is still subject to Senate and presidential approval, given its overwhelming passage in the House it is expected to become law in close to its current form, at which time companies should review their agreements with email and electronic communications providers to make sure they understand what content is covered.
Curtis Johnson is an associate in the Rochester office of Bond, Schoeneck & King PLLC.
5/27/2016 (c) 2016 Rochester Business Journal. To obtain permission to reprint this article, call 585-546-8303 or email firstname.lastname@example.org.