On September 18, 2014, Senators Orrin Hatch, Dean Heller and Chris Coons introduced "The Law Enforcement Access to Data Stored Abroad Act" (LEADS), a bill that would amend provisions in the Electronic Communications Privacy Act (ECPA) relating to access to the content of communications in electronic storage. The bill mirrors, in part, amendments to the Electronic Communications Privacy Act which were reported by the Senate Judiciary Committee in 2013.
The LEADS Act would eliminate the current structure under ECPA that allowed the content of a wire or electronic communication that is in electronic storage to be obtained without a warrant in certain instances. Instead, a warrant—issued under the Federal Rules of Criminal Procedure or state warrant procedures—would now be required to obtain such content, regardless of how long it has been held in storage. The bill further attempts to provide authority for an extraterritorial warrant to obtain content stored outside the United States, but only if such content belongs to a U.S. person. As an additional safeguard, the issuing court shall modify or vacate the warrant if it finds that the warrant would require the violation of applicable foreign laws.
The bill recognizes that the extraterritorial use of search warrants involves exercising the provisions of the Mutual Legal Assistance Treaty (MLAT). As a result, the bill imposes streamlining and transparency measures that include the publication of statistics relating to MLAT requests for content of communications.
Finally, the bill includes a Sense of Congress that is aimed at foreign countries that have imposed or are considering data localization requirements on data providers. These requirements, which vary by country but generally impose geographic limits on where data pertaining to a country's citizens or businesses may be stored, have raised substantial concerns about the future of cloud services and the viability of even complying with such requirements in a global economy. According to the bill's section by section analysis, data localization requirements "are incompatible with the borderless nature of the Internet, an impediment to online innovation, and unnecessary to meet the needs of law enforcement."
Companies that rely on cloud services, operate on the Internet, or are electronic communications providers or remote computing providers all have a stake in this legislation and should monitor its progress through the U.S. Senate. This legislation, which will likely be considered with other ECPA bills, is additional proof that privacy and data security are hot issues in our nation's capitol. Affected companies, therefore, should ensure that all obligations, responsibilities and limits imposed on them by such legislation are clearly defined and reasonable, and do not undermine global communications and connectivity. For example, companies that may be asked to cooperate with law enforcement should seek clarity in any proposed exceptions to the warrant requirement, and companies potentially impacted by data localization requirements should ensure that legislators are mindful of the possible link between ECPA and surveillance reforms and more regulation by foreign countries.
The bottom line, as this domestic and international debate over privacy, surveillance and security continues, is that companies in all industries that are routinely assessing their data security and privacy policies and practices will be in a better position to respond to consumer, regulatory and political concerns.