The Electronic Communications Privacy Act of 1986 (ECPA), together with the Stored Communications Act (SCA), establishes statutory privacy rights for individuals in their electronic communications and regulates the process by which the US government may obtain access to wire, oral, and electronic communications in transit and in storage.1 The legal process for obtaining communications is keyed to the sensitivity of the data at issue. For example, the government must obtain a warrant to compel a service provider to provide the content of stored emails, but can use a court order demonstrating that the information is relevant to an ongoing investigation to obtain less invasive subscriber account information. These standards can change as technology evolves.2
In addition to establishing the procedures for required disclosure of customer communications or records, the SCA sets forth limits on the voluntary disclosure of information. The SCA prohibits service providers from voluntarily disclosing the contents of communications or records pertaining to their customers without sufficient legal process, absent certain exceptions such as a good faith belief that certain emergencies require disclosure or the lawful consent of the originator or recipient of the communication. The concept of “consent” in this context has changed over time.3
In 2018, Congress enacted the Clarifying Overseas Use of Data Act of 2018 (the CLOUD Act), amending the SCA to address the situation of data stored outside the United States.4 Under the CLOUD Act, a provider of an electronic communication service or remote computing service generally must comply with valid legal process requesting the information under its control, regardless of whether the information is stored in the US or abroad. However, there are a number of avenues for providers to challenge such requests, such as if the request violates principles of international comity (including if complying with the request would violate the laws of the country where the information is stored).
1 See 18 USC §§ 2510-2523 (ECPA); 18 USC §§ 2701-2713 (SCA).
2 Id. § 2703.
3 Id. § 2702.
4 Clarifying Lawful Overseas Use of Data Act, Pub. L. No. 115-141 § 105, 132 Stat. 866 (2018).