The founders of the United States existed in a time long before the technology revolutions of the 20th and 21st centuries. These men and women understood the world of technology as one or two important innovations during a lifetime. Thus, as the founding documents were being crafted and the role of Congress was being debated, no one was overly concerned at the possibility Congress would be unable to enact legislation at a speed needed for a changing world. Moreover, no one would have imagined a Congress willingly ceding power to a growing Executive branch. The failure of Congress to enact meaningful legislation addressing the balance between data privacy and national security is a particularly vexing example. Passing the International Communications Privacy Act (ICPA) will be an important step in the right direction.
Over the past 70 years we have witnessed a massive growth in the power of the President through the creation and expansion of Executive branch agencies which have, in some cases, usurped the lawmaking duties of Congress. In some ways this makes perfect sense. As our nation has grown and evolved, we simply cannot wait for Congress to act as our society evolves at a rate that would have shocked our founding mothers and fathers.
This, however, has led to unnecessary legal and policy complications. The quintessential example of this is the current debate surrounding the ICPA. The current governing law for data privacy – Electronic Communications Privacy Act (ECPA) – was passed in 1986 and has since been constantly debated. The difference in technology today compared to 1986 is as pronounced as the muskets our forefathers used compared to a drone firing a hellfire missile in Iraq while being piloted in Utah. In fact, many Congressional staffers working today are so young they have no working knowledge of a floppy disk or dial-up modem circa 1986. As Microsoft President Brad Smith recently wrote “The current laws were written for the era of the floppy disk, not the world of the cloud.”
Instead of Congress taking up the issue, it has relied upon legal challenges to the old law, or various Administrations making marginal tweaks through Executive action. Thus, not surprisingly, myriad issues have emerged due to the incredible rate of technological innovation and our inability to create thoughtful legislative remedies. For instance, the Supreme Court recently agreed to see a case involving Microsoft Corporation and its fight to protect its data being stored in Ireland from being seized by the US federal government.
Of particular interest to many on both the political left and right is the issue of safeguarding personal data online. In 1986, the main privacy concern of most computer users involved a misplaced floppy disk at the office. However, technology firms today, both large and small, are facing an incredible challenge balancing innovation with privacy and security. This, coupled with the antiquated legal guidelines, can have a stifling effect on technological growth. Much of our data today is stored, not on home or office computers, but in the cloud, a network of remote servers spread throughout the world that allows us to access data from literally anywhere. This, coupled with national security concerns following 9/11, has created an atmosphere of distrust in both government and technology firms’ ability and/or desire to protect American’s privacy. We saw this during the debates surrounding the USA PATRIOT Act, which affected aspects of the ECPA.
The bipartisan ICPA (Senators Hatch – R and Coons – D) goes along way toward removing the ambiguity that has lead to numerous legal challenges because it creates a clear framework for determining whether and when U.S. law enforcement can access an individuals electronic communications, regardless of where those communications are stored. This will provide a much needed set of objective and clear standards for data privacy which will relieve some stress from the clogged federal courts. For example, this bill requires officials to obtain a warrant to access the contents of electronic communications stored with electronic communication service providers and remote computing service providers. It also clarifies that a provider receiving a warrant for the contents of electronic communications must produce responsive contents in its possession, custody, or control regardless of where the contents are stored.
Congress should have been working since 9/11 to craft a comprehensive piece of legislation that addresses the tension between national security and data privacy from a 21st Century framework. Congress has finally done that with the International Communications Privacy Act. While it certainly is not perfect, no legislation is perfect, it is a welcome attempt by Congress to reclaim its Constitutional role in making the laws of America while addressing the problem of data security and privacy in an era of cloud computing, artificial intelligence and a dizzying pace of innovation.