California, home of many of the world’s largest technology companies, has long been at the forefront of protecting personal electronic information in the United States. California adopted the nation’s first data breach notification law, led the nation in requiring website privacy statements, and actively enforces online privacy. On October 6, 2015 Governor Jerry Brown signed SB 178, the Electronic Communications Privacy Act (CalECPA), taking another step further by requiring California law enforcement agencies to obtain a warrant and notify the subject(s) of the warrant before acquiring electronic information.
It was also on October 6, 2015 that the European Court of Justice ruled that the United States – European Union Safe Harbor, which facilitated the electronic transfer of electronic information between the European Union and the United States, is invalid. In large part, the decision was based on the perception that United States law does not adequately safeguard the personal information of European citizens. CalECPA is a move toward congruence with the privacy rights of citizens of the European Union (and other countries like Switzerland, Canada and Israel).
Specifically, CalECPA requires any state law enforcement agency or other investigative entity to obtain a warrant before requiring a business to turn over any metadata or digital communications–including emails, texts, and documents stored in the cloud. The new law also requires a warrant to search or track the location of electronic devices like mobile phones.
California State Senator Mark Leno of San Francisco introduced SB 178 in an effort to update California law to reflect the reality that technology and data storage have affected existing laws that protect privacy and free speech. According to Senator Leno:
The California legislature has long been a leader in enacting laws to properly balance the rights of Californians as technology advances. But California’s statutory protections for electronic information is now very outdated. SB 178 updates existing federal and California statutory law for the digital age and codifies federal and state constitutional rights to privacy and free speech by instituting a clear, uniform warrant rule for California law enforcement access to electronic information, including data from personal electronic devices, emails, digital documents, text messages, metadata, and location information. Each of these categories can reveal sensitive information about a Californian’s personal life: her friends and associates, her physical and mental health, her religious and political beliefs, and more.
What it means to internet service providers and other businesses
CalECPA applies only to California law enforcement entities; other states are bound by the laws in their jurisdictions. If a California law enforcement agency or other investigative agency seeks electronic information from a business, it must first obtain a warrant and notify the individuals targeted by the warrant.
Federal law already requires a warrant to acquire electronic communication content. CalECPA goes further, requiring a state government to obtain a warrant in order to gain access to electronic information, including both content and metadata. Metadata–which does not necessarily contain personal information–can be used to recreate personal data. The inclusion of metadata in SB 178 closes this technological loophole to some extent. While the restrictions on acquiring electronic content are absolute, CalECPA grants some leeway in the disclosure of metadata.
A warrant under CalECPA must “describe with particularity” the information sought by identifying the target and requires any information obtained under the warrant but unrelated to the warrant’s objective “shall be sealed and not subject to further review, use, or disclosure” without a separate court order.
When a service provider voluntarily shares electronic communication or subscriber information, which is authorized by CalECPA, the government entity receiving the information must destroy the data within 90 days–unless it has obtained specific consent from the sender or recipient of the electronic communications, it obtains a court order, or if the government reasonably believes the information is related to child pornography and retains the information within a “multiagency database” on child pornography or related investigations.
Subpoenas are permissible only if the information is not requested in the context of a criminal investigation or prosecution.
Exceptions to the warrant requirement
There are four general exceptions to CalECPA warrant requirement:
- the authorized possessor or owner of the information has specifically authorized its disclosure;
- the device containing the information is taken from an inmate of a correctional facility;
- the situation is an emergency involving danger of death or serious physical injury;
- the device is believed to be lost, stolen, or abandoned – and then the exception exists only if access is sought in order to “identify, verify, or contact the owner or authorized possessor of the device.”
The last two exceptions are qualified by the requirement that the governmental body act in good faith. Additionally, in emergency situations government agents must file an application for a warrant or other authorization within three days of obtaining the electronic data.
When a warrant is executed or electronic information is obtained in emergency cases, CalECPA requires the governmental entity to notify “the identified targets of the warrant or emergency request.” The notice to the individuals must state “with reasonable specificity the nature of the government investigation.” In addition, the notice must include a copy of the warrant (or a written statement with facts to support the declaration if it is an emergency case). The notice must be provided to the recipient at the same time as the warrant’s execution, or three days after the data is collected when it’s an emergency case.
When there is not an identified target involved, the government must submit all of the same information required for notice (or delay of notification) to the California Department of Justice, which will then publish all those reports within 90 days of receiving them. Personal identifying information may be redacted.
Notice can be delayed
The government may seek a court order delaying notification and limiting a notice recipient’s authority to notify other parties that information has been sought, but the court retains the authority to determine whether there is “reason to believe that notification may have an adverse result.” Under CalECPA, an “adverse result” includes: danger to life or individual safety, flight from prosecution, destruction of or tampering with evidence, intimidation of potential witnesses, and serious jeopardy to an investigation or undue trial delay. If notice is postponed, it cannot exceed 90 days unless the court authorizes further extensions, each for 90 days at a time.
Once the grant of delayed notice expires, the government must provide notice with the requirements described above and must give the identified targets a document with a copy of all electronic information obtained or a summary of the information. This must include “the number and types of records disclosed, the date and time when the earliest and latest records were created, and a statement of the grounds for the court’s determination to grant a delay in notifying the individual.”
Targeted individuals’ rights
The last section of the statute allows any individual involved in a judicial proceeding to move to suppress any information “obtained or retained in violation of the Fourth Amendment” or in violation of CalECPA. Any individual whose information is targeted by a warrant or other court authorization that is inconsistent with the statute may petition to have the authorization voided or modified, or to have the information destroyed. The individual may also petition to have information destroyed that was obtained in violation of the bill or the U.S. or California state constitution. Finally, the bill provides that the state Attorney General may bring a civil action to compel government compliance.
CalECPA is intended to protect the privacy of Californians by requiring state law enforcement to provide a warrant for obtaining digital records, which include emails and texts, as well as the user’s location. These protections apply to personal electronic devices and to services that store personal data. Service providers that collect and store personal, digital information should be aware of how and when CalECPA requirements apply to them.
Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.
Michael A. Gold is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Known for both legal expertise and an understanding of technology, he works with Boards of Directors, C-Suite executives and IT directors to address cyber risks. He advises clients on domestic and international requirements for information privacy and security. He represents companies in complex litigation and arbitrations, including class action defense actions connected with data breach and privacy claims. Contact Mike at MGold@jmbm.com or +1 310.201.3529.