US senators are backing legislation that would see the Electronic Communications Privacy Act (ECPA) amended to void law enforcement requests for offshore data that breach the laws of country where its is stored.
The bill tabled last week, Law Enforcement Access to Data Stored Abroad (LEADS) Act (PDF), aims to update three decade old ECPA.
The proposed changes would clarify that police warrants requesting electronic communications, such as emails, don't necessarily authorise the seizure of data stored in foreign countries.
The legislation would potentially help cloud service and email providers tasked with responding to police data requests as well as protecting the information of customers across the globe.
Earlier this month, tech giant Microsoft was held in contempt of court for not complying with a ruling that required it to relinquish customer emails in an Ireland data center to US prosecutors. The order, however, was seen as a measure that would clear the way for Microsoft to appeal the government request for data.
The LEADS Act requires law enforcement to have a warrant when requesting data stored abroad belonging to a “US person.” An ECPA warrant would not compel US email and cloud service providers to hand over data on other individuals, however, and would force the government to comply with the laws of countries where data it seeks is stored.
Greg Nojeim, senior counsel at the Center for Democracy and Technology, said in a Thursday blog post that the organization applauded the bill's “overall thrust,” and its additional provision that the government must notify customers whose data is obtained via a warrant.
“Currently, when the US government uses warrants to compel service providers to disclose the stored emails of their customers, there is no requirement that the government provide notice of the seizure to the person whose emails are disclosed,” Nojeim wrote.
“The notice requirement in this proposed bill represents a wise and balanced approach.”
He did offer, however, that the bill has its drawbacks, including the fact that it could “increase the pressure for data localisation mandates.” Furthermore, providers that move customer data between data centers, bring forth further uncertainty regarding implementation of the law.
“Finally, it is not clear how the bill would apply to providers who move data to different data centers around the globe in order to balance the burden on their network and better serve their users,” Nojeim said.
“If a load-balancing provider stores a user's data at one moment in India, the next in the UK, and the next in the US, will the US warrant reach the data because the data at some point comes to the US?”
Lawmakers have posted a summary (PDF) of the proposed LEADS Act, including the scope of authority provided by ECPA warrants under the bill.
