Over the last few decades, technology has evolved at an ever-increasing pace. As technology changed, so did our preferred method of communication. For most of us, the postal service seems quaint: it’s how we get Amazon deliveries and advertising spam, but few still think of snail mail as their preferred way to communicate with friends, family, and co-workers. Instead we use email and other forms of electronic communication.
The law has not evolved at anywhere near the pace of technological change. Privacy is a fundamental right, and in the US, that right is enshrined in law. For law enforcement officials and government agencies to access snail mail, they need a warrant. To access email over 180-days-old, they do not. This is a glaring disparity that the Email Privacy Act is intended to address — giving email and other online communications data similar protections to postal mail.
Email is, by the standards of the internet, an ancient technology, but it’s only since the late nineties that it has been the dominant way to communicate for businesses and citizens alike. Over the last decade, the amount of information we entrust to the cloud has increased exponentially with the massive adoption of SaaS email platforms like Gmail, which encourage us to throw nothing away. In the modern world, the privacy of that data is a pressing concern, and many would argue that it’s as important as the privacy of postal mail, if not more so.
Law enforcement agencies often have a legitimate reason to scrutinize email, just as they have a legitimate reason to scrutinize postal mail, but the law that currently governs access to email data — the Electronic Communications Privacy Act — was enacted in 1986, a decade before the web entered widespread use. Under the ECPA, data stored on a third-party server for more than 180 days is considered to have been abandoned — a view that’s clearly incompatible with modern communications platforms.The current incarnation of the Email Privacy Act is intended to bring privacy laws around email into the 21st century and give our online communication data the same privacy protection as physical communications.
What does that mean for email providers? Most importantly, it would mean that — exceptions aside — email providers will have no obligation to hand over private email data without a warrant.
The Email Privacy Act has a way to go before it becomes law, and it’s not unopposed. The SEC and several other agencies don’t want to see their easy access to email data removed, and it’s unclear how the new administration will regard increased privacy for email data. But, if the act does become law, companies that deal with email data will have to carefully consider its implications — a privacy right for email users imposes a privacy duty on email providers.