Access to Data Must Be Governed by Modern Law — Why Congress Must Act
By Karen S. Evans Antiquated and outdated are words I hear too often when someone describes the federal government’s approach to information technology — or the corresponding laws and policies governing its implementation. During my nearly 27 years of public service, it was clear that the government’s response to new technology was often delayed by the challenges of reconciling new technology with existing law. Many laws today, including the Electronic Communications and Privacy Act, are decades out of date and do not address the use of cloud computing and mobile devices. Without new legislation, such as the Law Enforcement Access to Data Stored Abroad Act, the U.S. is at risk of falling behind in its approach to privacy, jeopardizing its position as a leader in the digital age.
The opportunities and benefits afforded by these innovations are endless, but they will be minimized, even detrimental, without policy action in Congress to safeguard individual privacy. Moreover, the recent Safe Harbor announcement underscores the need for greater clarity to protect citizen privacy and the economy at large.
The Need for Legislative Clarity ECPA regulates the government’s access to private electronic communications, but does not clearly address the use of cloud storage. If my company is U.S.-based but has servers located overseas, do U.S. or foreign laws apply? The Second Circuit courts and Congress are working to identify an answer to this question, which is being asked by many U.S.-headquartered companies. This situation is further complicated by the EU’s recent decision to invalidate Safe Harbor, which will significantly affect the way technological solutions are implemented by global companies.
The highest-profile example of this issue, the Microsoft search warrant case, sits before the Second Court of Appeals. As I have seen this case unfold, it is clear that the government’s reliance on outdated policy has put individual privacy at risk. Simply put, the case underscores the fact that data storage is international and operating under an outdated regulatory framework. The U.S. approach to this issue is even more concerning when I think about how a court decision in the government’s favor could reverberate with foreign governments. U.S citizens and companies would not want foreign governments unilaterally accessing their data. Congress must take action to prevent this.
Above all, the search warrant case highlights that the policies and the underlying statutes governing access to data are out of date. It demonstrates the need for Congress to develop a new rule of law that addresses how information is exchanged today. It is time to modernize how the government balances the needs of law enforcement with privacy concerns in order to fully embrace the benefits of the cloud.
A Legislative Fix: The LEADS Act The LEADS Act addresses the loopholes in current law and provides a long-term solution to guide law enforcement’s access to data. The LEADS Act updates ECPA and requires the U.S. to improve its mutual legal assistance treaties (MLATs) — the agreements between countries governing the exchange of information for law enforcement purposes. This bill, with bipartisan support in Congress, ensures the U.S. has a clear framework for access to data that takes into account both national security and personal privacy concerns.
The passage of the legislation would reaffirm U.S. leadership on privacy and its ability to effectively address the growing set of issues associated with evolving technologic capabilities. During my time in government, developing complex systems to make our government smarter and more efficient was, at times, an onerous process. Systems had to comply with all relevant legislative requirements, which often required balancing the government’s approach to personal privacy. Congress needs to demonstrate U.S. leadership and technological preeminence abroad by updating our current statutes.
While the LEADS Act is debated on Capitol Hill and routed through the legislative process, it is imperative that supporters of increased privacy protections examine all possible avenues for reform, including legal remedies at the highest level. This is an issue of great public importance and a situation where Supreme Court intervention should be considered if Congress fails to act.
Improvements to our laws must keep up with future breakthroughs and govern new technology with a heightened understanding. It’s imperative now more than ever that Congress properly balance individual privacy with access to data to preserve U.S. leadership in the digital age.
Karen S. Evans is a partner at KE&T Partners and the national director for the US Cyber Challenge. She retired after nearly 28 years of federal government service with responsibilities ranging from a GS-2 to presidential appointee as the administrator for E-Government and Information Technology at the Office of Management and Budget.