The U.S. House of Representatives approved on Monday the Email Privacy Act, which would require law enforcement agencies to get court-ordered warrants to search email and other data stored with third parties for longer than six months.
The House approved the bill by voice vote, and it now goes to the Senate for consideration.
The Email Privacy Act would update a 31-year-old law called the Electronic Communications Privacy Act (ECPA). Some privacy advocates and tech companies have pushed Congress to update ECPA since 2011. Lax protections for stored data raise doubts about U.S. cloud services among consumers and enterprises, supporters of the bill say.
Under ECPA, protections differ for older and more recent data. Law enforcement agencies need warrants to search paper files in a suspect’s home or office and to search electronic files stored on the suspect’s computer or in the cloud for less than 180 days. But files stored for longer have less protection. Police agencies need only a subpoena, not reviewed by a judge, to demand files stored in the cloud or with other third-party providers for longer than 180 days.
That difference in the way the law treats stored data is a “glaring loophole in our privacy protection laws,” said Representative Jared Polis, a Colorado Democrat and co-sponsor of the bill.
The Email Privacy Act will bring U.S. digital privacy laws into the 21st century, said Representative Kevin Yoder, a Kansas Republican and co-sponsor of the bill.
Supporters of the bill argue internet users’ privacy expectations have changed since ECPA passed in 1986. Storage was expensive back then, and only about 10 million people had email accounts, Yoder said. Now internet users are more likely to store sensitive communications with cloud providers and other internet-based companies.
Under former President Barack Obama, the Department of Justice was cool to the idea of changing ECPA. The changes will make it tougher for law enforcement agencies to investigate crimes and terrorism, some critics say.
A similar bill passed the House by a 419-0 vote in April 2016, but the Senate failed to act and the legislation died after a new Congress was elected in November. The new version of the Email Privacy Act, introduced Jan. 9, has already collected 108 cosponsors, about a quarter of the membership of the House.
The bill would not protect internet companies from searches of their overseas servers by U.S. law enforcement agencies. Microsoft and Google have been fighting warrants for user data located outside the U.S.
Before the vote, the Consumer Technology Association urged the House to pass the bill. ECPA, which was “written before Congress could imagine U.S. citizens sharing and storing personal information on third-party servers, is woefully out of date,” Gary Shapiro, president and CEO of the CTA, said in a statement.