Cloud Security, Compliance Management, Government Regulations, Privacy

LEADS Act addresses gov’t procedure for requesting data stored abroad

Three senators are backing legislation that would amend the Electronic Communications Privacy Act (ECPA) to clarify U.S. law enforcement procedure for requesting Americans' data stored abroad.

Sens. Orrin Hatch, R-Utah; Chris Coons, D-Del.; and Dean Heller, R-Nev.; introduced the Law Enforcement Access to Data Stored Abroad (LEADS) Act (PDF) on Thursday. The bill aims to update ECPA which was enacted three decades ago, in order to make it clear that police warrants requesting electronic communications, such as emails, don't necessarily authorize the seizure of data stored in foreign countries.

The legislation would potentially help cloud service and email providers tasked with responding to police data requests as well as protecting the information of customers across the globe.

Earlier this month, tech giant Microsoft was held in contempt of court for not complying with a ruling that required it to relinquish customer emails in an Ireland data center to U.S. prosecutors. The order, however, was seen as a measure that would clear the way for Microsoft to appeal the government request for data.

The LEADS Act requires law enforcement to have a warrant when requesting data stored abroad belonging to a “U.S. person.” An ECPA warrant would not compel U.S. email and cloud service providers to hand over data on other individuals, however, and would force the government to comply with the laws of countries where data it seeks is stored.

Greg Nojeim, senior counsel at the Center for Democracy and Technology, said a Thursday blog post that the organization applauded the bill's “overall thrust,” and its additional provision that the government must notify customers whose data is obtained via a warrant.

“Currently, when the U.S. government uses warrants to compel service providers to disclose the stored emails of their customers, there is no requirement that the government provide notice of the seizure to the person whose emails are disclosed,” Nojeim wrote. “The notice requirement in the Hatch-Coons-Heller bill represents a wise and balanced approach.”

He did offer, however, that the bill has its drawbacks, including the fact that it could “increase the pressure for data localization mandates.” Furthermore, providers that move customer data between data centers, bring forth further uncertainty regarding implementation of the law.

“Finally, it is not clear how the bill would apply to providers who move data to different data centers around the globe in order to balance the burden on their network and better serve their users,” Nojeim said. “If a load-balancing provider stores a user's data at one moment in India, the next in the U.K., and the next in the U.S., will the U.S. warrant reach the data because the data at some point comes to the U.S.?”

On Sen. Hatch's website, lawmakers posted a summary (PDF) of the LEADS Act, including the scope of authority provided by ECPA warrants under the bill.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.