SEC Enforcement Director Tells House Judiciary Committee That Investigation Agencies Should Not Need Warrants to Access Email Data Directly from Internet Service Providers

On Tuesday, Andrew Ceresney, Director of the Securities and Exchange Commission’s Division of Enforcement, told the House Judiciary Committee that the Email Privacy Act (H.R. 699) and the Electronic Communications Privacy Amendments Act (S. 356) should not be amended to require prosecutors and civil enforcement agencies to obtain criminal warrants when requesting emails and other electronic data directly from internet service providers (“ISPs”), which include cloud-based storage services. 

The draft legislation, supported by civil liberties advocates and internet service providers, would amend the Electronic Communications Privacy Act (“ECPA”) of 1986 to bar civil investigators from using subpoenas, rather than warrants, to obtain electronic communications that are more than 180 days old directly from electronic hosting services.  The bill’s proponents argue that the ECPA does not adequately protect Americans’ privacy because the law did not contemplate that consumers would rely so heavily on internet service providers for long-term data storage.

Ceresney, testifying along with representatives from the Department of Justice, the National Association of Assistant U.S. Attorneys, the Tennessee Bureau of Investigation, the Department of Homeland Security’s Office of Policy, the Center for Democracy and Technology, and Google, vociferously opposed the bills.  Ceresney emphasized the importance of emails in proving the mental state element in fraud causes, and contended that the draft legislation would create an incentive for investigation targets to destroy or refuse to provide emails, because those targets would know that the SEC could no longer easily obtain the data from other sources like ISPs.

Under Ceresney’s counter-proposal, which he said complied with existing case law, both the investigation target and the service provider could challenge subpoenas in judicial proceedings prior to responding to them.   He also proposed adding the words “where possible” to language requiring civil law enforcement agencies to first seek electronic communications directly from the data’s owner.

Congressmen questioned the constitutionality of using subpoenas instead of warrants, and noted that the SEC has not compelled the production of older electronic communications directly from a service provider in over five years.  Cereseny stated that while the SEC continues to believe the Constitution permits its use of subpoenas instead of warrants, it has refrained from using them recently because of Congress’s proposed changes.  Cereseny also stated that the SEC gives notice to email account holders when it has sought content from ISPs.  Representatives of the House also echoed Google Director Richard Salgado’s testimony to the Committee, criticizing the SEC for treating electronic communications differently from paper communications, and analogizing the SEC’s proposal to asking a locksmith to help it enter a house to retrieve a box of paper documents.  The complete testimony from Tuesday’s hearing is available here.

The bipartisan bills to secure additional privacy in the digital age appear to have strong support, but it bears noting that the House and Senate have been mulling over ECPA reforms for years.