What New Privacy Protections Could Mean for Cloud Businesses

May 23, 2017

Imagine if you or your company were storing controversial information on a cloud or other SaaS (storage as a service) platform and suddenly the FBI or the police served you a subpoena, seizing possession of the files without your consent. Now, overnight, you or your business are involved in a legal investigation over files that have been sitting safely on your server for years. This is the reality of the Electronic Communications Privacy Act of 1986, which regulated matters of online privacy, including emails and all digital files, until February of 2017. Yes, the law was staggeringly outdated. Don’t worry. We’ll get to that.

Now, imagine what it must be like to be the cloud storage company involved in this instance. In light of such a situation, can businesses feel that their data is safe and private in the care of a cloud storage provider when such companies are regularly mandated to hand sensitive and confidential files over to the authorities? Think of the tension they must feel between their obligations to client and country. As they hand information over to the government, are they betraying their customers’ interests? Are they serving the greater good? Similar questions have been discussed in recent years, with Apple’s refusal to unlock an iPhone and Amazon’s refusal to unlock an Amazon Echo; in both cases, however, their decisions were sanctioned by the law. This predicament of privacy has been a troubling thought, particularly to SaaS businesses and their clients. Fortunately, as mentioned above, the ECPA has been replaced with a piece of legislation that is more relevant to a world steeped in technology that would have simply been unimaginable in 1986.

So what is the new law, and how is it different from the old one? Furthermore, what will it mean for SaaS businesses?

The new bill is called the Email Privacy Act and it essentially updates the conditions necessary in order for law enforcement or federal officers to seize digital files, including emails and cloud-stored files. Under the prior regulation, digital files that had been stored for less than 180 days required a warrant. Obtaining a warrant required the approval of a judge, which made the process much more of an ordeal. However, for files that had been stored for more than 180 days, federal agencies and law enforcement only needed to serve a subpoena. This may have made sense in 1986 when only 10 million of the world’s citizens had email addresses and the thought of long-term online storage of files was impractical, but now that the technological landscape has been reinvented many times over, a change is needed in order for citizens to feel that their data is safe.

The Email Privacy Act of 2017 essentially reverses the approach of the ECPA, requiring more extensive approval to search older files rather than new ones. Under the new law, files that have been stored with third parties for six months or longer require that law enforcement secure a court-ordered warrant in order to seize the data. This seems to be a change that is welcomed by both sides of the political spectrum. While it is the Republican-led House and Senate that have worked to push this legislation through, it is interesting to note that the policies outlined under the new law essentially characterize the philosophy on online privacy executed by President Obama’s administration.

For SaaS companies, this significantly lessens worries about government seizure of client files by limiting the time window for an easy subpoena to six months, rather than allowing open season on documents indefinitely after approximately the same amount of time. Searching documents without a warrant within this period would require investigators to act much faster. Ultimately, all of this means that government and police investigations involving digital files held on a third-party server must be overseen more by judges. This could be interpreted to mean that fewer files will be searched, and those that are will have an implicitly stronger justification, since the search was court-mandated.