So What's in the California Electronic Communications Privacy Act?

On October 8, Governor Jerry Brown of California approved Senate Bill (S.B.) 178, or the California Electronic Communications Privacy Act, designed to designed to strengthen electronic privacy against law enforcement access to data. It’s kind of a whopper, imposing a warrant requirement on the acquisition of metadata at the state level.

Here’s a brief summary.

The legislation has two big moving parts: a warrant requirement and a notice requirement.

Federal law already requires a warrant for electronic communication content acquisition. But under this statute, government entities in California will generally have to have a warrant (or another valid court authorization) in order to compel the production of or gain access to electronic information, including both content and metadata.

In the case of metadata, but not content, the bill sets forward four general exceptions to the above requirement: (1) when there’s specific consent from the information’s authorized possessor or owner, (2) if the device containing the sought information is taken from an inmate, (3) in an emergency situation involving danger of death or serious physical injury, or (4) if the device is believed to be lost, stolen, or abandoned, and then only if access is sought in order to try to “identify, verify, or contact the owner or authorized possessor of the device.” The last two categories are qualified by express good faith requirements. Additionally, in emergency situations, government agents must file an application for a warrant or other authorization within three days of obtaining the electronic data.

If a warrant is the basis for collection, the warrant must “describe with particularity” the information sought by identifying the target and require that any information obtained under the warrant but unrelated to the warrant’s objective “shall be sealed and not subject to further review, use, or disclosure” without a separate court order.

When a service provider voluntarily shares electronic communication information or subscriber information, which is authorized by S.B. 178, the government entity receiving the information must destroy the data within 90 days, unless there’s specific consent from the sender or recipient of the electronic communications, a court order is obtained, or if the government reasonably believes the information is related to child pornography and retains the information within a “multiagency database” on child pornography or related investigations.

Subpoenas are permissible only if the information is not requested in the context of a criminal investigation or prosecution.

S.B. 178 also requires that whenever a warrant is executed, or when electronic information is received in emergency cases, notice must be served upon or delivered to “the identified targets of the warrant or emergency request.” The notice must indicate that information about the notice recipient is being sought and it must state “with reasonable specificity the nature of the government investigation.” In addition, the notice must include a copy of the warrant or, in emergency cases, shall provide a written statement with facts to support the declaration of an emergency situation. This notice must be provided to the recipient at the same time as the warrant’s execution, or three days after the data is collected when it’s an emergency case.

The government may seek a court order delaying notification, and limiting a notice recipient’s authority to notify other parties that information has been sought, but the court retains the authority to determine whether there is “reason to believe that notification may have an adverse result.” (An “adverse result” is defined in S.B. 178 to include: danger to life or individual safety, flight from prosecution, destruction of or tampering with evidence, intimidation of potential witnesses, and serious jeopardy to an investigation or undue trial delay.) If notice is postponed, it cannot exceed 90 days unless the court authorizes further extensions, each for 90 days at a time.

Once the grant of delayed notice expires, the government must provide notice with the requirements described above and must give the identified targets a document with a copy of all electronic information obtained or a summary of the information. This must include “the number and types of records disclosed, the date and time when the earliest and latest records were created, and a statement of the grounds for the court’s determination to grant a delay in notifying the individual.”

When there is not an identified target involved, the government must submit all of the same information required for notice (or delay of notification) to the Department of Justice, which shall then publish all those reports within 90 days of receiving them. Personal identifying information may be redacted.

The last section of the bill allows any individual involved in a judicial proceeding to move to suppress any information “obtained or retained in violation of the Fourth Amendment” or of the bill. It also provides that any individual whose information is targeted by a warrant or other court authorization that is inconsistent with the bill may petition to have the authorization voided or modified, or to have the information destroyed. That individual may also petition to have information destroyed that was obtained in violation of the bill or the U.S. or California state constitution. Finally, the bill provides that the state Attorney General may bring civil action to compel government compliance.