Closing the data broker loophole: 4th Amendment is Not for Sale Act
In 1986, Congress passed the Electronic Communications Privacy Act (ECPA). Title II of ECPA, commonly known as the Stored Communications Act (SCA), prohibits the provider of an electronic communication service from giving or selling the contents of any communication stored, carried or maintained to a third party. The SCA also provides procedural requirements for government entities accessing these electronic communications—such as requiring a court order for law enforcement agencies to gather evidence against a suspect. Current law applies only to phone companies, social media platforms and providers of internet, e-mail and text messaging services. In passing the ECPA, Congress recognized the need for additional data privacy protections and created legislation sufficient for their governing period.
Today, this country is experiencing a concerning trend in data privacy with the advent of the data broker industry. Data brokers are businesses that collect and combine data made available through different sources such as app use, web browser cookies and public records. These companies then sell that compiled information to other entities. Currently, government agencies are circumventing the restrictions of the SCA and purchasing data from brokers. As the law stands now, defendants in a criminal trial are subject to evidence presented against them without any legal justification for obtaining such evidence and without a real opportunity to purchase the same quality or quantity of exculpatory evidence. This practice unfairly burdens defendants at trial and threatens the vitality of the Fourth Amendment.
Reports show that the Customs and Border Patrol, the Department of Homeland Security, the Internal Revenue Service, the Federal Bureau of Investigations and the Drug Enforcement Agency are all governmental culprits for purchasing data from private companies. Often these brokers obtain data from sources such as games and weather apps that users download onto their phones without knowing the privacy invasion they are opening themselves up to. The use of the purchased data varies based on each agency’s purpose, but the privacy violation is all the same.
In recent years, the Supreme Court signaled a change in privacy protection levels for digital data. In 2018, the Court ruled in Carpenter v. United States that a warrant is required to compel wireless carriers to turn over location information obtained by tracking a user’s movements for long periods. In Carpenter, the location data presented to the court equated to a week’s worth of geological tracking of the defendant. This case significantly changed the application of the third-party doctrine—the legal principle that information voluntarily given to a third party loses its reasonable expectation of privacy and thus is not subject to Fourth Amendment protections. United States v. Miller established the third-party doctrine when the Court ruled that information found in a defendant’s bank records had no reasonable expectation of privacy. When the Court decided Miller, they had no way of knowing the type and volume of information society would soon be divulging to third parties.
In Carpenter, the Court reasoned that using cell phones is necessary to function in today’s society and giving data from the consumer to the wireless carrier is not truly voluntary. An individual is not left with a real choice when it comes to producing data and giving it to third parties lurking in the background of their electronic devices. The legislative and judicial branches of government have clarified that an individual’s private electronic data should be protected under the Fourth Amendment.
Additionally, Senate Report 99-541 from the Senate Judiciary Committee makes clear that the intent of the Legislature when passing the ECPA was for the law to continue to evolve with the development of new technologies. The report provides that “the law must advance with the technology to ensure the continued vitality of the [F]ourth [A]mendment. … Congress must act to protect the privacy of our citizens. If we do not, we will promote the gradual erosion of this precious right.” Without the ability to predict the future, Congress could not legislate in a way that prevented the current loophole we are experiencing today. However, it is clear that the lawmakers intended to protect this area of privacy, regardless of what type of company the data is being purchased from.
Last year, in an attempt to update the law to serve our current reality better, Sens. Ron Wyden (D-OR) and Rand Paul (R-KY), along with Reps. Jerrold Nadler (D-NY) and Zoe Lofgren (D-CA) introduced the bipartisan, bicameral Fourth Amendment is Not For Sale Act. The bill, if enacted, would prohibit law enforcement and intelligence agencies from purchasing data from a third party. Additionally, any data received by such agency in violation of this bill would be inadmissible as evidence in any proceedings before a court, grand jury, regulatory body or any other administrative or legislative hearing. The provisions in this proposed legislation will close the current loophole and end the practice of government agencies buying their way around Fourth Amendment restrictions. After the introduction, Congress referred the bill to each chamber’s Judiciary Committee, but it never went to a vote before the full House or Senate. The new 118th Congress has not yet reintroduced this legislation.
The Fourth Amendment is Not For Sale Act is an important step in addressing the current violations of Fourth Amendment rights. Furthermore, it is in line with the Court’s ruling in Carpenter, which protects digital data without the constraint of the third-party doctrine, and it is likely just the first of many reforms pertaining to privacy in the digital age.