California Paves the Way with New Privacy Laws

Home to Silicon Valley, California has been at the forefront of protecting privacy with three new laws in as many years. According to the website Lexology, the most recent piece of legislation, coming into effect on January 1 2016, will give the sunshine state “the strongest digital privacy rights in the U.S.” Yet, the brunt of the new measures concern strengthening privacy breach notification regimes, hardly a major shift in legislative intent. Rather, these changes represent an incremental updating of the law in order to make its language and application more fit for purpose.

However, that cannot be said for the flagship in this sea battalion of privacy measures, the California Electronic Communications Privacy Act (CalECPA). Introduced by Democratic Senator Mark Leno in the wake of the Supreme Court's 2014 decision in Riley v. California, the new Act requires a search warrant for law enforcement officials to access digital personal communication. The Act also extends the definition of personal information to include metadata, thereby bringing the Californian legal framework more closely in line with European data protection laws.

The Act has been labelled a response to the significant increase of law enforcement requests to tech companies for access to email accounts and other electronically stored communication. Yet, it is tempting to ask whether the CalEPCA is also an attempt to guarantee that California’s bread-and-butter industries will be able to do business as usual by ensuring that the flow of personal data from Europe’s 500 million consumers does not stop at the border. Only weeks ago, the Court of Justice of the European Union ruled that the U.S. lacked adequate data protection safeguards. The Court was concerned that companies such as Google and Facebook would send personal customer information to the U.S. where it could be accessed by law enforcement agencies in contravention of the E.U. Data Protection Directive. As such, the CalEPCA could be read as an intended rapprochement to E.U. law that introduces data privacy protection for U.S. citizens through the back door of trade. Nevertheless, it is not a given that the new law will actually satisfy the demands of the E.U. The gap between the two systems of legal thought is still wide.

The website StateScoop notes that the new legislation is a countermeasure to “a series of revelations in recent years about expansive government surveillance programs.” If the objective is to reign in the kind of activities revealed by Edward Snowden, the Act is a step in the right direction. Yet, the CalEPCA has also been criticised for its wide exemptions — for example, enabling law enforcement agencies to circumvent its provisions in cases where these may interfere with the prevention of death or serious injury, or even to exclude electronic communication received by undercover police officers altogether.

Having grown up in Cold War Europe with clicks in our landline phone as the secret police eavesdropped on my father’s union and political activities, I can easily imagine how these loopholes could be misused. Time will tell if the Act appropriately strikes the balance between protecting civil privacy rights, and the government’s ability to catch the “bad guys”. In the meantime, the Act’s seemingly mixed objectives of transparency and accountability on the one hand and the restriction of activities on the other may make proper oversight unexpectedly difficult.

Finally, it should be noted that the new California privacy laws, along with those of Maine, Texas, Virginia and Utah, are now at odds with the U.S. Electronic Communications Privacy Act of 1986, which still permits law enforcement officials to ask for email content stored in cloud accounts. Thus, the new California laws may strengthen the arguments for federal legal reform. As Nicole Ozer of the ACLU of Northern California told the website CIO Dive: “We hope [the new California law] is a model for the rest of the nation in protecting our digital privacy rights.” Yet, it remains to be seen if California has paved the way for a nationwide future of privacy protection.