Sixth Circuit Rules Disclosure Requirements of the ECPA Are Unconstitutional

The Sixth Circuit ruled recently that the portions of the Electronic Communications Privacy Act (ECPA) related to disclosures of the content of e-mails to the government were unconstitutional in Warshak v. U.S., 2007 WL 1730094 (6^th Cir. June 18, 2007). While there have been a number of decisions finding other portions of the ECPA constitutional, including in the Ninth Circuit, this is the first decision finding any portion of the ECPA unconstitutional. However, this decision follows a number of other recent decisions that also have rejected government review of e-mails on Fourth Amendment grounds, including U.S. v. Long, 64 M.J. 57 (C.A.A.F. 2006) as well as the governments review of search engine data in Gonzales v. Google, Inc., 234 F.R.D. 674 (N.D.Cal. 2006).

The Warshak case focused on the unconstitutionality of the portion of the ECPA that permits government review of e-mails under 18 U.S.C.A. § 2703(b), which permits review of e-mails based upon a court order, not a warrant. The government argued that the Internet Service Provider’s (ISP) terms of service — Yahoo! in this case — as well as the general practice of screening e-mails for certain improper content and viruses defeated a user’s reasonable expectation of privacy, thus permitting a search of email without a warrant and its commensurate probable cause requirements. 

The Sixth Circuit upheld the district court’s entry of an injunction precluding the disclosure of email to the government, finding that this portion of the ECPA was unconstitutional. The court limited disclosure of e-mails to the government to three specific circumstances: (1) if the government obtains a search warrant under the Fourth Amendment, based upon probable cause and in compliance with the ECPA’s particularity requirement, (2) if the government provides notice to the account holder in seeking an SCA order, giving the target the same judicial review permitted if a subpoena is issued, or (3) if the government can show specific facts, demonstrating that an ISP or other entity has complete access in question and that it actually relies on and utilizes this access in the normal course of business, sufficient to establish that the user has waived his/her expectation of privacy with respect to that entity, if that entity is afforded notice and an opportunity to be heard.

This decision has implications for ISPs, but also potentially for businesses that provide e-mail service to their employees. Since the decision relates to a portion of the ECPA that only is applicable to” remote computing services” — typically ISPs that provide services to the public — normal monitoring by employers, especially if there is a stated policy that defeats a reasonable expectation of privacy, should be permitted, particularly if the employer accesses e-mail in the normal course of business. Also, the exception in the ECPA that permits businesses to review emails was not impacted by this decision since it is in a separate part of the statute.

For a more detailed discussion of the ECPA and issues raised in this alert, please see Chapters 2, 5 and 6 of the Information Security and Privacy, A Practical Guide to Federal, State and International Law (West 2007).