In this article, the authors explain that connected vehicle companies must be intentional about routinely assessing new features for potential Electronic Communications Privacy Act implications to be prepared to act quickly when served with government process.
In this article, the authors explain that connected vehicle companies must be intentional about routinely assessing new features for potential Electronic Communications Privacy Act implications to be prepared to act quickly when served with government process.
That trove of sensitive data brings unique legal obligations, wrinkles and, ultimately, risks. For instance, connected vehicle companies may increasingly find themselves critical players in law enforcement investigations and civil discovery, a role that will likely bring them face to face with the Electronic Communications Privacy Act (ECPA). Initially passed in 1986, ECPA governs the circumstances under which companies that provide communications services or store communications may disclose customer data and communications (most notably, to the U.S. government). Despite predating the modern internet, ECPA is quickly becoming a critical consideration for the companies behind the "smart" products customers increasingly demand – including, in some circumstances, connected cars. To avoid liability and reputational harm, inhouse counsel for connected vehicle companies must be alert to ECPA's restrictions on disclosure and safe harbors.
ECPA OVERVIEW
ECPA consists of three main provisions: the Wiretap Act, the Stored Communications Act (SCA), and the Pen Register/Trap and Trace Act. Relevant here, the SCA regulates the disclosure of stored electronic communications and communications-related data by certain types of entities – namely, providers of electronic communication services (ECSs) and remote computing services (RCSs). The SCA prohibits those providers from disclosing electronic communications and related records and customer information to a third party, with limited exceptions.1 For instance, it does not apply where, in the case of an ECS, the originator or an addressee or intended recipient of the communication consents to disclosure or where, in the case of an RCS, the subscriber consents to the disclosure.2
In addition to establishing prohibitions on sharing content and data, the SCA limits how the government can compel electronic records from covered providers through warrants, subpoenas, and court orders.
Specifically, it affords the content of communications held by ECS providers for 180 days or less the greatest degree of protection, requiring that government agencies obtain a warrant for such information.3
By contrast, to compel the content of electronic communications held by an ECS provider for longer than 180 days or the content of any electronic communications held by an RCS provider, the government must either (1) provide prior notice to the subscriber or customer and obtain a subpoena or court order, or (2) obtain a warrant.4
On the other end of the spectrum, the government only needs to issue certain specific subpoenas to compel certain basic subscriber records from ECS and RCS providers.5 A third genre of process, a 2703(d) order, may compel other categories of non-content customer data.6 However, as is often the case when applying old law to new technologies, where customer data fits into this rubric may not always be obvious.
COULD ECPA APPLY TO CONNECTED VEHICLE COMPANIES?
As discussed above, ECPA only applies to ECSs and RCSs. An ECS is defined under the ECPA as "any service which provides to users thereof the ability to send or receive wire or electronic communications."7
Meanwhile, an RCS is defined as "the provision to the public of computer storage or processing services by means of an electronic communications system."8 While both definitions are increasingly showing their age, modern courts continue to find ways to apply them to 21st century technologies. In addition to traditional telecommunications providers, ECSs may now include the following types of entities: internet service providers, email service providers, messaging service providers, and applications that facilitate user communications.9 And RCSs, oft referred to as "virtual filing cabinet[s],"10 have been found to include internet service providers that store emails for users11 and video sharing websites that store videos for users.12
Notably, whether an entity constitutes an ECS or an RCS is context and servicespecific – application turns in large part on the information at issue.13 Thus, depending on how a particular connected vehicle company's networks and systems operate, certain features could potentially implicate ECPA. For example, it is possible that a connected vehicle company that provides customers with automatic service notifications, connects drivers with third-party repair facilities, and then wirelessly transmits vehicle data to a repair shop on a driver's behalf could be acting as an ECS for purposes of those communications and related records. Providing the communications network and connectivity for these cars to communicate with other vehicles, traffic lights, and other roadside infrastructure (to enhance safety and traffic flow), may also be an ECS service. Another example is automatically contacting first responder services after an accident or emergency.
The same company might also be an RCS in several scenarios, such as when it:
- Compiles driver behavior data to allow motorists to monitor their own or their children's driving habits;
- Stores and maintains geolocation data so owners can track where their vehicle is being driven or has been driven by family members via an app, either in real time or after the fact;
- Offers personalized infotainment services that rely on the remote retrieval of cloud-based customer media preferences, voice profiles, or playlists;
- Stores and applies customer preferences for electric vehicle charging settings; or
- Wirelessly updates vehicle operating systems.
BEST PRACTICES FOR RESPONDING TO GOVERNMENT PROCESS
Responding to government process for customer information should not be taken lightly. Under ECPA, covered entities can be civilly liable for improperly disclosing customer communications and records to the government.
Specifically, a person "aggrieved by any violation" of the SCA engaged in with a "knowing or intentional state of mind[,]" may recover equitable or declaratory relief, damages not less than $1,000, and punitive damages and attorney fees.14 The SCA does include a "good faith" defense for companies that wrongfully disclose information on the reasonable, but mistaken, belief that a warrant, court order or subpoena required the disclosure.15 However, providers are not entitled to assert that defense if they fail to reasonably assess the validity of legal process, overlook obvious deficiencies, or otherwise produce in response to process they know is invalid.
When receiving government process, connected vehicle companies should carefully consider whether they might be an ECS or RCS with respect to the information sought, and then evaluate the government request and their obligations. If the validity of the legal process for the information sought is questionable, counsel may consider taking the following steps to reduce the risk of unlawful production and potential liability:
- Establish an Open Line of Communication With the Government. Initiate a dialogue with the requesting law enforcement or administrative agency and inform the appropriate authorities of any concerns regarding complying with the subpoena. If the government cannot provide reasonable assurance, request additional process.
- Narrow the Subpoena. Attempt to narrow the subpoena to non-content, basic subscriber information (e.g., subscriber names, addresses, and phone numbers) to mitigate potential liability stemming from the production of stored customer records or content.
- Seek User Consent. Seek user consent before disclosing certain sensitive data to the government, if feasible.
Furthermore, in-house counsel for connected vehicle companies should take proactive measures to ensure that their subpoena response programs comport with ECPA's requirements for customer data disclosure. And where no subpoena response program has been implemented yet, it would be prudent for in-house counsel to establish one to be better equipped to respond to the government's disclosure requests.
LOOKING AHEAD
With technology in cars rapidly evolving, the number of connected vehicle services resembling those associated with traditional ECS and RCS providers will continue to grow. Accordingly, connected vehicle companies must be intentional about routinely assessing new features for potential ECPA implications to be prepared to act quickly when served with process. They should also be on the lookout for case law expanding ECPA's reach to analogous industries.
Footnotes
1 18 U.S.C. § 2702(a)-(c).
2 Id. § 2702(b)(3).
3 Id. § 2703(a).
4 Id. § 2703(a)-(b).
5 Id. § 2703(c)(2).
6 Id. § 2703(d).
7 Id. § 2510(15).
8 Id. § 2711(2).
9 See, e.g., Garcia v. City of Laredo, Tex., 702 F.3d 788, 792 (5th Cir. 2012) (observing that the SCA has been applied to communication service providers such as telephone companies, internet providers, and email service providers).
10 See, e.g., Casillas v. Cypress Ins. Co., 770 F. App'x 329, 331 (9th Cir. 2019); Low v. LinkedIn Corp., 900 F. Supp. 2d 1010, 1022 (N.D. Cal. 2012).
11 United States v. Weaver, 636 F. Supp. 2d 769, 770 (C.D. Ill. 2009).
12 Viacom Int'l Inc. v. Youtube Inc., 253 F.R.D. 256, 264 (S.D.N.Y. 2008).
13 Low, 900 F. Supp. 2d at 1023.
14 18 U.S.C. § 2707. On the other side of the coin, refusal to comply with a lawful court order or warrant could result in contempt proceedings, obstruction charges, or other sanctions.
15 18 U.S.C. § 2703(e) provides that "no cause of action shall lie in any court against any provider of wire or electronic communication service, its officers, employees, agents, or other specified persons for providing information, facilities, or assistance in accordance with the terms of a court order, warrant, subpoena, statutory authorization, or certification under this chapter." 18 U.S.C. § 2707(e) provides that "a good faith reliance on – (1) a court warrant or order, a grand jury subpoena, a legislative authorization, or a statutory authorization (including a request of a governmental entity under section 2703(f ) of this title); (2) a request of an investigative or law enforcement officer under section 2518(7) of this title; or (3) a good faith determination that section 2511(3) of this title permitted the conduct complained of; is a complete defense to any civil or criminal action brought under this chapter or any other law."
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
