BILL ANALYSIS Ó SENATE COMMITTEE ON APPROPRIATIONS Senator Ricardo Lara, Chair 2015 - 2016 Regular SB 178 (Leno) - Privacy: electronic communications: search warrants ----------------------------------------------------------------- | | | | | | ----------------------------------------------------------------- |--------------------------------+--------------------------------| | | | |Version: April 22, 2015 |Policy Vote: PUB. S. 6 - 1 | | | | |--------------------------------+--------------------------------| | | | |Urgency: No |Mandate: Yes | | | | |--------------------------------+--------------------------------| | | | |Hearing Date: May 28, 2015 |Consultant: Jolie Onodera | | | | ----------------------------------------------------------------- SUSPENSE FILE. AS AMENDED. Bill Summary: SB 178 would create the Electronic Communications Privacy Act, which would require a search warrant or wiretap order for access to all aspects of electronic communications, with specified exceptions, and would specify noticing and information deletion requirements. This bill would require a government entity, as defined, that obtains information pursuant to the Act to annually report specified data to the Attorney General, and would require the Department of Justice (DOJ) to aggregate and publish the information on its website by April 1, 2017, and annually thereafter. Fiscal Impact (as approved May 28, 2015): Noticing requirements : Ongoing potentially significant costs to state and local law enforcement agencies for those noticing provisions in the bill that exceed requirements under federal law. To the extent local agency expenditures qualify as a reimbursable state mandate, agencies could claim reimbursement SB 178 (Leno) Page 1 of ? of those costs (General Fund). Costs would be dependent on various factors including but not limited to the number of persons requiring notice, both contemporaneously and under the delayed noticing provisions, time/workload required per notice, and the method of noticing used. Information deletion : Unknown, but potentially significant costs to government entities for the required deletion of information within the specified time period. To the extent local agency expenditures qualify as a reimbursable state mandate, agencies could claim reimbursement of those costs (General Fund). DOJ impact : Significant ongoing costs potentially in excess of $300,000 (General Fund) for resources to meet the noticing requirements of the bill. Minor, absorbable impact to aggregate and post annual reports received to its website. Background:1) The Fourth Amendment to the U.S. Constitution and Article I, Section 13 of the California Constitution protect the right of the people against unreasonable searches and seizures. In recent cases, the U.S. Supreme Court has affirmed that Fourth Amendment protections extend to electronic information, and that protection must keep pace with advancing technology. Existing federal law under the Electronic Communications Privacy Act provides that a government entity may only access the contents of communications in electronic storage for 180 days or less pursuant to a warrant. If the contents of a wire or electronic communications have been in electronic storage in an electronic communications system for more than 180 days, a government entity may require its disclosure through other means such as a subpoena or a court order with prior notice to the subscriber or customer. However, a government entity may access the contents of a wire or electronic communications that have been in electronic storage for more than 180 days without required notice to the subscriber or customer if the government entity obtains a warrant. Further, under existing federal law, a governmental entity may require a provider of electronic communication service to disclose a record or other information pertaining to a subscriber to or customer of such service under specified circumstances, including pursuant to a warrant or court order. A governmental entity receiving records or information under this SB 178 (Leno) Page 2 of ? provision of federal law is not required to provide notice to a subscriber or customer. (18 USC § 2703.) This bill seeks to update existing state law by instituting a clear, uniform warrant process for government access to all aspects of electronic information, including data from personal electronic devices, emails, digital documents, text messages, metadata, and location information. Proposed Law: This bill would enact the Electronic Communications Privacy Act, which would provide that government entities shall not compel the production of or access to electronic information, as defined, without a warrant or wiretap order, with specified exceptions. Additionally, this bill: Provides that a government entity may access electronic device information by means of physical interaction or electronic communication with the device only as follows: 1) In accordance with a wiretap order or search warrant, as specified. 2) With the specific consent of the authorized possessor of the device, including when a government entity is the intended recipient initiated by the authorized possessor of the device. 3) With the specific consent of the owner of the device, only when the device has been reported as lost or stolen. 4) If the government entity, in good faith, believes that an emergency involving danger of death or serious physical injury to any person requires access to the electronic device information. 5) If the government entity, in good faith, believes the device to be lost, stolen, or abandoned, provided that the entity shall only access electronic device information in order to attempt to identify, verify, or contact the authorized possessor of the device. Requires a government entity receiving electronic SB 178 (Leno) Page 3 of ? communication information voluntarily to delete that information within 90 days unless specific consent or a court order has been obtained authorizing retention of the information. Requires a government entity that executes a warrant or wiretap order, or an emergency, as specified, to contemporaneously serve upon, or deliver by registered or first-class mail, electronic mail, or other means, the identified targets of the warrant, order, or request, a notice that informs the recipient that information about the recipient has been compelled or requested, and states the nature of the investigation. The notice is to include a copy of the warrant or order, or a written statement setting forth facts giving rise to the emergency. Requires a government entity to take reasonable steps to provide notice within three days of the execution of the warrant, wiretap, or emergency request or access, to all individuals about whom information was disclosed or obtained if there is no identified target. Authorizes a government entity to submit a request for a court order delaying notification for up to 90 days that prohibits any party from notifying any other party that information has been sought. Extensions for up to 90 days may be granted by the court. Upon expiration of the period of delay, requires government entities to notice every individual whose electronic information was acquired, a document including specified information, a copy of all electronic information obtained or a summary of that information, including, at a minimum, the number and types of records disclosed, the date and time when the earliest and latest records were created, and a statement of the grounds for the court's determination to grant a delay in notification. Specifies a California or foreign corporation, and its officers, employees, and agents, are not subject to any cause of action for providing records, information, facilities, or assistance in accordance with the terms of an order issued pursuant to this chapter. Specifies that except as proof of a violation of this SB 178 (Leno) Page 4 of ? Act, no evidence obtained or retained in violation of this chapter shall be admissible in a criminal, civil, or administrative proceeding, or used in an affidavit in an effort to obtain a search warrant or court order. Requires a government entity that obtains electronic information pursuant to the provisions of this Act to make an annual report to the AG on or before February 1, 2017, and each February 1 thereafter. To the extent it can be reasonably determined, the report is to include all of the following: a. The number of requests or demands for electronic information. b. The number of requests or demands made, and the number of records received for each of the following types of records: i. Electronic communication content. ii. Location information. iii. Other electronic information. c. For each of the types of records in (b), all of the following: i. The number of requests or demands that were each of the following: 1. Wiretap orders 2. Search warrants 3. Emergency requests ii. The total number of users whose information was requested or demanded. iii. The total number of requests or demands that did not specify a target individual. iv. The number of requests or demands complied with in full, partially complied with, or refused. v. The number of times the notice to the affected party was delayed and the average length of the delay. vi. The number of times records were shared with other government entities or any department or agency of the federal government, and the agencies with which the records were shared. vii. For contents of electronic communications, the total number of SB 178 (Leno) Page 5 of ? communications contents received. viii. For location information, the average period for which location information was obtained or received and the total number of location records received. ix. For other electronic communication information, the types of records requested and the total number of records of each type received. On or before April 1, 2017, and each April 1 thereafter, requires the DOJ to publish on its internet website both of the following: o The individual reports from each government entity that requests or compels the production of contents or records pertaining to an electronic communication or location information. o A summary aggregating each of the items required to be reported by government entities. Prior Legislation: SB 467 (Leno) 2013 would have required a search warrant for access to electronic communications, and mandated specified notifications by law enforcement. This bill was vetoed by the Governor with the following message: This bill requires law enforcement agencies to obtain a search warrant when seeking access to electronic communications. Federal law currently requires a search warrant, subpoena or court order to access this kind of information and in the vast majority of cases, law enforcement agencies obtain a search warrant. The bill, however, imposes new notice requirements that go beyond those required by federal law and could impede ongoing criminal investigations. I do not think that is wise. SB 1434 (Leno) 2012 would have prohibited a government entity from obtaining the location information of an electronic device without a valid search warrant unless certain exceptions apply. This bill was vetoed by the Governor. SB 914 (Leno) 2011 would have prohibited the search of information contained in a portable electronic device by a law enforcement officer incident to a lawful custodial arrest except pursuant to a search warrant. This bill was vetoed by the SB 178 (Leno) Page 6 of ? Governor. Staff Comments: The provisions of this bill will significantly increase costs to government entities with regard to the overall process of requesting and obtaining electronic information, while strengthening protections for consumers with respect to electronic privacy law. While some of the provisions of the Act are consistent with existing federal/state and case law, the data collection/reporting, information deletion, and certain noticing provisions mandated by the Act will result in new workload for local agencies. Data collection/reporting to DOJ This bill requires government entities that "obtain electronic information pursuant to this chapter" to make an annual report including specified data to the DOJ. As the chapter essentially covers all means by which to obtain electronic information, whether through request or demand, it is estimated that all law enforcement entities, both local and state, would be subject to the data collection and reporting requirements of this bill. There are currently 482 cities and 58 counties in the State. While statewide costs cannot be estimated with certainty, given the large number of local agencies and the numerous types of data required to be collected and reported, these activities could result in major one-time and ongoing costs, potentially in the tens of millions of dollars annually. To the extent local agency expenditures qualify as a reimbursable state mandate, agencies could claim reimbursement of those costs (General Fund). As an example, the Commission on State Mandates' statewide cost estimate for Crime Statistics Reports for the DOJ reflects eligible reimbursement of over $13.6 million per year for slightly over 50 percent of local agencies reporting. The costs to individual agencies would vary widely and depend on various factors, including but not limited to the size of the agency, the volume of requests and demands for electronic information by the agency, the type of electronic data, the number of records for each request/demand, and the workload involved to fulfill each of the data elements required to be reported. For example, while the workload involved to report the number of requests and demands for electronic information may not be substantial, the workload required to collect and track SB 178 (Leno) Page 7 of ? the number of times each notice to an affected party was delayed and the average length of the delay, would be much more onerous. To the extent local agencies additionally require the development of a central database and other system enhancements to collect, track, and report the information, these one-time and ongoing costs for maintenance and operations could also be very significant. Noticing requirements Certain noticing requirements specified in the bill are consistent with provisions of federal, state, and case law, and are not estimated to result in increased costs to agencies. However, as noted in the Background Section of this analysis, under existing federal law (18 USC § 2703), a governmental entity is not required to provide notice to a subscriber or customer when a warrant is obtained for specified electronic information. And the delayed notification provisions under federal law apply only to use of administrative subpoenas or court orders, which require customer notification. As a result, certain provisions of this bill will result in a higher level of service for agencies, resulting in potentially significant ongoing costs. To the extent local agency expenditures qualify as a reimbursable state mandate, agencies could claim reimbursement of those costs (General Fund). The costs to agencies would be dependent on various factors including but not limited to the number of persons requiring notice, both contemporaneously and under the delayed noticing provisions, time/workload required per notice, and the method of noticing used. For example, a request or order for metadata with no identified target could involve hundreds or more individuals, that would require noticing, as the bill requires all individuals about whom information was disclosed or obtained to be noticed. The requirements under delayed notification additionally require a copy of all information obtained, or a summary of that information including the number and types of records, the date and time when specified records were created, and a statement of the grounds for the court's determination to grant a delay in notification. Information deletion Government entities could incur new costs for the required deletion of information voluntarily provided within the 90-day time period. Because an agency could avoid this workload through SB 178 (Leno) Page 8 of ? a court order or by obtaining a warrant or order for the information, any new costs to an agency attributable to information deletion would reduce the additional costs noted above that otherwise would be incurred by that agency for noticing and the associated data collection on noticing. To the extent local agency expenditures for information deletion qualify as a reimbursable state mandate, agencies could claim reimbursement of those costs (General Fund). 2/3-Vote Requirement The California Constitution provides for the Right to Truth in Evidence, which requires a 2/3 -vote of the Legislature to exclude any relevant evidence from any criminal proceeding, as specified. Because this bill would exclude evidence obtained or retained in violation of its provisions in a criminal proceeding, it triggers the 2/3-vote requirement. Author amendments (as adopted May 28, 2015): For cases in which there is no identified target of a warrant, wiretap order, or emergency request or access, deletes the requirement that the government entity take reasonable steps to provide notice within three days and instead requires the entity to submit to the Department of Justice (DOJ) within 72 hours a report that states with reasonable specificity the nature of the government investigation under which the information was sought. Require DOJ to publish each report received on its website within 90 days of receipt. Add a coauthor. Make other technical changes. Committee amendments (as adopted May 28, 2015): Delete the data collection and reporting requirements of the bill. -- END -- SB 178 (Leno) Page 9 of ?