April 23, 2019

April 23, 2019

Subscribe to Latest Legal News and Analysis

April 22, 2019

Subscribe to Latest Legal News and Analysis

New Utah Privacy Law Expands Warrant Requirement for Individuals’ Data Held by Electronic Communications Service Providers

On March 27, 2019, Utah Governor Gary Herbert signed HB 57, a bill designed to increase privacy protections by requiring law enforcement to obtain a search warrant before being able to access a person’s data held by electronic communication or remote computing service providers, including location information.

The bill, called the “Electronic Information or Data Privacy Act,” was introduced by Representative Craig Hall (R-Utah), who stated that the goal of the bill “is to provide the same protections we have in the physical world and apply those to the electronic world.”

Just last year, in Carpenter v United States, 138 S.Ct. 2206 (2018), the Supreme Court declared a Fourth Amendment privacy right for cell phone location data. The Court revised its long-held “reasonable expectation of privacy” test and ruled that law enforcement obtaining cell site location information records from a person’s cell phone service provider constitutes a search under the Fourth Amendment and requires a warrant.

Even when such ruling expanded the privacy protection to information shared with a third party, it was a narrow decision referring only to location data in possession of wireless providers. Chief Justice Roberts recognized this and admitted that further expansion of these protections would be better achieved through state legislatures that could develop an “entirely new body of Fourth Amendment case law.”

Following the Chief Justice’s hint, Utah enacted the “Electronic Information or Data Privacy Act” that protects electronic data held by a third party from warrantless access by law enforcement. Specifically, subject to a few exceptions, the law imposes a warrant requirement for law enforcement to obtain (i) location information, stored data, or transmitted data of an electronic device, or (ii) electronic information or data transmitted by the owner thereof to a remote computing service provider. As used here, the term “electronic information or data” means “information or data including a sign, signal, writing, image, sound, or intelligence of any nature transmitted or stored in whole or in part by a wire, radio, electromagnetic, photoelectronic, or photooptical system.”

Notably, this law expressly carves out an exception for “subscriber records,” defined as “a record or information of a provider of an electronic communication service or remote computing service that reveals the subscriber's or customer's: (a) name; (b) address; (c) local and long distance telephone connection record, or record of session time and duration; (d) length of service, including the start date; (e) type of service used; (f) telephone number, instrument number, or other subscriber or customer number or identification, including a temporarily assigned network address; and (g) means and source of payment for the service, including a credit card or bank account number.” By exempting such subscriber records from the warrant requirement, the Utah law tracks the familiar set of non-content records that can be obtained through a 2703(c)(2) subpoena under the federal Stored Communications Act (SCA), 18 U.S.C. §§ 2701 et seq.

Finally, the new Utah law requires that law enforcement agencies notify the owner of electronic information or data in question, or of the electronic device, once they have executed a search warrant to access that information. This must be completed within 14 days after law enforcement obtains the information pursuant to the warrant. Later, law enforcement must destroy the information in an unrecoverable manner as soon as reasonably possible after it was collected.

 Utah’s new law will no doubt impact how electronic communications and remote computer service providers handle law enforcement requests for electronic evidence – especially as other states follow Utah’s lead – and could well lead to litigation over how such state law requirements operate alongside the federal SCA. In this evolving legal landscape, providers of telecommunications, digital messaging, and other electronic communications or remote computing services should reexamine how they handle law enforcement requests for electronic evidence. Providers facing an uptick in electronic evidence requests may also want to consider sharing specific guidelines through the ISP List used by law enforcement agencies for sending requests.

Copyright © 2019 Womble Bond Dickinson (US) LLP All Rights Reserved.


About this Author

Allen O'Rourke, Womble Carlyle, Cybercrime Prosecution Lawyer, Breach Investigations Attorney

Drawing upon years of experience prosecuting cybercrime, Allen comes to the aid of clients affected by data breaches and cyber-attacks. He works with clients’ legal and information security teams to investigate cybersecurity incidents, coordinate the remediation of any breach, interface with law enforcement as appropriate, and ensure compliance with applicable data breach laws and regulations. In addition to incident response, Allen defends clients facing government investigations, regulatory enforcement actions, consumer class actions, and other litigation arising from...

Ernesto Mendieta Telecom Attorney

Ernesto Mendieta is an experienced bilingual attorney with a history of helping international clients resolve complex matters.  

Ernesto began his career in Mexico as an associate at one of the world’s largest law firms, before specializing in telecommunications law at Mexico’s preeminent telecommunication boutique firm. In that capacity, Ernesto worked with competitive carriers entering the Mexican telecommunications market on all aspects of regulatory compliance and corporate formation. He helped several U.S. companies start operations in Mexico as ISPs, MVNOs, resellers and e-commerce providers.

After earning an LL.M. from Georgetown University and passing the New York bar, Ernesto continued his career in the United States where he dedicated a substantial part of his practice to international investment arbitration as counsel in an ICSID arbitration proceeding brought pursuant to the North American Free Trade Agreement (NAFTA). In that role, Ernesto has coordinated with technical experts and economists from throughout the United States and Latin America.

In addition, Ernesto counsels domestic and foreign telecommunications companies on compliance with FCC regulations, including the Telephone Consumer Protection Act (TCPA), and assists companies with monitoring telecommunications policy developments at home and abroad that may impact their business.

*Ernesto Mendieta is not licensed to practice law in the District of Columbia. He is supervised by attorneys licensed to practice in the District of Columbia.