(a) Absent federal, state, or local law to the contrary, agencies may request that a third party (an individual or an entity) turn over, or provide access to, data, records, or physical evidence that either belong to, or contain personally identifiable information about, an individual who is the target of an investigation. When making such a request, agency officials should provide written or oral notice to the third party that makes clear whether there is any legal obligation to comply and, if not, that the third party will face no negative consequences for declining the request.
(b) Legislatures should adopt statutes regulating agency access to personally identifiable data, records, or physical evidence held by nongovernmental entities, as well as to data gathered by government agencies for purposes other than the investigation of unlawful conduct. In doing so, legislatures should consider:
- (1) whether the entity or agency that holds the data should be permitted to disclose the information to law-enforcement officials in the absence of a court order, a warrant, or a written request;
- (2) the predicate or level of cause that an agency must have in order to request data or records;
- (3) the process, if any, with which the agency must comply to obtain the information, including whether a warrant, subpoena, or other order is required;
- (4) the circumstances pursuant to which the entity or agency that holds the data should be permitted or required to notify the individual whose personally identifiable information is contained in the data or records at issue regarding the order or request; and
- (5) whether to impose any limitations on how any data that are acquired may be used or retained.
(c) Orders prohibiting third parties from disclosing to the target of an investigation that a government agency has requested or demanded the target’s personally identifiable information should be issued only by a court of law, should be subject to challenge by the entity that holds the records, should be used sparingly, and should be limited to a set period of time. Such orders should be based on a showing that disclosure would significantly impair a specific and ongoing investigation and, absent extraordinary circumstances, should be used only to delay notification rather than to prohibit it entirely.
Comment:
a. Animating concerns. The acquisition of information from third parties implicates two sets of interests: the interests of the third party from whom the government seeks the information, and the interests of the individual or entity about whom the government seeks information. Although present law conflates them at times, these two sets of interests are distinct.
With regard to the entity or individual who is subject to the order or request, there are a number of related concerns. When the government seeks access to data, records, or physical evidence held by a third party, a chief concern is that the third party may feel obligated to comply even if law enforcement lacks the authority to require compliance. A storeowner, for example, may fear that denying a request for information would lead police officials to conclude that the storeowner himself or herself has something to hide—and therefore might comply even though he or she would strongly prefer not to do so. Although individuals and entities should of course feel free to share information with law enforcement, it is essential to ensure that they do so understanding whether they in fact have the right to refuse the request. A related concern, which applies both to requests and compulsory orders, is that repeated requests for information may impose significant burdens on the individual or entities subject to the requests, including the time it takes to respond to them. Requests also potentially implicate the relationship between the entity and its customers. Companies may lose business after it becomes publicly known that they have shared data and records with law-enforcement agencies.
With regard to the individuals about whom the information is sought, the concern is that third parties hold a great deal of sensitive information that individuals may not wish to have disclosed to the government. As discussed above, banks hold our financial records and credit-card purchase histories; cellular-phone providers know our location and communication history; e-mail providers and cloud-storage providers store our e-mails, documents, and photographs. Courts have recognized that the acquisition of certain kinds of information from third parties—including e-mails and long-term location-tracking information—may in fact constitute a search within the meaning of the Fourth Amendment. But even if the acquisition is not considered a search, it nevertheless may implicate important interests that warrant at least some regulation. And in fact, legislatures have long recognized this to be the case. A panoply of federal laws regulate law-enforcement access to a variety of records held by third parties—from health records to video-store-rental histories. But, as commentators have pointed out, there are notable gaps. The goal of this Section is to encourage comprehensive regulation of access to third-party records and provide some guidance to legislatures in deciding what sort of regulation may be warranted.
b. Scope. This Section applies to any government acquisition of data, records, or physical evidence from a third party, i.e., from someone other than the individual who either owns the data, records, or property, or whose personally identifiable information is contained in the data or records. This includes, for example, bank records and credit-card receipts, metadata from e-mails or text messages, location information from cellular phones or GPS devices, hotel registries, and video footage from pawnshops and convenience stores. Acquisition of these data, either through purchase or compulsory process, is considered “information gathering” for the purposes of these Principles, and also must comply with the requirements of either Chapter 3 or Chapter 5.
Subsection (b) of this Section, which urges legislative regulation of police access to personally identifiable data and records, applies not only to requests for information from private parties, but from other government agencies as well, to the extent that the information at issue was obtained originally for purposes other than the investigation of unlawful conduct. What both private and public databases have in common is that they contain vast stores of personal information about the day-to-day lives of individuals, the vast majority of whom are innocent of any prohibited conduct. Government agencies, like private companies, provide a variety of public-service functions, from housing to medical care; in doing so, they gather a great deal of sensitive information about the individuals who rely on those agencies for services. The individuals who look to the government to provide essential services should not necessarily lose any expectation of privacy in the information that they provide.
Legislatures should, consistent with this Section, give careful consideration to whether, and under what circumstances, data gathered by government agencies for non-law enforcement purposes should be made available to policing agencies for the purpose of investigating unlawful conduct. And even in the absence of legislative action, Chapters 3 and 5 make clear that the agencies themselves should have policies in place to regulate when and how data and records kept by other agencies may be accessed and used. Chapter 6 performs the same function with respect to databases maintained by law-enforcement agencies themselves.
c. Minimizing coercion. Agencies should inform third parties in writing or orally whether they have a legal obligation to comply with a request for information and, in the absence of such an obligation, should inform them that they will face no negative consequences for declining the request. This Section strikes a balance between the government’s need to obtain information from third parties, who often are willing to cooperate with law enforcement, and the interest in ensuring that those who wish for whatever reason to withhold their cooperation and insist on legal process understand whether they are within their rights to do so. A familiar and oft-used strategy for balancing these competing goals is for agencies to provide express notice to third parties of their rights and obligations.
Importantly, unlike the Principle on first-party consent searches set forth in § 4.06, this Section does not require that officers have reasonable suspicion of unlawful conduct before requesting data, records, or physical evidence from a third party; nor does it require that officers obtain written consent. The difference in approach reflects a number of important distinctions between first-party and third-party consent searches. As discussed in greater detail in § 4.06, when an officer asks someone for permission to search his or her own person or property, the request itself communicates some degree of suspicion of wrongdoing. As such, it is inherently more coercive and also can undermine police legitimacy if it is perceived to be arbitrary, unfounded, or racially biased. The decision to consent to a search of one’s own property, particularly if there is in fact evidence of wrongdoing to be found, is often more consequential for the individual involved. It therefore is imperative to ensure that individual has been apprised of his or her right to refuse. Although these concerns are not entirely absent in the context of third-party searches—a pawnshop owner, for example, may himself or herself become the target of an investigation if it turns out that he or she had not kept proper records—they are nevertheless more limited and, for that reason, the more modest requirement of notice regarding the third party’s rights and obligations likely is sufficient to protect the interests involved.
d. Legislative regulation. Although there is a great deal that legislatures can do to regulate the various policing practices discussed throughout these Principles, government access to third-party databases is one area in which legislative action is particularly essential. And, in fact, legislatures generally have played a more active role. Congress has adopted more than a dozen statutes to regulate access to various kinds of personally identifiable information, ranging from bank records to cable-subscriber data. State legislatures have imposed additional restrictions.
Many of these statutes rely on a combination of the five protections described in subsection (b). A number of federal statutes, including the Cable Communications Privacy Act, 47 U.S.C. § 551, prohibit third parties from disclosing certain kinds of information to the government in the absence of a court order or written consent from the individual whose records are sought. Others permit third parties to disclose information in response to a written request from the agency itself but nevertheless impose some constraints, ranging from relevance to probable cause, on when information may be sought. Some of these statutes also require the third party to notify the individual about the government’s request so that the individual may challenge the request in court. Finally, existing statutes impose a variety of constraints on how the information that the government obtains may subsequently be used. For example, the Right to Financial Privacy Act, 12 U.S.C. § 3401 prohibits the requesting agency from transferring data to another government agency unless that agency also complies with certain procedural requirements.
e. Gag orders. In some cases, the government agency requesting the information may not want the target of an investigation to know that a request has been made. Particularly in the early stages of an investigation, notification may permit the target to destroy evidence or coordinate with potential witnesses, thereby thwarting the government’s efforts to bring the person to justice. For this very reason, search warrants typically are obtained through ex parte proceedings and are kept under seal until a search is conducted.
At the same time, in the absence of notification, the individual whose records are sought may have no opportunity to challenge the government’s request. Indeed, the target may never learn that a request had been made, even after the investigation is complete. This distinguishes third-party searches from more traditional searches and seizures that typically put the target on notice that a search has been conducted. Gag orders also prevent the third parties from exercising any independent interest they may have in disclosing the frequency, nature, and burdens of information requests in order to facilitate legislative regulation and public debate.
For these reasons, “gag orders” prohibiting third parties from disclosing government requests to their customers should be used sparingly and, more importantly, should be carefully regulated by the courts so that there is at least some neutral party from outside the agency to review the request in order to ensure that it complies with applicable law. Gag orders should not be issued by the agency itself. And they generally should be used to delay notification only until the investigation is complete, and not to prohibit it entirely. Any gag order should be limited in time and expire automatically, rather than being indefinite. While a number of federal privacy statutes already require judicial supervision of gag orders, that has not always been the case, particularly in the national-security context. As a result, federal law-enforcement agencies have requested hundreds of thousands of records from third parties without any meaningful judicial or public oversight of whether these requests have in fact been legitimate. National-security investigations may raise a distinct set of concerns, and they may require supervision from a specialized court. But as a number of leading voices, including a 2013 presidential commission, have recognized, such concerns are insufficient to trump the basic principle regarding the need for external oversight when important privacy rights are at stake.
Subsection (c) does not preclude policing agencies from requesting that a third party keep a request for information confidential for a specified period of time. But, consistent with subsection (a), such a request should make clear that the third party is under no obligation to comply and will not in fact be sanctioned in any manner for noncompliance. And, as described in subsection (b)(4), legislatures may decide for certain categories of information to require notification to targets as a matter of course, subject to specific exceptions and overseen by the courts.
Reporters’ Notes
1. Animating concerns. Increasingly, the information that government agencies seek to obtain is in the hands of third parties, that is, individuals or entities that are not themselves the target of the investigation. See Richard A. Posner, Privacy, Surveillance, and Law, 75 U. Chi. L. Rev. 245, 248 (2008) (“[A] person would have to be a hermit to be able to function in our society without voluntarily disclosing a vast amount of personal information to a vast array of public and private demanders.”); Daniel J. Solove, Digital Dossiers and the Dissipation of Fourth Amendment Privacy, 75 S. Cal. L. Rev. 1083, 1089-1095 (2002) (describing the vast amount of information that third parties hold on their users). Companies like Google, Dropbox, and Facebook maintain a record of all of our e-mails, photos, documents, online search histories, and conversations with friends and acquaintances. Cell-phone providers have a record not only of every number a person has called, but also the phone’s location throughout the day. Banks and credit-card companies maintain a detailed log of individuals’ purchases and transactions. See, e.g., David Gray & Danielle Citron, The Right to Quantitative Privacy, 98 Minn. L. Rev. 62, 139 (2013); Deirdre K. Mulligan, Reasonable Expectations in Electronic Communications: A Critical Perspective on the Electronic Communications Privacy Act, 72 Geo. Wash. L. Rev. 1557, 1572-1576 (2004); Peter C. Ormerod & Lawrence J. Trautman, A Descriptive Analysis of the Fourth Amendment and the Third-Party Doctrine in the Digital Age, 28 Alb. L.J. Sci. & Tech. 73, 146-148 (2018).
Courts, commentators, and policymakers have long recognized the importance of regulating government access to third-party data. See Carpenter v. United States, 138 S. Ct. 2206 (2018) (“As with GPS information, the time-stamped data provides an intimate window into a person’s life, revealing not only his particular movements, but through them his ‘familial, political, professional, religious, and sexual associations.’ These location records ‘hold for many Americans the ‘privacies of life.’”); Christopher Slobogin, Privacy at Risk 216 (2007) (“Technology has reduced or eliminated the practical and fiscal barriers that used to keep law enforcement officials from peering into our homes, watching us on the streets, and accessing our personal records. So today we must depend on the law to keep those barriers intact.”); Orin S. Kerr, The Fourth Amendment and New Technologies: Constitutional Myths and the Case for Caution, 102 Mich. L. Rev. 801, 838 (2004) (“Additional privacy protections are needed to fill the gap between the protections that a reasonable person might want and what the Fourth Amendment actually provides.”); Erin Murphy, The Case Against the Case for Third-Party Doctrine: A Response to Epstein and Kerr, 24 Berkeley Tech. L.J. 1239, 1250-1253 (2009) (discussing possible methods to allow for more protection of information held by third parties); Daniel K. Solove, Digital Dossiers and the Dissipation of Fourth Amendment Privacy, 75 S. Cal. L. Rev. 1083, 1151-1167 (2002) (discussing the need for more protection for information held by third parties and suggesting methods to accomplish this).
And yet, the existing regulatory framework is a patchwork quilt—with more than a few holes. Under the “third-party doctrine,” government access to third-party records traditionally has been exempt from Fourth Amendment scrutiny on the grounds that it is not a “search.” See, e.g., United States v. Miller, 425 U.S. 435, 442-443 (1976) (no Fourth Amendment interest in bank records); Smith v. Maryland, 442 U.S. 735, 743-744 (1979) (phone records). More recently, the Court in Carpenter signaled that government access to at least certain kinds of records—such as detailed location histories, or perhaps the content of e-mail communications—would indeed constitute a search for Fourth Amendment purposes, but the Court declined to overturn the third-party doctrine in its entirety, leaving broad swaths of third-party records beyond the Fourth Amendment’s reach. Carpenter, 138 S. Ct. at 2216-2217 (refusing to extend the third-party doctrine of Miller and Smith to cell-site location information while affirming the continued validity of the third-party doctrine); Orin S. Kerr, The Digital Fourth Amendment(2016) (“Carpenter therefore does not disturb the traditional third-party doctrine cases of Smith and Miller. . . . Carpenter only regulates new law enforcement capacities that did not exist or were rare before the digital age.”); Alan Z. Rozenshtein, Fourth Amendment Reasonableness After Carpenter, 128 Yale L.J.F. 943, 946 (2019) (noting that “[a]lthough the Court did not overrule the third-party doctrine, it substantially limited its scope”).
More than a dozen federal statutes regulate government access to various categories of documents and data, from medical records to video-store rental histories. See Erin Murphy, The Politics of Privacy in the Criminal Justice System: Information Disclosure, the Fourth Amendment, and Statutory Law Enforcement Exemptions, 111 Mich. L. Rev. 485, 546 app. (2013) (listing major federal privacy statutes); see, e.g., Video Privacy Protection Act, 18 U.S.C. § 2710 et seq. (protecting information held by “video tape service providers”); Internal Revenue Code (Tax Reform Act of 1976), 26 U.S.C. § 6103 (protecting tax information); Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g (protecting personal information held by educational institutions); Bank Records Act, 12 U.S.C. § 1952 (protecting bank records). But many of these statutes, most notably the Electronic Communications Privacy Act (ECPA), 18 U.S.C. § 2510, were adopted before the explosive growth of the internet and thus are ill-suited to addressing modern regulatory needs. See Orin S. Kerr, The Next Generation Communications Privacy Act, 162 U. Penn. L. Rev. 373, 390-410 (2014) (explaining that key distinctions drawn by ECPA largely do not make sense in the internet age); Daniel J. Solove, Reconstructing Electronic Surveillance Law, 72 Geo. Wash. L. Rev. 1264 (2004) (discussing problems with electronic surveillance law, including “gaps, lapses in protection, inadequate standards for obtaining authorization to engage in surveillance, and weak enforcement devices”). For instance, under the Stored Communication Act, the government can obtain e-mails that have been stored for more than 180 days with a court order. See 2703 U.S.C. § 2703(a)–(d). In short, this is an area that is ripe for legislative action. See Orin S. Kerr, A User’s Guide to the Stored Communications Act, and a Legislator’s Guide to Amending It, 72 Geo. Wash. L. Rev. 1208, 1233-1235 (2004) (proposing amending the Stored Communications Act to provide more protection for stored content).
The challenge with developing a set of principles to regulate access to information held by third parties is that the interests at stake vary considerably depending on the information at issue and the expectations surrounding its disclosure and use. There are important differences, for example, between physical goods held by a pawnshop and detailed financial statements held by a bank. And it makes sense to regulate them differently. See ABA Standards for Criminal Justice: Law Enforcement Access to Third Party Records 19 (2013) (proposing different classifications for different types of data depending on a variety of factors); Christopher Slobogin, The World Without a Fourth Amendment, 39 UCLA L. Rev. 1, 68-75 (1991) (proposing the “proportionality principle” whereby the level of certainty required to justify a police action depends solely on the level of intrusiveness of the action); cf. General Data Protection Regulation Articles 5, 9 (European Union privacy law establishing greater protection for “special categories” of personal data, including data that reveals an individual’s race, sexual orientation, or political views). At the same time, some of the concerns with third-party information-gathering—most notably the interests of third-party record holders—are present whenever police officials seek to obtain evidence or records from third parties.
For this reason, this Section adopts a two-pronged approach. Subsections (a) and (c) set out two core principles that ought to apply to all requests for evidence or records from third parties. Subsection (b) urges legislatures to consider additional safeguards and sets out specific questions that any regulatory scheme ought to address.
2. Minimizing coercion. Subsection (a) recognizes that third parties may often be willing to cooperate with police investigations and that absent federal, state, or local law to the contrary, police officials should be permitted to ask third parties for access to evidence or records without resorting to compulsory process. See Developments in the Law: More Data, More Problems, 131 Harv. L. Rev. 1714, 1725 (2018) (noting that technology companies “can be persuaded to cooperate with law enforcement by appealing to their patriotism and desire to maintain positive relationships with their regulators—even in the absence of appropriate legal process”); Jon D. Michaels, All the President’s Spies: Private–Public Intelligence Partnerships in the War on Terror, 96 Calif. L. Rev. 901, 910-919, 926-927 (2008) (same). At the same time, repeated requests for data or records may impose considerable burdens on third parties. Requests for User Information, Google, https://transparencyreport.google.com/user-data/overview (showing that Google received over 75,000 user-data disclosure requests from the government in the first six months of 2019 and that Google produced data in response to nearly three-quarters of these requests); Center for Strategic & International Studies, Low-Hanging Fruit: Evidence-Based Solutions to the Digital Evidence Challenge (2018) (finding that in 2017, U.S. law enforcement made over 650,000 requests for digital evidence from major telecommunications and social-media companies). And some companies may face considerable pressure from consumers to keep records private. See, e.g., Orin S. Kerr, The Case for the Third-Party Doctrine, 107 Mich. L. Rev. 561, 598 (2009) (“Protecting customer privacy is good for business, and third-party record holders often have a considerable incentive to keep the government at bay.”). On the other hand, there is an inherent element of coercion in all police–citizen encounters that exists even when it is apparent that the police are investigating someone else. See Erin Murphy, The Case Against the Case for Third-Party Doctrine: A Response to Epstein and Kerr, 24 Berkeley L.J. 1239, 1251-1252 (2009) (noting that the voluntariness fiction is even more doubtful with regard to third parties, who lack the “clear instincts against complying” that data subjects may have). To balance these competing concerns, subsection (a) encourages police officials to make clear, if the law allows, that third parties have the right to deny any request for information without risking any negative consequences for doing so. Id. at 1253 (2009) (proposing that third parties should be informed of the data subject’s Fourth Amendment right to keep the information from the government without a warrant and probable cause).
3. Gag orders. Subsection (c) urges sharp limits on the use of gag orders that are used to prevent third parties from disclosing government requests for information, either to the individual whose information is sought or to the public at large. The need for limits on disclosure, at least in some circumstances, is readily apparent: Gag orders can prevent the data subject from fleeing, destroying evidence, or attempting to intimidate potential witnesses. See Jennifer Daskal, Notice and Standing in the Fourth Amendment, 26 Wm. & Mary Bill Rts. J. 437, 440 (2017) (listing legitimate reasons for delaying or precluding notice to the data subject); Stephen Wm. Smith, Gagged, Sealed & Delivered: ECPA’s Secret Docket, 6 Harv. L. & Pol’y Rev. 313, 315 (2012) (same). At the same time, their use raises a number of serious concerns. Chief among them is the fact that gag orders can shield government requests for information from any meaningful judicial scrutiny. This is because the third parties who hold the data often have less of an incentive to challenge the request, and in some contexts may in fact lack standing to do so. See, e.g., Daskal at 49 (explaining the standing problem and giving examples of judicial decisions holding that third parties lack standing); Developments in the Law: More Data, More Problems, 131 Harv. L. Rev. 1714, 1759 (2018) (noting that data subjects are unaware of the surveillance and thus cannot challenge it and that it is within a data-holder’s discretion whether to challenge such surveillance). Gag orders also interfere with public accountability by withholding from the public and from legislators the information necessary to evaluate how orders and requests for information are used. Hannah Bloch-Wehba, Exposing Secret Searches: A First Amendment Right of Access to Electronic Surveillance Orders, 93 Wash. L. Rev. 145 (2018). These concerns are heightened substantially when gag orders are issued by an agency itself, in the absence of judicial review to ensure its necessity and limit its scope. See Liberty and Security in a Changing World: Report and Recommendations of the President’s Review Group on Intelligence and Communications Technologies 93 (raising significant concerns about the Federal Bureau of Investigation’s authority to issue National Security Letters with gag-order provisions and urging Congress to require judicial oversight).
In view of these competing concerns, various statutes and internal agency regulations have embraced the sorts of limits urged here. A number of statutes, for example, permit delayed notification but make clear that eventually, the target must be told. See Daskal, at 442 (noting that some federal statutes permit delayed notification). The U.S. Department of Justice likewise has instructed attorneys not to seek indefinite gag orders. See Memorandum from Rod. J. Rosenstein, Deputy Attorney Gen., U.S. Dep’t of Justice, to Heads of Dep’t Law Enf’t Components et al., Policy Regarding Applications for Protective Orders Pursuant to 18 U.S.C. § 2705(b) (Oct. 19, 2017) (limiting gag orders to one year in duration, with the possibility of extension in limited circumstances) https://www.justice.gov/criminal-ccips/page/file/1005791/download. Similarly, a number of statutes already provide for judicial review, at least in some circumstances. See 18 U.S.C. § 3511 (outlining the court-review process when the government seeks information under certain parts of the Stored Communications Act, Fair Credit Reporting Act, Right to Financial Privacy Act, and National Security Act).
4. Need for legislative regulation. The threshold question is whether third parties should be permitted to disclose information or evidence to police officials on their own volition. A number of federal privacy statutes prohibit record holders from disclosing certain kinds of information to government officials in the absence of a court order, subpoena, or official written request. See e.g., Right to Financial Privacy Act, 12 U.S.C. § 3402 (prohibiting the government from obtaining financial records of a customer from a financial institution absent an administrative subpoena, search warrant, judicial subpoena, or a formal written request); Internal Revenue Code, 26 U.S.C. § 6103 (requiring a written request before the IRS may disclose tax-return information to state or local law enforcement agencies); Video Privacy Protection Act, 18 U.S.C. § 2710 (prohibiting videotape-service providers from disclosing personally identifiable information to law enforcement unless it is pursuant to a warrant, grand jury subpoena, or court order); HIPAA Privacy Rule, 45 C.F.R. § 164.512 (allowing disclosure of protected health information to law enforcement pursuant to a court order, warrant, or subpoena); Ariz. Rev. Stat. § 41-151.22 (prohibiting libraries from releasing its records absent written consent of the user or a court order); Cal. Gov’t Code § 6267 (same); Me. Stat. tit. 35-A, § 9301 (prohibiting a broadband internet-service provider from “disclos[ing], sell[ing] or permit[ting] access to customer personal information” absent a court order). See generally, Kiel Brennan-Marquez, The Constitutional Limits of Private Surveillance, 66 Kan. L. Rev. 485 (2018) (raising additional concerns about third-party collection of information that is then shared with government agencies).
These sorts of provisions recognize that although an entity may have custody of certain documents or records, the records implicate the privacy interests of the individual whose information they contain and, consequently, a third party should not be able to make the unilateral decision to disclose them to anyone, government officials included. These restrictions also ensure, at a minimum, that there is an official record of all requests for information and that government officials cannot circumvent statutory requirements like warrants or court orders by approaching entities directly. See Christopher Slobogin, World Without a Fourth Amendment, 39 UCLA L. Rev. 1, 12 (1991) (explaining that requiring ex ante review of proposed investigative actions forces “investigatory officials to justify their actions before the fact” and curtails possible illegality); Robert S. Litt, The Fourth Amendment in the Information Age, 126 Yale L.J.F. 8, 16 (2016) (noting that providing for oversight and accountability for investigations helps “ensure compliance with reasonable restrictions on [data] collection and use”).
Legislatures also should determine what predicate or level of cause is necessary to request or compel disclosure of data, records, or physical evidence and the process, if any, with which an agency must comply. As discussed in greater detail in § 2.02, which applies to information gathering more broadly, predicates and process serve a number of important purposes: they limit unnecessary intrusions, guard against arbitrary or discriminatory policing, and ensure that there is some external oversight over government intrusions into private lives. At the same time, a demanding predicate will, almost by definition, preclude access to information in the early stages of an investigation. Existing statutes have balanced these competing interests in various ways. Some statutes, for example, require a relatively high level of cause. See, e.g., ECPA, 18 U.S.C. § 2518 (requiring probable cause to intercept wire, oral, or electronic communications); Cable Communications Policy Act, 47 U.S.C. § 551 (requiring officials to provide “clear and convincing evidence that the subject of the information is reasonably suspected of engaging in criminal activity” before obtaining customer data from a cable provider). Other statutes require a lower level of cause but nevertheless provide for judicial supervision. For example, in order to obtain tax information from the IRS for non-tax-related investigations, law-enforcement officials must obtain an order from a federal judge that is based on “reasonable cause” to believe that the return is relevant to an investigation of a specific crime. Internal Revenue Code (Tax Reform Act of 1976), 26 U.S.C. § 6103(i)(1)(B); see also Fair Credit Reporting Act, 15 U.S.C. § 1681b(a)(1) (court order based on relevance); Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g(b)(2)(B) (court order based on relevance). On the lowest end of the cause spectrum, the Driver’s Privacy Protection Act, 18 U.S.C. § 2721, permits state departments of motor vehicles to disclose personal information it holds on drivers to law enforcement “in carrying out its functions.”
Another important question relates to a third party’s right—or perhaps even obligation—to disclose any government requests for information to the individual whose personally identifiable information the records contain. See Microsoft, Six Principles for International Agreements Governing Law-Enforcement Access 1 to Data, https://blogs.microsoft.com/wp-content/uploads/prod/sites/5/2018/09/SIX-PRINCIPLES-for-Law-enforcement-access-to-data.pdf (proposing a set of principles to govern law-enforcement access to information, including that “[a]bsent narrow circumstances, users have a right to know when the government accesses their data, and cloud providers have a right to tell them”). As discussed above, disclosure facilitates both judicial supervision and public oversight. Although most federal statutes permit disclosure (or at least do not prohibit disclosure), some actually require it. See, e.g., Genetic Information Nondiscrimination Act, 42 U.S.C. § 2000ff(b)(3)(B) (requiring notification of the data subject when genetic information is disclosed in response to a court order if the court order was obtained without the knowledge of the data subject); Right to Financial Privacy Act, 12 U.S.C. § 3412(b) (requiring the agency to send a notice to the data subject when the data subject’s financial records are transferred from the agency that originally obtained the records to another agency or department); Video Privacy Protection Act, 18 U.S.C. § 2710(b)(3) (requiring prior notice to the customer if a videotape-service provider discloses personally identifiable information to law enforcement). And at least one court has held that notice may in fact be constitutionally required if a target of government surveillance ultimately is prosecuted criminally. United States v. Moalin, Slip. Op. 3:10-cr-04246-JM-3, at 7 (9th Cir. Sept. 2, 2020).
Finally, it is essential that legislatures consider limits on how information gathered from third parties may be used or retained. Although there is a tendency for government agencies to wish to hold onto information indefinitely, doing so can significantly increase the privacy and associational concerns at play. See Daniel J. Solove, Digital Dossiers and the Dissipation of Fourth Amendment Privacy, 75 S. Cal. L. Rev. 1083, 1107 (2002) (arguing that unregulated collection, availability, and retention of data from third parties can significantly interfere with First Amendment rights to free association and expression).Permitting agencies to hold onto third-party records indefinitely—and to access them for any purpose—can facilitate precisely the sorts of “fishing expeditions” that the Framers of the Constitution were concerned about. Id. See also Elizabeth E. Joh, Reclaiming “Abandoned” DNA: The Fourth Amendment and Genetic Privacy, 100 Nw. L. Rev. 857, 877 (2006). It also increases the likelihood that the information may be deployed in impermissible ways, or simply put it to uses that the legislators who authorized collection never intended. See, id., at 1109-1112 (noting that retained information could be used to round up disfavored groups or individuals and that “unscrupulous government and law enforcement officials can abuse the availability of personal information databases’); Erin Murphy, Relative Doubt: Familial Searches of DNA Databases,109 Mich. L. Rev. 291, 326 (2010) (pointing out that “familial” DNA searches potentially exceed the scope of legislative authorization and thwart public accountability). For these reasons, a number of federal statutes impose at least some limitations on retention and use. See, e.g., DNA Identification Act, 34 U.S.C. § 12592(d) (requiring agencies to purge DNA records if an individual’s conviction is overturned or if charges are dismissed); Right to Financial Privacy Act, 12 U.S.C. § 3412(a), (f)(2) (limiting the transfer of personally identifiable financial information between agencies, as well as the purposes for which transferred information may be used); cf., Cable Communications Privacy Act, 47 U.S.C. § 551(e) (2006) (requiring cable providers to themselves destroy information when it is “no longer necessary for the purpose for which it was collected and there are no pending requests or orders for access.”); see also Chapter 6 (providing principles governing the retention of and access to police databases, including records obtained from third parties).