On October 8, 2015, Governor Brown signed into law SB 178, titled “Electronic Communications Privacy Act” (“ECPA”). SB 178 amends California’s Penal Code to require that any law enforcement agency or other government entity must obtain a search warrant or court order before it can search or obtain access to any electronic data stored on smart phones, tablets, computers or other electronic devices. While the purpose of this bill was to protect privacy rights of consumers, some public sector unions appear to be taking the position that the law should also apply to government entities in their role as employer, which, if true, could potentially create numerous administrative hazards and complications.
SB 178: The Basics
SB 178, to be codified at Penal Code §§ 1546, et seq., was designed to preclude government agencies from accessing electronic data such as text messages, emails, and photos from consumers without first obtaining a search warrant. The law was lobbied for by entitles such as the American Civil Liberties Union and Electronic Frontier Foundation. California now becomes the third state, the other two being Maine and Utah, to have codified statutory protections against warrantless searches of electronic communication information.
The law, which will take effect on January 1, 2016, applies to any government entity, which is defined as “a department or agency of the state or a political subdivision thereof, or an individual acting on behalf of the state or a political subdivision thereof.”
Prior to SB 178, law enforcement agencies were sometimes able to obtain such data through a subpoena. Now, a government entity will generally need a warrant or court order to compel the production of or obtain access to electronic communication information from an individual or a service provider.
SB 178: Potential ISSUES for Public Agency Employers
In reviewing the legislative history of SB 178, it does not appear the Legislature considered – and likely the bill was not intended to apply to – government entities as employers. Nevertheless, a handful of employee organizations appear to be taking the position that the broad sweep of this bill, intentional or otherwise, requires that a governmental entity apply for a warrant or court order to search for or have access to the electronic information on the devices of its employees, including those devices issued to employees by the employer.
Generally, in an investigation of employee misconduct – conducting personal business on the public agency’s time or harassment or discrimination allegations, for example – an employer may require access to emails, voicemails or text messages that are not stored on the employer’s server but are found on smart phone devices issued by the public agency for employee use. SB 178 does not expressly distinguish as between a governmental entity as an employer and one acting pursuant to its police power. Accordingly, if courts were to apply the language of the statute as advocated by certain by public sector unions, this law could potentially create a nightmare scenario for a public agency attempting to conduct a personnel investigation into allegations of employee misconduct. This is, in part, because search warrants are generally available only where there is probable cause a crime has been committed. Given that most employee misconduct does not involve criminal activity, the practicality of obtaining a warrant is severely limited in most instances. Moreover, the time and costs associated with seeking a warrant would render it prohibitive in many instances.
Notably, the statute generally protects “authorized possessor[s]” of devices, defined as the owner of an electronic device or an individual who “has been authorized to possess the device by the owner of the device.” (Penal Code, § 1546(b).) With respect to devices owned by government employers and issued to employees for job-related use, agencies routinely have the power of revoking agency-issued phones at any time, which would seemingly render the employee no longer an “authorized possessor” under the statute. Of course, for personal phones or electronic devices, the employer would have less control or ability to demand the opportunity to review such devices.
IMPACT AND BOTTOM LINE
While it is true that the statute does not seem to identify an exemption for public agencies acting as employers, the nature of the statute itself and the location of it within California’s Penal Code, seem to belie any intention of the Legislature to make these rules apply to public entity employers and devices owned by such employers and assigned to employees. In other contexts, courts have found principles of sovereign immunity and related concepts to bar the application of otherwise applicable laws to public entity employers absent an express statement. (See, e.g., Campbell v. Regents of the University of California (2005) 35 Cal.4th 311.) Moreover, the United States Supreme Court recently held that Fourth Amendment protections against unreasonable searches and seizures did not apply to a police department’s audit of personal cell devices issued to officers insofar as they did not possess a reasonable expectation of privacy in text messages on department-issued phones. (See City of Ontario v. Quon (2010) 560 U.S. 746.)
Nevertheless, because of the murky and potentially ambiguous language of the statute, it is anticipated that public employees may cite this law to avoid turning over electronic data. This issue is still developing and something of which public employers will want to remain aware and stay on top of.
For more information, contact Steve Shaw (firstname.lastname@example.org, 415-678-3806)