Protecting Privacy of Electronic Data

An increasing amount of personal information is being captured and stored electronically. For example, hospitals and other health care providers collect health information. Electronic communication providers such as Google and Facebook keep email and social media postings on their servers. And law enforcement captures and retains photos of license plates. In addition, new technologies such as drones with high-resolution cameras are able to observe areas where people have traditionally had heightened expectations of privacy. Current state law does not sufficiently address the privacy concerns that these trends raise.

The legislature passed a bill, S.155, that takes significant steps in addressing these concerns. It increases privacy protections for health and other personal electronic information. It also would address privacy concerns related to new technologies including drones used by law enforcement. In dealing with these areas, the law carefully balances personal privacy and public safety interests.

The bill addresses four separate areas, further explained below:

  • Enhances the State’s protection of health information
  • Sets guidelines for law enforcement’s use of drones
  • Establishes procedures for law enforcement to obtain electronic information from electronic communication providers
  • Reauthorizes law enforcement’s use of cameras to capture photos of license plates, but with additional protections related to the use of the captured data.

(1) As to health care privacy, the bill tracks existing privacy protections for protected health information contained in the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA generally prohibits health care providers, insurers, and others (defined as “covered entities”) from disclosing information about a person’s health condition and treatment (defined as “protected health information”). S.155 adopts the HIPAA definitions and prohibits, as a matter of State law, a covered entity from disclosing protected health information.

(2) The bill addresses the use of drones, primarily as used by law enforcement. (the Federal Aviation Administration regulates the private use of drones, so this legislation addresses that area only in a limited manner). Currently, drones are not widely used by law enforcement in Vermont. They could, however, become ubiquitous, particularly as technology advances and costs drop. Drones enable their users to peek into some spaces that may otherwise be difficult to observe, including some spaces where individuals have a reasonable expectation of privacy. In short, the use of drones has the potential to become pervasive and intrusive.

The general rule established by the bill is that a law enforcement agency cannot use a drone or information acquired through the use of a drone for the purpose of investigating, detecting, or prosecuting crime unless the agency has obtained a warrant or unless one of the court-recognized exceptions to the warrant requirement applies. These exceptions include exigent circumstances such as hot pursuit or assisting individuals who are seriously injured or threatened with imminent injury.

When a drone is used pursuant to a warrant or an exception to the warrant requirement, the drone must be operated in a manner intended to collect data only on the target of the surveillance and to avoid data collection on any other person, home, or area. Also, if a drone is used under the exigent circumstances exception to the warrant requirement, law enforcement must obtain a warrant within 48 hours of that emergency if it wishes to use any data collected.

This bill prohibits a law enforcement agency from using a drone to gather or retain data on private citizens peacefully exercising their constitutional rights of free speech and assembly. Law enforcement is not, however, prohibited from using a drone to observe public gatherings in real time for purposes of public safety. In addition, law enforcement agencies may use drones operated for purposes other than the investigation, detection, or prosecution of crime. They may use a drone for search and rescue operations and aerial photography for the assessment of accidents, forest fires and other fire scenes, flood stages, and storm damage.

Finally, taking a different tack than North Dakota, which has legalized drone-mounted tasers, the bill prohibits anyone from equipping a drone with a dangerous or deadly weapon or from firing a projectile from a drone.

(3) S.155 establishes the Vermont Electronic Communications Privacy Act (VECPA), which would address law enforcement access to e-mails, communications data, and other records held by electronic communications companies.  When an e-mail is sent from one person to another, the company that transmits it (Google, Comcast, AT&T, etc.) typically retains a copy of it. Any legal restrictions on law enforcement access to this type of data must be addressed statutorily because the courts have long held, under what is known as the “Third Party Doctrine,” that there is no constitutional protection under these circumstances. The rationale for the Doctrine is that when a person voluntarily turns over information to third parties (as a person does by sending an e-mail and knowing that the communications company will retain a copy), then the person has no legitimate expectation of privacy in the information. In such a situation, a warrant is not required when the third party is asked to provide the information to the government.

S.155 establishes statutory restrictions to protect against warrantless searches of electronic data held by third parties. It requires law enforcement to obtain a warrant before obtaining “protected user information,” defined as the content of the communication, location data, and the subject line of e-mails. A warrant must be based on probable cause to believe the information constitutes evidence of a crime or is relevant to an ongoing criminal investigation.

Law enforcement would not need a warrant to obtain “subscriber information,” which includes data such as names, e-mail addresses of senders and recipients, account numbers, and payment information. Rather, a law enforcement officer may “use legal process” to obtain such information. Information that does not fall into either category of protected user information or subscriber information is subject to a heightened subpoena standard. Such information might include IP addresses or metadata, which may only be obtained if it is relevant to an offense or reasonably calculated to lead to the discovery of evidence of the offense.

Disclosure of protected information without a warrant or subpoena would be permitted under existing, judicially-recognized exceptions to the warrant requirement. The bill would require law enforcement, with certain exceptions, to provide the person who is the target of the warrant with notice that the information was obtained.

(4) S.155 adds additional privacy protections related to the use of Automated License Plate Recognition (ALPR) data and extends a sunset provision to July 1, 2018, for existing law that regulates the use of such systems.  Cameras mounted on certain police vehicles capture photos of license plates, convert the photos into data, and upload the information to a central database maintained by the Vermont Technology Center (VTC). The units on police cruisers retain data for only seven days. The data in the central database can be retained for up to 18 months, however, or longer if extended by a court order. That data maintained by VTC can be accessed by law enforcement for “legitimate law enforcement purposes,” including the detection, investigation, analysis, or enforcement of a crime, or commercial traffic violation (or defending against the same); operation of an AMBER alert; or a missing or endangered person search. To obtain data from the VTC database during the first six months of its retention, law enforcement must provide specific articulable facts showing that there are reasonable grounds to believe that the data are relevant and material to an ongoing criminal, missing person, or commercial motor vehicle investigation or enforcement action. To obtain the data after that period but before the expiration of the 18-month retention period, law enforcement must obtain a warrant.