Capitol

This post was authored by Gage C. Dungy and James Van

Overview

On January 1, 2016, Senate Bill 178 (“SB 178”) – the California Electronic Communications Privacy Act – became law and is codified under Penal Code section 1546, et. seq.  This new law generally limits a government entity from being able to search or access information on an electronic device (e.g., smartphone, computer) or electronic information on a network (e.g., email) without a search warrant or court order.

SB 178 provides that a government entity shall not do any of the following:

(1)  Compel the production of or access to electronic communication information from a service provider.

(2)  Compel the production of or access to electronic device information from any person or entity other than the authorized possessor of the device.

(3)  Access electronic device information by means of physical interaction or electronic communication with the electronic device.

(Pen. Code, §§ 1546.1(a)(1)-(3).)

The legislative intent of SB 178 appears to be aimed at law enforcement agencies conducting criminal investigations. The use of the terms “law enforcement” and “police” generally throughout the bill’s analysis supports this conclusion.  For instance, the stated purpose of the bill is “intended to both codify and expand on existing case law to generally require law enforcement entities to obtain a search warrant before accessing data on an electronic device or from an online service provider.”].”  (Assembly Privacy and Consumer Protection)

Impact on Public Agency Employers

While this new law was generally intended to address privacy concerns around law enforcement searches of electronic devices and communications, if it is determined by courts to broadly apply to government entities it may negatively affect the ability to conduct such searches of an employee’s electronic devices or communications.

SB 178 generally protects an “authorized possessor” of electronic devices, defined as “the possessor of an electronic device when that person is the owner of the device or has been authorized to possess the device by the owner of the device.” (Pen. Code, § 1546(b).)  (emphasis added).  A government entity may only access electronic information “with the specific consent of the authorized possessor of the device.”  (Pen. Code, §§ 1546.1(c)(3).) (emphasis added).

  1. Searches of Government Employer Owned Devices and Electronic Information

We do not believe that this section of SB 178 would be interpreted to allow a public employee who has been provided an electronic device owned by the government entity to exert the rights of an “authorized possessor” under this law and decline a search by the government entity that actually owns the electronic device.  Nonetheless, this ambiguity in the law does highlight the importance for public agencies to clarify in their electronic use policies that an employee’s use of an electronic device owned by the government agency is subject to search and the obligation to surrender the electronic device at any time by the public agency.

In addition, SB 178 does not say that a government entity is prohibited from searching for electronic information on its own network or email system. Rather, the statute provides that a search to “compel the production of or access to electronic communication information from a service provider” can only occur with a warrant or court order. Therefore, SB 178 does not appear to apply to searches of an internal network or email system maintained by the government entity itself.  Interpreting the statute’s restrictions otherwise would mean that a government entity that maintains its own network and email system needs a warrant or court order to search its own network and email system.  We do not believe that is reasonable, nor what the Legislature intended through the passage of SB 178.

  1. Searches of Employee’s Personally Owned Devices or other Electronic Information Not Maintained by the Government Employer

Importantly, the statutory language in SB 178 does appear to limit a government entity from searching an employee’s personal electronic device and personal electronic information maintained by a service provider (e.g., personal email account such as Gmail or Yahoo).  This is because when it comes to such electronic devices, the government entity is not the owner or the “authorized possessor” of the device.  In the case of an employee’s personally owned cell phone, the employee is the owner and/or “authorized possessor” of the cell phone and would either have to give permission to a government entity to search the device or the government entity would have to get a search warrant/court order to conduct such a search of the device.

The same result would also most likely apply for searches of other electronic information provided by an outside service provider.  To the extent that a government entity does not directly control an employee’s electronic information that is being sought, the government entity would need to get permission from the employee to search it or otherwise get a warrant or court order to compel a third party service provider to disclose such information.

Conclusion

While the impact of SB 178 on government entities in the employment context is not yet entirely clear, here are a few best practices public employers can take:

  • Review and revise electronic communications policies to limit an employee’s expectations of privacy in the use of government-owned electronic devices and the use of work email maintained by the governmental entity;
  • Reinforce that a public employee’s authorization to use a government-owned electronic device is at the sole discretion of the government entity and can be modified or revoked at any time, that such electronic devices are subject to search, and an employee is obligated to surrender the electronic device back to the government entity at any time; and
  • Seek legal counsel before compelling a public employee to allow a search of their personally owned electronic devices or of personal electronic information that is maintained by an outside service provider and not directly controlled by the government entity.