On March 14, 2013, the United States District Court for the Northern District of California granted a motion to prohibit the government from issuing National Security Letters (“NSLs”) to electronic communication service providers (“ECSPs”) requesting “subscriber information” and enforcing nondisclosure clauses contained in such letters. The nondisclosure clauses are intended to prevent ECSPs from disclosing that they received an NSL. The court also held that the sections of two federal statutes relating to the nondisclosure provisions of NSLs, 18 U.S.C. §2709(c) and 18 U.S.C. §3511(b), (collectively, the “NSL Nondisclosure Statutes”) were unconstitutional because they violated the First Amendment as well as separation of powers principles. In light of the significant constitutional and national security implications, the court stayed enforcement of its judgment pending appeal to the Ninth Circuit, or for 90 days if no appeal is filed.
In this case, In re National Security Letter, the FBI requested information (i.e., name, address, length of service and toll billing records) via an NSL from an unspecified ECSP. The NSL contained a nondisclosure clause prohibiting the ECSP from disclosing that it had received the request or the contents of the request. According to documents reviewed by the court, the FBI issues tens of thousands of NSLs each year and approximately 97% of them contain a nondisclosure mandate. The ECSP informed the FBI that it intended to contest the request, including the nondisclosure provision, and the government initiated an enforcement action in federal court.
Under the current NSL Nondisclosure Statutes, the FBI may prohibit the recipient of an NSL from disclosing that it has received the request, and the contents of the request, if a high-ranking official at the FBI “certifies” that disclosure by the recipient would (1) endanger national security; (2) interfere with diplomatic relations; (3) interfere with a criminal, counterterrorism or counterintelligence investigation; or (4) endanger the life or physical safety of an individual. If a recipient challenges the nondisclosure mandate, and the Attorney General (or another specified high-ranking government official) also certifies to one of the four scenarios above, the court must treat that certification as “conclusive,” unless it was made in bad faith. Without a certification from the Attorney General (or other high-ranking government official), the court may “modify or set aside” the nondisclosure provision if it determines that “there is no reason to believe” that disclosure would result in one of the four scenarios above.
The court noted that while national security is a compelling governmental interest, the NSL Nondisclosure Statutes are not narrowly tailored, and thus are unconstitutional, because they make no distinction “between a prohibition on disclosing mere receipt of an NSL and disclosing the underlying contents.” Additionally, the court found that the NSL Nondisclosure Statutes are impermissibly overbroad because they do not require or even allow the nondisclosure mandate to expire if the situation no longer requires secrecy.
The procedures for challenging an NSL were deemed unconstitutional as well. The court found that the curtailment of judicial review violated the separation of powers principles, because “[t]reating the government’s certification as ‘conclusive’ diminishes the exacting scrutiny courts must apply to speech restraints down to ‘no scrutiny’ at all.” Moreover, the court asserted that the NSL Nondisclosure Statutes inappropriately place the burden on NSL recipients to initiate court proceedings for challenging nondisclosure provisions, instead of on the censor (i.e., the government).
While enforcement of the court’s order is on hold pending review by the Ninth Circuit, the decision may impact other processes, beyond NSL requests for subscriber information from ECSPs. The process for judicial review that the court held unconstitutional under the NSL Nondisclosure Statutes is the same process applied to recipients’ challenges to certain governmental requests for consumer information pursuant to the Fair Credit Reporting Act, Right to Financial Privacy Act and the National Security Act.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code