with contributing authors Matthew Baker and Kedar Bhatia
In a decision that changes the way law enforcement officers collect electronic information, the U.S. Supreme Court ruled in Riley v. California, 573 U.S. ___ (2014), that officers may not search a cell phone during a lawful arrest without first obtaining a search warrant. The ruling was a sweeping embrace of digital privacy, touching upon remotely stored private information—i.e., “cloud” computing—and geographic tracking data that cell phones often contain. The result was the broadest constitutional ruling on privacy in the context of modern technology since the Court’s ruling two terms ago limiting police use of satellite-linked GPS tracking of a suspect’s movements by car. The Court’s embrace and recognition of technological advances and distinctions raises important issues for companies to consider in the context of data retention and management.
The defendant in this case, David Leon Riley, was arrested on August 22, 2009, after a traffic stop resulted in the discovery of loaded firearms in his car.1 The officers seized Riley’s phone and searched through his messages, contacts, videos and photographs. Based in part on data the officers discovered on his cell phone, Riley was charged with a gang-related shooting that had taken place several weeks prior to his arrest.
Chief Justice John Roberts, writing for the majority, held that the Fourth Amendment requires officers to obtain a warrant before searching the contents of an arrestee’s cell phone. The decision is both a full-throated defense of the Fourth Amendment’s warrant requirement and a meaningful clarification of the way electronic information differs from other types of physical evidence.
The Court distinguished cell phones as “minicomputers,” often containing diverse information that “reveal more in combination than any isolated record.” (Slip op. at 18.) More clearly than it ever had before, the Court delineated the distinction between ordinary physical objects—e.g., a diary or a letter—and electronic information stored in a cell phone or other comparable device. Chief Justice Roberts noted that there was both a quantitative and qualitative difference between the information stored on a cell phone and the information typically contained in compact physical storage. Not only is the information quantitatively greater, but often qualitatively more descriptive and personal. Due to the breadth of information stored on a cell phone, allowing officers to search a phone’s contents “would be like finding a key in suspect’s pocket and arguing that it allowed law enforcement to unlock and search a house.” Id. at 21.
The Court summarily rejected the government’s arguments to allow warrantless searches of an arrestee’s cell phone for officer safety or evidence preservation purposes. In rejecting these arguments, the Court emphasized that electronic data rarely, if ever, presents physical threats to an officer. Furthermore, the government employs a multitude of methods to preserve electronic information without a warrantless search. Recognizing the limitations that the ruling imposes, though, the Court held that officers have one option to search a cell phone without a warrant: in truly extraordinary circumstances where officers have reason to expect that electronic data presents imminent dangers, such as locating a missing child or foiling a dangerous plot. (Id. at 11-12, 15.) But even then, the Court explained, those “exigent” circumstances justifying an exception to the warrant requirement would have to satisfy a judge before the government could permissibly use the evidence.
Although the type of technology incorporated into a cell phone was the rationale behind the Supreme Court’s ruling, its constitutional foundation was the founding generation’s fear of the British practice of general searches. In rejecting the government’s argument that it could employ protocols to limit the scope of warrantless searches into an arrestee’s electronic data, the Court noted that the “Founders did not fight a revolution to gain the right to government agency protocols.” (Id. at 22.) The fact that modern technology allows an individual to access personal information on demand “does not make the information any less worthy of the protection for which the Founders fought.” (Id. at 28.)
While the Riley decision has important implications for criminal law, the Court’s recent technology-related privacy cases suggest an evolving awareness by the Court of the shifting nature of technology and the need to reconcile these dynamics with privacy expectations. The Court’s growing concerns center not merely on the mobile phone’s data, but also on the data stored remotely (in the cloud or elsewhere) and accessed “at the tap of a screen.” (Id at 21.) Companies issue employees mobile devices and laptops as a matter of routine business. Some employees even access and retain corporate information through their personal devices. Company information is stored, accessed and “carried in tow” just as often as personal information. Because of these advancements, smartphones and other personal electronic devices—as access points for a range of services—have changed the dynamic of employee productivity and data storage, often leaving valuable and confidential corporate information vulnerable to loss.
The Court’s ruling gives corporations an opportunity to rethink the way their users access and store company information. For example, corporations should consider hosting employee-specific data—such as corporate email accounts—remotely, allowing the user to access the information from a personal device even though the company retains complete control over the data. The data would not reside on the mobile device; rather, the user would initiate a connection with the company-based server, providing the user either consistent or limited access rights to the data. Once the connection with the server is severed, the data is no longer accessible—nothing is permanently stored on a local device.
A company could also consider limiting a user’s rights to move, download and store company data, effectively preventing company information from residing on a personal device. Not only does this allow a company to retain control over confidential data, it can also help facilitate a company’s data retention policy. Troves of corporate data may be protected from a search even if the government obtains a single access device because no company data would physically reside on the device. Though we do not yet know precisely how courts will extend Riley into the world of data privacy, the case seems to support greater privacy rights for data that is properly segregated and secured.
Moreover, implementing such procedures could allow companies to effectively argue that information stored remotely can be seized only through specific warrants or document requests that reach that type of core information. And although the Riley decision expressly addressed only digital privacy in the context of an arrest, companies may be able to use the decision to protect confidential company data against document requests in both civil lawsuits and criminal investigations.
___________________
[1] The case was consolidated with another, United States v. Wurie, for disposition. For purposes of this article, we only address the facts of Riley.