The 180-Day Rule: When Your Business Emails Stop Being Private

How an outdated law from 1986 puts your company’s communications at risk—and what you can do about it

Last month, a prosecutor at the International Criminal Court found himself locked out of his Microsoft email account. The reason? Microsoft had blocked access under US government pressure related to ICC investigations. To regain access to his communications, prosecutor Karim Khan reportedly switched to ProtonMail, a Swiss encrypted email service.

This incident highlights a growing tension in business communications: the precarious balance between security, sovereignty, and government access to your emails. But while Khan’s situation made headlines, there’s a much broader issue affecting every business that uses cloud-based email—one that traces back to a 1986 law written when email was barely a concept.

The 180-Day Problem

The Electronic Communications Privacy Act (ECPA) of 1986 governs how law enforcement can access your digital communications. When Congress wrote this law, they made a crucial assumption: people would download their emails to their personal computers and delete them from servers within six months.

Based on this assumption, they created what’s now known as the “180-day rule.” Here’s how it works:

  • Emails stored for 180 days or less: Require a search warrant based on probable cause
  • Emails stored for more than 180 days: Can be accessed with just a subpoena—no warrant needed

The legal logic was that after 180 days, emails became “abandoned property.” But in 2025, when businesses routinely store years of email in the cloud, this rule creates a massive privacy gap.

Consider the implications: If law enforcement wants to read emails on your laptop, they need a warrant regardless of the emails’ age. But those same emails stored in Gmail, Outlook 365, or any cloud service? After 180 days, they’re accessible with nothing more than a prosecutorial subpoena.

The Scope of Government Email Access

The extent of government access to digital communications has expanded dramatically. Recent data shows that between 2014 and 2024, major tech companies significantly increased the number of user accounts they shared with law enforcement:

  • Meta (Facebook) experienced a 675% surge in government data requests
  • In total, Google, Meta, and Apple shared over 3 million user profiles with agencies
  • Each company processed thousands of requests annually for user communications

This isn’t necessarily about overreach—much of this access serves legitimate law enforcement purposes. But it highlights how your business communications exist within a framework where government access is routine, not exceptional.

The Foreign Intelligence Surveillance Act (FISA) adds another layer, allowing government agencies to access emails from foreign senders to American recipients without a warrant when national security is involved. For businesses with international operations, this creates additional exposure.

When Email Providers Become Government Partners

The Microsoft-ICC incident revealed something many businesses haven’t considered: your email provider can become an unwilling participant in government policy. Microsoft’s decision to block the prosecutor’s access wasn’t about the company’s policies—it was about complying with US government pressure.

This dynamic has led some secure email providers to shut down entirely rather than compromise user privacy. Lavabit, the encrypted email service used by Edward Snowden, famously closed rather than provide government backdoor access. As the owner stated: “There is no way to do encrypted e-mail where the content is protected.”

Silent Circle followed suit, shutting down their email service before receiving government demands, recognizing the fundamental vulnerability of email systems to government pressure.

The Business Impact

For companies, these realities create several concerns:

Compliance Risks: Industries with strict privacy requirements—healthcare, finance, legal—face potential compliance violations when government access conflicts with client confidentiality obligations.

International Operations: US-based email providers operating globally can create sovereignty issues for foreign subsidiaries, as the Microsoft-ICC case demonstrated.

Business Continuity: When providers are subject to government pressure, access to your communications isn’t guaranteed.

Competitive Intelligence: The metadata alone—who you’re emailing, when, and how often—can reveal competitive strategies even without reading message content.

The Metadata Problem

Even if you’re not concerned about government access to email content, consider what metadata reveals about your business:

  • Client relationship patterns
  • Vendor negotiation timing
  • Executive travel and meeting schedules
  • Project timelines and priorities
  • Organizational structure and reporting relationships

Under current law, this metadata is even less protected than email content. The government can often access calling and emailing patterns without any warrant at all.

Why Email Hosting Choice Matters

In this environment, where you host your email becomes a strategic business decision. Here’s what to consider:

Jurisdiction: Providers based in different countries operate under different legal frameworks. Swiss-based providers, for example, operate under stricter privacy laws than US-based services.

Data Location: Where your emails are physically stored determines which laws apply. Some providers offer specific data residency guarantees.

Provider Size and Visibility: Smaller, specialized providers may face less government pressure than large tech platforms that are frequent targets of surveillance programs.

Encryption and Access: Providers that can’t access your encrypted emails themselves can’t be compelled to hand them over—though this often comes with usability tradeoffs.

Policy Transparency: Some providers publish detailed transparency reports about government requests; others operate under permanent gag orders that prevent disclosure.

The Sovereignty Solution

Digital sovereignty—the ability to control where and how your data is stored and accessed—has moved from a government concern to a business imperative. European companies have led this movement, with countries like Germany and Denmark banning Microsoft 365 and Google Workspace in government and educational settings due to data sovereignty concerns.

For businesses, this translates to several practical considerations:

Provider Diversity: Relying solely on large US tech platforms creates single points of failure and regulatory risk.

Data Residency: Ensuring your communications are stored and processed in jurisdictions aligned with your business needs.

Exit Strategies: Having plans for data portability if your current provider’s policies or government relations change.

Alternative Infrastructure: Building relationships with providers who prioritize privacy and customer sovereignty over convenience.

What This Means for Your Business

The current legal framework around email privacy was written for a different technological era. While Congress has proposed updating ECPA, meaningful reform has stalled for years. Meanwhile, government access to digital communications continues to expand.

This doesn’t mean you should avoid email or assume every message is monitored. But it does mean that email hosting should be a conscious strategic choice, not a default decision.

Consider these questions:

  • How sensitive are your typical email communications?
  • What regulatory requirements govern your industry’s data handling?
  • How would government access to your emails affect client relationships?
  • What are your obligations to protect customer and employee privacy?
  • How important is it that your provider shares your values around privacy and digital rights?

Moving Forward

The tension between security and privacy in email communications isn’t going away. If anything, it’s intensifying as businesses become more digital and governments more sophisticated in their surveillance capabilities.

The goal isn’t to achieve perfect privacy—that’s likely impossible with current email technology. Instead, it’s about making informed decisions that align with your business values and risk tolerance.

For some companies, the convenience and integration of major cloud email providers outweigh privacy concerns. For others, particularly those handling sensitive information or operating internationally, specialized providers focused on privacy and sovereignty make more sense.

The key is recognizing that in 2025, email hosting isn’t just an IT decision—it’s a business strategy decision with legal, competitive, and ethical implications.

At Greatmail, we’ve spent 22 years helping businesses navigate these choices. We believe that email sovereignty—knowing where your data is, who can access it, and under what circumstances—should be a basic business right, not a luxury.

The 180-day rule is just one piece of a larger puzzle. But it’s a reminder that in the digital age, the laws governing our most basic business communications are often decades behind the technology we use every day.

