Thinkstock illustration

A law that allows the government to read email and cloud-stored data that are more than six months old — without a search warrant — is under attack from technology companies, trade associations and lobbying groups, which are pressing Congress to tighten privacy protections.

Federal investigators have used the law to view content hosted by third-party providers for civil and criminal lawsuits, in some cases without giving notice to the individual being investigated.

Cloud computing companies are scrambling to reassure their customers.

But some clients are taking their business from the U.S. and moving to other countries.

Ben Young, the general counsel for Peer 1, a Web-hosting company based in Vancouver, British Columbia, said his customers were keeping their business out of the United States because the country “has a serious branding problem.”

“We’ve enjoyed a competitive advantage in Canada,” he said, “because the public perception in the business community is that American law enforcement has more access to data than in other parts of the world.”

Nearly 30 years after Congress passed the Electronic Communications Privacy Act, government officials have interpreted it to cover newer technologies such as email and cloud computing.

Meanwhile, places such as Germany, Iceland and Switzerland are trading on a reputation of stronger protections for companies, but such safeguards are not universally tighter than those in the U.S. “Some countries are stricter on privacy, and some of them are not,” said Mark Jaycox, a legislative analyst at the Electronic Frontier Foundation, a technology advocacy group.

Privacy has been an increasing concern since Edward Snowden’s revelations last year about bulk data collection by the National Security Agency, but an overhaul of the Electronic Communications Privacy Act has failed to break into the national conversation. “Because it’s not sexy,” said Katie McAuliffe, the executive director for digital liberty at Americans for Tax Reform.

The United States’ image problem has caused “real, tangible harm” for businesses, said Christian Dawson, the chief operating officer at ServInt, a Web-hosting company based in Reston, Va. “It’s very easy for providers outside the country to say, ‘Hey, move your business offshore into an area that cares more about your privacy.’ They don’t have better laws necessarily. They have a better marketing department.”

Silicon Valley giants Facebook, Twitter and Google say they will no longer hand over their customers’ data without a search warrant. But smaller Web-hosting and cloud-computing companies may be outmuscled by law enforcement officials as they try to protect their customers, said Ron Yokubaitis, the co-chief executive of Data Foundry, a data center company based in Texas.

“Mostly, they are going to comply because they don’t know their rights or can’t spend the money to resist,” he said.

A coalition of technology companies, trade associations and lobbying groups, called Digital Due Process, is pushing Congress to bolster privacy rules. Bipartisan bills in the House and the Senate have brought together a hodgepodge of supporters, including liberals and tea party favorites.

Sen. Mike Lee, R-Utah, co-sponsored the Senate bill. He said in a recent interview that “like most Americans,” he was shocked to find that the 1986 statute was on the books.

“Almost every American thinks that it is frightening that we have a law that suggests that the government has the right to read your email after only 180 days,” Lee said. “It’s an easy issue in which to achieve bipartisan compromise and consensus.”

The bill would require a search warrant for access to electronic communications, with exceptions for some emergency situations. It would also require the government to notify individuals within 10 days that their information was being investigated. However, it does not address rules for location data, like GPS information from an individual’s cellphone.

The Senate Judiciary Committee approved the bill a year ago, but it has stalled. One reason is resistance from federal investigating agencies that use subpoenas to gain access to electronic communications in civil cases, particularly the Securities and Exchange Commission.

“The SEC cannot get a search warrant, so a bill that requires a warrant to obtain emails from an (Internet service provider) would undermine the SEC’s ability to protect American investors and hold wrongdoers accountable,” said Andrew Ceresney, the director of the Division of Enforcement at the SEC. Instead, the SEC would have to rely on an individual’s voluntary disclosure of digital content.

But some legal experts, and at least one appeals court, do not find that argument compelling. “The courts say that email on a server somewhere is like email in your virtual home,” said Orin Kerr, a professor at George Washington University Law School. “We wouldn’t say the SEC should have the power to tell your landlord to break into your apartment and get evidence. The same rule should apply.”

The U.S. Court of Appeals for the 6th Circuit, in Cincinnati, ruled in 2010 that part of the Electronic Communications Privacy Act was unconstitutional. Since the decision, most major technology companies have required a search warrant for customers’ content.

“They are an administrative agency that is holding up this process because they are demanding unconstitutional new powers,” said Chris Calabrese, legislative counsel at the American Civil Liberties Union, referring to the SEC.

Texas has taken the matter into its own hands. Last summer, GOP Gov. Rick Perry signed a bill that will force law enforcement officials to obtain a warrant to view any electronic communications in the state, essentially the same measure that waits on Capitol Hill.

But the SEC has indicated that it is open to negotiations. The agency’s chairwoman, Mary Jo White, “supports a number of other ways to address privacy interests and still allow the SEC and other civil law enforcement agencies to gather critical email evidence from ISPs,” Ceresney said.

Rep. Kevin Yoder, R-Kan., and a co-sponsor of the House bill, said that provisions of the Electronic Communications Privacy Act were “frankly much worse” than the NSA’s domestic surveillance program. While the NSA program involves the collection of phone-calling information known as metadata, the privacy act allows law enforcement officials to actually read emails, “and in many cases Americans don’t know it’s happening to them,” Yoder said.

For cloud-computing companies, something is better than nothing when it comes to changes to the law.

“We need a meaningful response from the government,” Young, of Peer 1, said. “It doesn’t have to be sweeping, and it doesn’t have to fix everything overnight. The United States’ status as a leader in Internet innovation is being seriously threatened.”

Dawson, of ServInt, just expanded the company’s operations to Amsterdam, and he said the firm was more likely to grow there, “which is a shame.”