The Supreme Court has issued this year’s most important ruling on privacy in Carpenter v. United States. It is a major development in privacy law, laying the foundation for an interpretation of the Fourth Amendment that protects against generalized government surveillance by electronic means. Together with United States v. Jones, it brings Fourth Amendment jurisprudence into the digital age, and may well effect change in everything from mobile carrier terms of service to the fate of Privacy Shield. By requiring a warrant for historical location-tracking data, the Court effectively states, today, that regardless of how much of an individual’s data exists in the hands of third parties, one can reasonably expect that at least some of it to be protected.

Carpenter is an appeal of a criminal conviction for Timothy Carpenter, who masterminded robberies of a “series of Radio Shack and (ironically enough) TMobile stores in Detroit.”  FBI agents subpoenaed Carpenter’s Metro PCS and Sprint to obtain his cell site location information (CSLI), which provided them with his general location at over 12,000 points in time. Notably, the FBI did not secure a warrant to get the CSLI records. Carpenter argued, under Katz v. United States, that he had a reasonable expectation of privacy in his location data.  Using the CSLI, the prosecution was able to convince a jury that Carpenter was near the site of the robberies.

In reversing the conviction, the Court held that that, if reviewing the cell phone records was a “search” under the Fourth Amendment, then a warrant was required. The government relied on a line of cases, most famously in United States v. Miller, where the Court upheld a fraud conviction based on bank records that the government subpoenaed, but never got a warrant to obtain. The theory is that, by voluntarily transferring his checks and financial documents to the bank, Miller had no reasonable basis for thinking that the records would remain private.  In Carpenter, the lower courts reached the same conclusion when it came to CSLI – MetroPCS and Sprint knew where Carpenter was, so he had no reason to expect that they would keep that information private.

The Court disagreed, saying:

We decline to extend Smith and Miller to cover these novel circumstances. Given the unique nature of cell phone location records, the fact that the information is held by a third party does not by itself overcome the user’s claim to Fourth Amendment protection. Whether the Government employs its own surveillance technology as in Jones or leverages the technology of a wireless carrier, we hold that an individual maintains a legitimate expectation of privacy in the record of his physical movements as captured through CSLI. The location information obtained from Carpenter’s wireless carriers was the product of a search.

By cabining the right of government to obtain these location records without a warrant, the Court effectively says that, rather than having a privacy interest in the record held by Sprint or MetroPCS, Carpenter (and we all) have a privacy interest in the data underlying those records. In other words, because the location information reflected in the CSLI is subject to our reasonable expectation of privacy, so are the cell phone records themselves.

That may either sound like hair-splitting legalese or major change; often it’s hard to know the difference in the law. One thing is certain: five Justices consider the wholesale collection of location data without a warrant to be unconstitutional. Interestingly, Justice Gorsuch would go even further, arguing that Miller, Stevens, and even Katz should be set aside in favor of a pure reasonableness test. That merits a blog post of its own, but more broadly, that means that the Court seems to sit 6-3 in favor of greater protections for individual data.

There are profound consequences for this ruling. If nothing else, wholesale collection of cell phone data is now immediately suspect, unless it is either a) pursuant to a warrant or b) one of the long-standing exceptions (for instance, pen registers). I can imagine a series of challenges to the entire array of data collected and stored – emails, texts, geolocation tags, etc etc – making their way through the courts. That would provide the Court with ample opportunity to tweak the ruling announced today.

More broadly, we see Carpenter as a major movement towards data based privacy, rather than simply property-law based privacy. Historically, the courts have treated the Fourth Amendment as creating “zones” of privacy (e.g., the home is a high-privacy “zone,” while an airport is a low-privacy “zone.”) But if privacy may evolve into a concept that protects an individual as the creator and owner of their data: that is, a “data subject.”  That would bring American law more in line with the European model, and it would lay the foundation for a more aggressive approach to enforcement of privacy rights.

And therein lies the potential for a seismic shift in American law. Determining whether an individual would consider a particular document “private” is not the same thing as whether that individual believes that information about them is a central component of their personal right to privacy. Put another way, the judicially-created concept of a “reasonable expectation of privacy” is nearly always about whether a person believes that an object is a safe place to keep things private — your car, your wallet, the confines of a telephone book, an airport. And while Katz famously said that the Fourth Amendment “protects people, not places,” that is not exactly how subsequent cases have played out.

Carpenter revives that notion, and gives it new meaning. By any reasonable interpretation, Miller and Smith were right on point, because it would be entirely unreasonable (under prevailing law) to expect that your location data would be private once the cell phone company knows it. But the Court flatly rejects this concept to say that “this case is not about ‘using a phone’ or a person’s movement at a particular time. It is about a detailed chronicle of a person’s physical presence compiled every day, every moment, over several years. Such a chronicle implicates privacy concerns far beyond those considered in Smith and Miller.”

Do you see what the majority does in those sentences? They accept that Smith and Miller are technically applicable, and then reject those cases because in Carpenter, we are dealing with a much more important privacy concern for the Court. The concern is not about a place, or even about a person moving through a place. It is about a person’s right to have their whereabouts protected from government intrusion unless a judge concludes that probable cause exists to invade that protection. This is why Carpenter is so important, and why it can have such lasting effects. It might be the beginning of a change in the law so fundamental that it reshapes our very concept of privacy. If it does, then Carpenter will be one of the most important decisions of our time.