What recent court cases or legislation (post-2023) changed exemptions for encrypted services?
Executive summary
Since 2023, changes affecting exemptions for encrypted services have largely come through regulatory rulemaking and proposed legislation rather than a single landmark court decision: Treasury rulemakings and Federal Register notices around the “Outbound Order” and Privacy Act exemptions are significant (Treasury NPRMs Aug 2023; Federal Register notice Dec 17, 2024) [1]. State-level privacy laws enacted in 2023–24 often include exemptions (nonprofits, B2B, health data) that shape how encryption is treated in practice (examples summarized in a 2024 guide) [2].
1. Federal rulemaking reshaped exemptions for national‑interest transactions
The Department of the Treasury began rulemaking after the Outbound Order, proposing exemptions from Privacy Act notification or prohibition requirements for transactions deemed in the national interest; Treasury published multiple notices and a Systems Exemption NPRM in 2024 that explicitly contemplate exempting portions of systems of records (Aug 9, 2023 advance notice; NPRMs and Federal Register entries in 2024) [1]. These administrative actions do not directly rewrite criminal‑law access to encrypted services, but they loosen transparency/notification obligations that can affect how encrypted data transfers or services are regulated at the federal level [1].
2. State privacy statutes created practical carve‑outs that affect encrypted services
Several 2023 state privacy laws enacted since mid‑2023 include explicit exemptions—commonly for nonprofits (often temporarily), B2B data, and certain health data—which influences which actors must implement privacy and encryption controls and which do not; a 2024 “short guide” catalogs those exemptions across laws like Montana’s, Oregon’s, and others effective in 2024–25 [2]. Those exemptions change the universe of covered entities who are legally required to deploy or report on encryption, even if they don’t alter the underlying legal status of end‑to‑end encryption itself [2].
3. Export and national‑security rules preserve broad exceptions — and limits
Commerce/BIS guidance and related export‑control pages make clear that many encryption products can be exported under License Exception ENC and that there is no single “unexportable” level of encryption under that exception; those regulatory frameworks contain targeted exemptions and reporting obligations rather than blanket bans, shaping which encrypted services face controls [3]. The Commerce Department’s technical criteria (e.g., throughput thresholds and category rules) also create specific thresholds that exempt many common uses from stricter controls [4] [3].
4. Court battles over compelled decryption remain fragmented — no new Supreme Court resolution
Post‑2023 reporting and longstanding case law show the compelled‑decryption issue remains litigated in lower courts with divergent outcomes; historic cases and legal surveys document a split over Fifth Amendment protections and the “foregone conclusion” doctrine, but the Supreme Court has not definitively settled the issue in the period covered by available sources (cases and law reviews reviewed through 2024/earlier) [5] [6] [7]. Available sources do not mention a definitive post‑2023 appellate or Supreme Court ruling that changes constitutional exemptions for compelled decryption (not found in current reporting).
5. Legislative threats and pushes to force access — many proposals, mixed results
Advocacy and reporting show multiple bills and proposals aimed at limiting encryption or imposing access requirements have circulated (including high‑profile state efforts and federal proposals discussed by advocacy groups), but several high‑profile attempts have failed or been withdrawn—Florida’s 2025 backdoor bill did not pass its 2025 regular session, for example [8] [9]. Civil‑society organizing has blocked or delayed measures in multiple jurisdictions, producing an uneven legislative landscape [8] [9].
6. Competing perspectives: national security vs. security‑by‑design
Proponents of access argue law enforcement needs workable access (and have sought All Writs Act or statutory fixes), while privacy and tech groups insist backdoors or forced access would weaken security globally and have resisted both in courts and legislatures — these competing frames drive why rulemaking, not a single court case, has been the more active arena recently [10] [11]. Sources show both sustained government pressure and effective civil‑society pushback, producing incremental regulatory changes and many stalled legislative efforts [10] [9].
7. What this means for providers and users
Practically, developers and service providers must monitor state privacy exemptions (nonprofit, B2B, health) that determine compliance obligations and encryption requirements, follow Commerce/Treasury rulemakings about export and “national interest” exemptions, and watch for patchwork compelled‑decryption decisions in lower courts; the legal environment remains unsettled and jurisdictionally fragmented [2] [1] [3] [5]. For constitutional claims about compelled decryption, available sources do not show a new definitive legal standard after 2023 (not found in current reporting).
Limitations: this analysis uses the supplied sources only and therefore may not reflect post‑2024 events outside those materials; where reporting is silent I note it rather than assert absence.