In the 2006 case, O'Grady v. Superior Ct., the Sixth Appellate District in California has interpreted the Stored Communications Act (18 U.S.C. §§ 2701-2712) as limiting the ability of civil litigants to obtain the contents of stored communications from Internet Service Providers (ISPs) through the subpoena process. While this is a narrow application of the law, the interpretation will significantly affect e-discovery strategies and tactics in California - especially when litigants cannot obtain the original communications from the recipient.
This case has received wide attention in both the traditional media and the blogosphere, primarily because it involves issues of journalistic protection for online news providers who blur the lines between traditional news outlets and blogs. Most commentators have focused on the application of California's reporter's shield to the defendants, as well as the constitutional privileges against disclosure of confidential sources, while the case's e-discovery issues have largely passed below the radar. The court found that the journalistic protections did in fact apply to the website operators, which represented a major victory for new media journalists. In the end, however, the portion of the case dealing with discovery requests to ISPs will likely affect more aspects of California litigation than the highly-publicized decision concerning web-based news outlets.
Background
Apple sued the operators of a website dedicated to reporting on the company and its products after the website published several articles regarding a new Apple device. Apple claimed that the website operators had misappropriated its trade secrets by exposing technical details and images of the new product, which is designed to allow users to record from analog sources, such as microphones and guitars, directly into an Apple computer.
Apple also sued several Doe defendants - presumably company insiders who provided the information published on the website, including a slide presentation which contained proposed product specifications, release dates and a drawing of the device. Apple then sought a subpoena against the ISP that hosted the disputed website that would require it to produce documents relating to the identity of these insiders, as well as the content of all communications between them and the site operators that pertained to the new product.
Defendants filed a motion for a protective order, arguing that the ISP could not comply with the subpoenas without violating the Stored Communications Act (SCA). The district court denied the motion and issued the subpoenas, at which point the defendants filed a petition for a writ of mandate directing the district court to set aside its denial.
Why Subpoena the ISP?
Apple chose to subpoena the ISP in case the courts determined that the defendants were indeed protected by California's reporter shield and constitutional privileges. Under those protections, the site operators could not be compelled to turn over the communications or the identities of the Apple insiders. Thus, Apple attempted to run an end-around whereby they would obtain the desired information from the service provider rather than the user. It was working, too, until the appellate court considered the applicability of the SCA to the matter at hand.
Protections Under the SCA
The SCA directs that "a person or entity providing an electronic communication service to the public shall not knowingly divulge to any person or entity the contents of a communication while in electronic storage by that service . . . ." (18 U.S.C. § 2702(a)(1).) Apple did not claim that the requirements for application of the SCA were not met here. Under the statute, the ISP is an entity and the emails requested were communications in electronic storage by the ISP. Apple's main contention was that the subpoenas fell under several enumerated exceptions to the SCA and/or an implied exception that it asked the court to read into the statute.
The ISP's Interests: The Rights and Property Exception
Apple first argued that the ISP could comply with the subpoenas since the SCA provides an exception allowing for disclosure when "necessarily incident . . . to the protection of the rights of property of the provider of that service." Apple reasoned that a failure to comply with the discovery orders would expose the ISP to possible sanctions, which would threaten the ISP's rights or property. Thus, compliance with the orders would protect the ISP's rights or property, and could proceed under this exception.
The appellate court pointed out a circularity in Apple's logic, however: in order to expose the ISP to sanctions for noncompliance, the subpoenas would first have to be valid and enforceable. The subpoenas would only be valid if they fell within an exception to the SCA. Apple assumed that the subpoenas fell within the rights and property exception, which would consequently trigger the very same exception. The court dismissed this argument by pointing out that a refusal to comply with a disclosure that is not authorized by the Act cannot expose the ISPs to sanctions, and the disclosure thus cannot be incidental to the protection of the ISP's interests. Therefore, this exception does not support the issuance of the subpoenas.
Adrift in a Sea of Discovery: the Safe Harbor Provisions
The next argument Apple raised concerned the Safe Harbor provisions of the SCA. Those provisions give a complete defense for an ISP's compliance with a court warrant or order, even if that warrant or order would violate the SCA. The court correctly pointed out that the provisions do not make such compliance legal; rather, they provide an escape route for ISPs stuck between a rock and a hard place when facing a court order that would have them violate a federal statute. Moreover, the provision would only assist an ISP that voluntarily complied with the order and was then charged with violation of the Act, not one that refused to comply and challenged the validity of the order. The Safe Harbor does not create a substantive legal right to disclose, it simply gets ISPs off the hook if they decide to comply with an order that violates the SCA. Thus, it does not validate the subpoenas at issue here.
The Implied Exception to the SCA
Despite having fallen short of fitting the subpoenas into one of the enumerated exceptions to the SCA, Apple also attempted to convince the court to read an implicit exception into the SCA for compliance with civil discovery. The court noted that Congress wrote many exceptions into the Act, thus demonstrating that it understood how to make exceptions to the Act's general rule. However, it also proceeded to consider the SCA in light of its objects and policy in order to determine whether the Act did in fact contain an implied exception.
The court determined that the purpose of the Act was to protect privacy interests in personal and proprietary information, while protecting the law enforcement ability of the Government. Limiting civil discovery would not impede this purpose, the court argued, and would not impose any new burdens on civil litigants. The nature of electronic communications is such that it affords greater opportunity for replication and storage, which in turn makes it easier to violate the privacy rights of individuals by releasing copies of the communications. Congress, the court continued, could reasonably determine that allowing civil discovery from ISPs would provide a windfall to litigants, while possibly impairing the utility and further development of modes of electronic communication. Thus, the court refused to read an implied exception into the SCA, and declared that the Act rendered the subpoenas unenforceable.
Whodunnit: Disclosure Limited to the Sender's Identity?
In an amicus brief, Genentech, Inc. argued that the SCA should not prohibit enforcement of the subpoenas since: 1) Apple only sought the identity of the author of a stored communication; and 2) the Act expressly authorizes the disclosure of "a record or other information pertaining to a subscriber or customer of such service (not including the contents of communications. . ." (18 U.S.C. § 2703(c)(1).) The court quickly dismissed the first argument by noting that the subpoenas specifically requested all communications from any disclosing person that were related to the product. The court continued on to state that, even if Apple only requested the identity of any disclosing person who had sent an email related to the product, such a revelation would necessarily disclose the contents of the communications by acknowledging that there were in fact emails related to the product in the ISP's system.
The court also rejected the second argument, since the authors of the incoming communications were not subscribers or customers of the ISP. Genentech mistakenly relied on Jessup-Morgan v. America Online, Inc. 20 F.Supp.2d 1105 (E.D. Mich. 1998), which held that the SCA did not prohibit the disclosure of the identity of an actual subscriber who anonymously posted a malicious message on a website. The court distinguished the present case by demonstrating that the senders of the communications were not subscribers to the ISP, but simply external individuals who sent a message into the ISP's email servers. The authorization for the release of customer records would therefore not apply.
What the Decision Means Going Forward
By refusing to enforce these subpoenas, the court limited the options available to civil litigants for the retrieval of electronic communications from the recipient's ISP when the original communications are not otherwise available. In this context, the unavailability arose from the protections afforded to journalists under the California reporter's shield and constitutional privileges, but unavailability could arise in many different ways. The original recipient could have deleted the files, the party serving the subpoena might be unable to locate the recipient, or the communications might be protected under some other privilege. The issue is likely to arise in many different situations, and affects how every party in a litigation will go forward.
For businesses, this decision will warrant a reexamination of data-retention policies to determine what kinds of communications should or should not be retained, and what the time periods for retention should be. For plaintiffs and their attorneys, this will mean a rise in the need for digital forensic experts, since the removal of the ISP as a source of the communications will most likely lead to parties seeking to recover more lost information from computer hard drives. Finally, law firms on both sides of the aisle will need to ensure that they have the most effective case-, discovery- and knowledge-management systems in place in order to properly catalogue information and prevent any superfluous discovery requests that may waste client resources.