October 04, 2011
9th Cir.: ECPA Protects Non-Citizen Communications Stored in the US -- Suzlon Energy v. Microsoft
[Post by Venkat Balasubramani]
Suzlon Energy Ltd. v. Microsoft Corp., 10-35793 (9th Cir. Oct. 3, 2011) [pdf]
Suzlon Energy sought emails from Microsoft for use against Sridhar, an Indian citizen, in a civil lawsuit pending in Australia. It filed a petition for the production of documents, which the district court initially granted. In response, Microsoft and Sridhar filed objections. The district court agreed with Microsoft and Sridhar and held that, although Sridhar was not a United States citizen, the Electronic Communications Privacy Act precluded Microsoft's disclosure of the emails.
The Ninth Circuit affirmed, finding that the text of the statute answers the question of whether the protections of the ECPA are limited to United States citizens. The statute prohibits disclosure of communications which fall under the statute and contains numerous exceptions, but citizenship is not listed as an exception. Additionally, the statute defines a user as "any person or entity" who uses an electronic communications service with authorization:
The Court finds that the plain language of the ECPA extends its protections to non-citizens. The Court is therefore obligated to enforce the statute as written.
Although the court found that the text of the statute answered the question, it nevertheless analyzed the legislative history of the statute "for its instructive value." The court notes that Congress' intent in passing the ECPA is to protect the privacy interests of American citizens. But nothing indicates an intent to protect the privacy rights of only American citizens. Although the language of the legislative history is inconclusive, the passage quoted by the court is interesting and one that Congress may want to take a look at when thinking whether and how to revamp the ECPA:
With the advent of computerized record keeping systems Americans have the ability to lock away a great deal of personal and business information. . . . [T]he law must advance with technology to ensure the continued validity of the fourth amendment.
The court makes clear (citing to Zheng v. Yahoo!) that it's only deciding that ECPA protections apply to information stored in the United States. (Zheng was a case where the district court concluded that a dissident in China could not sue Yahoo! for allegedly turning over email messages to the Chinese government.)
The court also addresses the issue of consent, finding that Sridhar did not impliedly consent by being involved in the Australian litigation. The court does not see the logic in Suzlon's consent argument. The court also says that he did not consent to Microsoft producing the emails on his behalf. Microsoft's terms of service only say that any emails would be disclosed in accordance with United States law and in other circumstances not relevant to the case. Microsoft "never told Sridhar that his communications might be monitored or disclosed." There are no facts supporting an implied consent based on waiver.
It's tough to quibble with the court's interpretation of the statute, but it's interesting that the court specifically carved out and reserved judgment on communications that are not stored in the United States. Zheng v. Yahoo! didn't expressly rely on the storage issue; the court determined that the predicate acts occurred abroad and therefore the ECPA did not apply.
Is the location of the server where the email is stored a workable basis to determine whether ECPA protection should be lost? Does this type of a rule allow an ISP to play games as to what emails are subject to ECPA protection and which are not? If an ISP decides to change its storage practices and decides to store emails offshore, does this suddenly mean that those emails are no longer entitled to protection under the ECPA? (I recall some proposed legislation which would prohibit US companies from storing data outside the United States to avoid foreign governments being able to impose different rules.) From a consumer standpoint, the location of storage doesn't offer much clarity. I imagine customers have no idea what jurisdiction the servers which house their communications are located in.
[Clarification: I revised the post to indicate that the court did not hold that foreign-stored communications are outside the scope of ECPA protection. My zeal to highlight an interesting issue got the better of me! Thanks to the emailer who pointed this out.]
Additional coverage: Ninth Circuit Says ECPA Protects Foreign Citizens (Tom O'Toole/BNA)
Posted by Venkat at October 4, 2011 03:35 PM | Privacy/Security