Accessing content of emails – the 2nd Californian Gmail case. A summary and some post scriptum thoughts

Yesterday I stumbled upon the ‘Order denying the motion to dismiss as to the merits of plaintiff’s claims’, issued by the US District Court – Northern District of California on 12 August 2016 in the case of Matera v. Google.  The order allows the trial against Google to move forward.

This is the second case brought in front of the Californian Court alleging that Google’s practice to scan the content of emails sent through its Gmail service violates US wiretap laws. The first try was not successful because the plaintiffs could not constitute a ‘class’ (there’s a short history of the first case recalled in the Order). What’s interesting is that most of the findings in this Order are in fact re-statements of findings from the previous case. And with this case moving forward for now, there’s a chance we’ll see a real assessment of the facts of the case and an actual Court decision in the end.

Now, the plaintiff seeks to represent non-Gmail users ‘who have never established an email account with Google, and who have sent emails to or received emails from individuals with Google email accounts’.

‘Google allegedly intercepted the emails for the dual purposes of (1) providing advertisements targeted to the email’s recipient or sender, and (2) creating user profiles to advance Google’s profit interests.’

According to the plaintiff, Google utilizes the user profiles ‘for purposes of selling to paying customers, and sending to the profiled communicants, targeted advertising based upon analysis of these profiles’ (p. 3).

Google defends itself by stating, among other things, that this practice is a part of their ‘ordinary course of business’ and therefore it falls under an exception of the Wiretap Law that allows them to look at the content of communications.

I read the Order with the mind of an EU data protection lawyer that was part of the team assessing the EU-US Privacy Shield for the Article 29 Working Party and this is a list of findings that caught my eye:

1. The Court found it plausible that the use of data to target ads is not ‘routine and legitimate commercial behaviour’ that is part of Google’s ordinary course of business, so it’s not exempted under the Wiretap Act.

• The Court reiterated that it stands by the findings in Gmail I, according to which ‘the ordinary course of business exception protected electronic communication service providers from liability where the interceptions facilitated or were incidental to provision of the electronic communication service at issue‘ (p. 11).
• In other words, the Court concluded that there ‘must be some nexus between the need to engage in the alleged interception and the provider’s ultimate business, that is, the ability to provide the underlying service or good‘ (p. 12).
• Otherwise, the Court explained, ‘an electronic communication service provider could claim that any activity routinely undertaken for a business purpose is within the ordinary course of business, no matter how unrelated the activity is to the provision of the electronic communication service‘ (p. 15).
• The Court further restated an argument of Chief Judge Hamilton from a previous case, who noted that ‘it is untenable for electronic communication service providers to ‘self-define’ the scope of their exemption from Wiretap Act liability‘.
• Google used this following argument: ‘the alleged interception of email enables Google to provide targeted advertising, which in turn generates the revenue necessary for Google to provide Gmail. Google further contends that “the use of data to target ads is routine and legitimate commercial behavior”‘ (p. 24).
• The Court in fact found that, because Google ceased intercepting and analysing the contents of emails transmitted via Google Apps for Education, ‘Google is able to provide the Gmail service to at least some users without intercepting, scanning and analyzing the content of email for advertising purposes’ (p. 24).

2)  Google claims that California’s Invasion of Privacy Act does not apply to email and does not apply to new technologies in general. The Court is ‘unpersuaded’ by these claims and follows California Supreme Court’s philosophy according to which, when faced with two possible interpretations of CIPA, the CSC construes CIPA ‘in accordance with the interpretation that provides the greatest privacy protection’. 

• Section 631 of the California Penal Code creates liability for any individual who ‘reads, or attempts to read or to learn the contents or meaning of any message, report or communication while the same is in transit or passing over any wire, line or cable, or is being sent from or received at any place within this state‘.
• There is also a Section 630, according to which:

The Legislature hereby declares that advances in science and technology have led to the development of new devices and techniques for the purpose of eavesdropping upon private communications and that the invasion of privacy resulting from the continual and increasing use of such devices and techniques has created a serious threat to the free exercise of personal liberties and cannot be tolerated in a free and civilized society.

The Legislature by this chapter intends to protect the right of privacy of the people of this state.

• The Court refers to the California Supreme Court’s findings in Flanagan v. Flanagan that ‘In enacting [CIPA], the Legislature declared in broad terms its intent to protect the right of privacy of the people of this state from what it perceived as a serious threat to the free exercise of personal liberties that cannot be tolerated in a free and civilized society. This philosophy appears to lie at the heart of virtually all the decisions construing [CIPA]’ (p.33). (Flanagan v. Flanagan, 27 Cal. 4th 766, 775 (2002)).
• Replying to Google’s claim that CIPA cannot refer to emails, as emails did not exist at the time CIPA was adopted, the Court quotes again the California Supreme Court, which regularly reads statutes to apply to new technologies where such a reading would not conflict with the statutory scheme (p. 34, 35):

“Fidelity to legislative intent does not ‘make it impossible to apply a legal text to technologies that did not exist when the text was created. . . . Drafters of every era know that technological advances will proceed apace and that the rules they create will one day apply to all sorts of circumstances they could not possibly envision.” (Apple Inc. v. Superior Court, 56 Cal. 4th 128, 137 (2013))

• Finally, the Court refers to two other courts in its district that already decided to apply Section 631 of CIPA to ‘electronic communications similar to email’ (re Facebook Internet Tracking Litig., 140 F. Supp. 3d at 936 – holding that section 631 applies to “electronic communications”; Campbell, 77 F. Supp. 3d at 848 – finding that plaintiffs stated a claim under section 631 when defendant allegedly intercepted online Facebook messages). (p. 37).

Some post scriptum thoughts:

When the Court says there must be a ‘nexus between the need to engage in the alleged interception and the provider’s ultimate business, that is, the ability to provide the underlying service or good’ for the interception of the content of the communications to be lawful, it’s almost like the Court would be saying that the interception must be ‘strictly necessary’ for the ordinary course of business (for a background of the ‘necessity’ condition in EU data protection law, click HERE).

If we were to transpose this case into the realm of EU law, we may not even get to think whether the interception (which amounts to an interference) is strictly necessary or not to achieve a purpose ‘allowed’ by the applicable law. The main question that would be there to answer is ‘does accessing all the content of emails and profiling all the users for marketing purposes touches the essence of the fundamental right to private life and that of the fundamental right to data protection?’.

There are very good chances the answer would be ‘yes’…