Though the subject of litigation for twenty-five years now, ECPA cases still address what most would consider basic issues. The Ninth Circuit, in Sulzon Energy v. Microsoft Corp., No. 10-35793 (9th Cir. Oct. 3, 2011), marked another one of those basic issues off the checklist, finding clearly and unambiguously that ECPA’s protections extend to foreign citizens whose communications are stored on servers here in the United States. In doing so, the Ninth Circuit simply relied on the fact that ECPA, on its face, applies to “any person” without qualification and providers are not required to investigate their users’ citizenship before responding to requests. By doing so, the Ninth Circuit has provided domestic providers with a powerful arrow in their quiver when responding to foreign requests for data located in the United States.
Sulzon involved a request under 28 U.S.C. 1782 by Sulzon, a civil fraud litigant in an Australia, for hotmail emails belonging to an Indian citizen currently imprisoned in India. Microsoft, however, stored the emails in question, on servers in the United States. Because the request called for the production of email content to a civil litigant, Microsoft objected on a number of grounds, including that ECPA prohibited their production.
The Ninth Circuit resisted the urge to overcomplicate the issue and turned directly to the statute’s text to find that ECPA applied to foreign citizens. It found that “the plain text of the ECPA applies its terms to ‘any person,’ without qualification. 18 U.S.C. 2510(3). Any person means any person, including foreign citizens.” Slip Op. at 18685. While the Court could have stopped there, it went on to note that 18 U.S.C. 2510(13) supports this reading as well, by defining a user as “any person or entity who — (A) uses an electronic communication service; and (B) is duly authorized by the provider of such service to engage in such use” and making no exception for citizenship (or any other attribute) and the exceptions contained in 2702(b) & (c) similarly make no mention of citizenship as an exception for disclosure.
The Court went on to address the legislative history, even though it noted such an inquiry was unnecessary because Sulzon had argued that the legislative history repeatedly referred to protecting the privacy rights of “American Citizens.” In rejecting that limitation as inconsistent with ECPA’s plain text, the Court observed that limiting ECPA’s protections to United States citizens would have placed electronic communication service providers in the untenable position of making the “costly, fact-intensive, and difficult determination” of whether a user was or was not a United States citizen during the relevant time frames. Such an outcome would have been neither good law, nor good policy.
Interestingly, Sulzon also argued that the foreign citizen consented to production of his documents impliedly because the account owner had a duty to produce documents under Australian rules of court. The Ninth Circuit rejected that argument and confirmed an argument providers have made for years. The Court held that regardless of the implied consent argument, the subpoena should have been directed to the account owner not the provider, because if anyone had a duty to produce email content under Australian rules of court it was the account owner not Microsoft. See Flagg v. City of Detroit, 252 F.R.D. 346, 366 (E.D. Mich. 2008) and Bower v. El-Nady Bower, No. 10-cv-10405-rgs (D. Mass. April 5, 2011) (holding that fugitive user did not impliedly consent to production and that proper procedure for obtaining content was to subpoena user directly). As the Ninth Circuit explained, “[Defendant] himself is the person who should be responsible for disclosing his own emails. Sulzon’s supposed implied consent argument has no bearing on its efforts to get those emails from Microsoft, who is not a party to the litigation.” Id. at 18689.
In the end this simple case reinforces two important points: (1) ECPA applies to “any person” and it really means it; and (2) civil litigants seeking content are barking up the wrong tree when they request that content from the provider—and not from the account owner.