The Stored Communications Act and Document Subpoenas to Cloud Computing Providers

Posted: April 11, 2013

The continued adoption of cloud computing tools, like web-based email, cloud data storage, and hosted software services, means that important communications will often be maintained by third-party electronic service providers rather than the author of the communication. During litigation, if a party suspects that the other side used a cloud-based service to communicate about the subject of the dispute, the party needs to figure out the best way to acquire the communication. The answer may seem simple: the electronic service provider is a non-party in possession of relevant documents – so just serve a third party subpoena requesting the documents. After all, the service provider might produce a stockpile of valuable communications, and the requesting party can avoid the headaches of fighting with the opposing side over issues of relevance, responsiveness, or privilege. If the service provider resists, the requesting party can always invoke the power of the court to enforce the subpoena.

But not so fast – some may argue that the Stored Communications Act (“SCA”) puts all of those great cloud-stored communications beyond the reach of a non-party subpoena, and, even worse, serving such a subpoena could lead to some serious and expensive discovery disputes with the opposing side.

The SCA, enacted in 1986 as Title II to the Electronic Communications Privacy Act, certainly impacts both voluntary and involuntary disclosure of electronic communications. In a sense, the SCA establishes privacy rights for users who store their data remotely with electronic service providers in that it generally prohibits a service provider from disclosing its users’ electronic communications. At its core, the SCA: (1) limits a service providers’ ability to voluntarily disclose the content its user’s stored communications; and, (2) establishes situations where a service provider may be compelled by the government to disclose that content. For the purposes of determining whether a service provider is in compliance with the SCA, disclosure under a civil subpoena is treated as voluntary disclosure sought by a private party rather than disclosure compelled by a governmental entity. Notably, the SCA only restricts a provider from disclosing the “content” of users’ communications; the Act imposes no restriction on the disclosure of non-content information.

Although communications sought might be protected by the SCA, the general prohibition on voluntary disclosure is subject to several exceptions. For example, providers may voluntarily disclose the content of protected communications where disclosure is necessary for the rendition of services or to law enforcement if the provider has a good faith belief that an emergency situation requires disclosure. Providers may also disclose the content of communications where the user of the service consents to the disclosure. Despite the numerous exceptions to the prohibition on disclosure, the SCA contains no exception for disclosure in response to a civil discovery subpoena. Accordingly, most courts interpreting the SCA have found that service providers are precluded from disclosing the content of covered communications in response to a civil subpoena, absent a clear statutory exception. To be clear, the SCA does not merely absolve a service provider from responding to a request for covered communications, it actively prohibits disclosure and authorizes a civil action against the provider for unauthorized disclosure. In some cases, a party who acquires protected communications through a subpoena could even be exposed to sanctions and liability in a civil suit, if the party acquires protected communications through an improper subpoena. See Theofel v. Farey-Jones, 359 F.3d 1066, 1077 (9th Cir. 2004). Recognizing the strength of the protections under the SCA, courts in some cases have granted a party’s motion to quash subpoenas to non-party service providers.

But whether communications are even protected by the SCA is a tricky question in itself. The first step to determining if communications are covered by the SCA is to determine what type of service provider maintains the communication. The SCA makes a distinction between electronic communication service (“ECS”) providers and remote computing service (“RCS”) providers. ECS providers are defined as providing users with “the ability to send or receive wire or electronic communications,” while RCS providers offer “computer storage or processing services by means of an electronic communications system.” Courts have struggled with the distinction, and have recognized that a service provider may provide both RCS and ECS to a single customer, depending on the circumstances. Several commentators have criticized the ECS/RCS distinction and have advocated for amended legislation, arguing that the distinction is out-dated and that modern service providers do not fit neatly into one category or the other. Regardless, for now courts and litigants are stuck with the distinction and must analyze the limitations on service providers accordingly.

Under the SCA, ECS providers are precluded from voluntarily disclosing communications that are “in electronic storage” with the provider. The provision has been interpreted broadly, prohibiting disclosure of basically all communications stored with ECS providers. On the other hand, RCS providers are precluded from disclosing communications “carried or maintained” by the provider, but only where the communication is maintained “solely for the purpose of providing storage or computer processing services,” and only where “the provider is not authorized to access the contents of any such communications for purposes of providing any services other than storage or computer processing.” In other words, the SCA provides no protection for communications maintained by RCS providers where the communications are not maintained by the provider for the provision of storage or processing services or if the provider can access the communication for purposes other than for the provision of such services.

The limitations on communications maintained with RCS providers can be critical. Many cloud-based computing services are offered free-of-charge, but only in exchange for allowing targeted marketing to the users of the services. Indeed, many cloud-based service agreements allow the service provider to access its users’ content in order to create user-specific advertising. Under a strict reading of the RCS provisions, such access may constitute authorized access for “providing any services other than storage or computer processing.” As such, the communications maintained with the RCS provider would not be protected by the SCA given that the targeted advertising constitutes an additional protection-destroying access. The result highlights the importance of the ECS/RCS distinction. Merely defining a provider as an RCS provider may place a user’s communications outside the scope of the SCA.

Despite the technicalities in the definitions under the SCA, the general rule remains that a service provider is prohibited from disclosing the contents of its users’ communications in response to a civil discovery subpoena. Even so, requesting parties still have an avenue for acquiring the documents. The SCA allows voluntary disclosure of communications where the user consents to disclosure. Thus, a requesting party can serve a request for production of documents on the opposing side, requesting all relevant communications stored with a cloud-based service provider, and the party would be obligated to retrieve and produce the documents. See Flagg v. City of Detroit, 252 F.R.D. 346 (E.D. Mich. 2008). Parties responding to requests for documents (under Federal Rule of Civil Procedure 34 or its state law equivalents) are typically obligated to produce all documents in their possession, custody, or control. In most jurisdictions, documents within a party’s custody or control are considered to be those documents to which the party has legal access. Because a user typically has legal access to documents stored with a cloud-computing service, the documents are generally considered to be within the users’ custody or control. So, while the SCA prohibits serving a subpoena directly on the cloud-based service provider, it does not prohibit serving a document request on the user of that service, and a user of the service will not be able to rely on the SCA’s protections in refusing to produce the requested documents.

When looking for that smoking-gun status update or email, it might be tempting to go straight to provider that maintains an opponent’s data. But the limitations imposed by the SCA should not be overlooked. The opposing side might invoke the SCA’s protections and turn an otherwise simple document request into a murky and contentious discovery dispute. A requesting party can likely avoid the trouble by serving a document request on the opposing party instead of going directly to the cloud-based service provider. Ultimately, litigants should remember that a treasure trove of information may be stored in the cloud, and utilizing the right discovery mechanism can ensure that the information will be produced.

For more information, please contact Benjamin Cheesbro or Alison Grounds.