Personal Business on a Business Device: Is Anything Private?

Email. Where office workers are routinely carpet-bombed with everything from complaints about over-cooked popcorn in the office microwave to requests for "an important project before you head out for the long weekend." And in the case of business lawsuits, it is where the smoking guns are often found. Along with flying bullets. And a confession. It was not that long ago that Apple and Google were accused of having a no-hire agreement with each other. Proving the case was made fairly simple when emails like the following were uncovered: 

When a single email can change the trajectory of a case, it is no surprise that discovery in civil litigation is often geared towards electronic communications - email, texts, voicemails, and the like. But what happens when a party or third-party raises privacy concerns? Is a personal email or text on a non-personal computer private? Article I, section 1 of the California Constitution provides that:

All people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy. 

The phrase "and privacy" was added to Section 1 by an initiative adopted by California voters in 1972 (the Privacy Initiative or Amendment). See e.g., Hill v. National Collegiate Athletic Assn., 7 Cal. 4th 1, 15 (1994). But although a privacy right is identified as fundamental, it is not absolute. It can be waived, and it can give way to the extent necessary to accommodate competing interests. 

The Privacy Framework: Countervailing Interests or Compelling Need?   

In Williams v. Superior Court, 3 Cal. 5th 531 (2017), California's Supreme Court examined whether contact information of putative class members should be protected from disclosure for, among others, privacy reasons. The plaintiff Williams sued Marshalls of California (Marshalls) for alleged wage and hour violations. Id. at 538. Williams filed a representative action on behalf of the State of California pursuant to Labor Code section 2698 (the Labor Code Private Attorneys General Act of 2004) and, in the course of discovery, sought contact information for fellow California employees. Id. Marshalls resisted the discovery, and among its arguments was that the information was protected from disclosure by Article I, section 1 of the California Constitution. Id. at 542. When Williams brought a motion to compel, the trial court granted the motion as to the store where Williams worked, but it denied discovery as to every other California store. Later, the Court of Appeal denied Williams' writ petition, but California's Supreme Court granted review. 

On review, the Court began its analysis emphasizing a party's broad and liberal rights to discovery: "In the absence of privilege, the right to discovery in this state is a broad one, to be construed liberally so that parties may ascertain the strength of their case and at trial the truth may be determined." Id. at 538. Indeed, "[a]ny party may obtain discovery regarding any matter, not privileged, that is relevant to the subject matter involved in the pending action ... if the matter either is itself admissible in evidence or appears reasonably calculated to the discovery of admissible evidence." Cal. Civ. Proc. Code § 2017.010. Because of these "prodiscovery policies[,]" trial courts are required to "be mindful" of the following:

[1] [T]he Legislature's preference for discovery over trial by surprise[;]

[2] [Trial courts] must construe the facts before it liberally in favor of discovery[;]

[3] [Trial courts] may not use its discretion to extend the limits on discovery beyond those authorized by the Legislature[;] and

[4] [Trial courts] should prefer partial to outright denials of discovery.

Williams, 3 Cal. 5th at 540, citing Greyhound Corp. v. Superior Court, 56 Cal. 2d 355, 383 (1961).

It is against this prodiscovery backdrop that the Williams Court turned to the issue of privacy. Although privacy is not defined in California's Constitution, the first step in a privacy analysis is identifying the "specific, legally protected privacy interest." Id. at 35. Even when the interest is identified, "privacy interests are best assessed separately and in context." Id. For example, "[o]ne factor relevant to whether an [alleged privacy] intrusion is 'highly offensive to a reasonable person' is the extent to which the person whose privacy is at issue voluntarily entered into the public sphere." Hill, 7 Cal. 4th at 26, citing Melvin v. Reid, 112 Cal. App. 285, 290 (1931). 

Very generally, there are two recognized classes of privacy interests: (1) informational privacy: a person's interest in precluding the dissemination or misuse of sensitive and confidential information; and (2) autonomy privacy: a person's interest in making intimate personal decisions or conducting personal activities without observation, intrusion or interference. Hill, 7 Cal. 4th at 35. Informational privacy was "the core value furthered by the Privacy Initiative." Id., citing White v. Davis, 13 Cal. 3d 757, 775 (1975). The Ballot Argument in favor of the Privacy Initiative explained that a constitutional right of privacy "prevents government and business interests from [1] collecting and stockpiling unnecessary information about us and from us, and [2] misusing information gathered for one purpose in order to serve other purposes or to embarrass us." Ballot Pamp., Proposed Stats. and Amends. to Cal. Const. with arguments to voters, Gen. Elec. (Nov. 7, 1972) p. 27. Whether something is informational or autonomy privacy can sometimes be murky, but Williams swiftly decided that "absent employees have a bona fide interest in the confidentiality of their contact information." Id. at 554.

Williams is significant because it debunked the notion that disclosure of private information can only be ordered upon a showing of a "compelling state interest" or "compelling need." Williams reiterated the framework identified in Hill, which first requires that "[t]he party asserting a privacy right must establish [1] a legally protected privacy interest, [2] an objectively reasonable expectation of privacy in the given circumstances, and [3] a threatened intrusion that is serious. Id., citing Hill, 7 Cal. App. 4th at 35 - 37. Next, "[t]he party seeking information may raise in response whatever legitimate and important countervailing interests disclosure serves...." Id. The party seeking privacy protection respond by "identify[ing] feasible alternatives that serve the same interests or protective measures that would diminish the loss of privacy." Id. From there, the trial court "balance[s] these competing considerations." Id.

Williams identified a series of cases that stood for the proposition that a "compelling state interest" or "compelling need" was required once a privacy right is identified. Williams explained that these cases are wrong: "To the extent prior cases require a party seeking discovery of private information to always establish a compelling interest or compelling need, without regard to the other considerations articulated in Hill ..., they are disapproved." Id. at  557. To be sure, "[a] 'compelling interest' is still required to justify an 'obvious invasion of an interest fundamental to personal autonomy.' But whenever lesser interests are at stake, the more nuanced framework [of Hill] applies, with the strength of the countervailing interest sufficient to warrant disclosure of private information varying according the strength of the privacy interest itself, the seriousness of the invasion, and the availability of alternative measures." Id. at 556, citing Hill, 7 Cal. App. 4th at 35 - 40. 

Based on the proper Hill analysis, the Court ordered Marshalls to provide statewide employee contact information. Williams concluded that there was no reasonable expectation of privacy in the particular circumstances because the court "doubt[s] William's fellow employees would expect that information to be withheld from a plaintiff seeking to prove labor law violations committed against them and to recover civil penalties on their behalf." Id. at 554. Nor was there a serious invasion of privacy. There were mechanisms available where employees could opt out of having their information shared: "[T]here is not justification for concluding disclosure of contact information, after affording affected individuals the opportunity to opt out, would entail a serious invasion of privacy." Id. at 555, citing Pioneer Electronics (USA) Inc., v. Superior Court, 40 Cal. 4th 360, 373 (2007). Without the threshold requirement of establishing a serious invasion of a legally protected privacy interest, the Williams Court did not have to engage in any balancing of interests. Id. at 555. 

Personal Conduct on a Non-Personal Computer: The Hill Test Applies 

When it comes to employee information on business devices, TBG Insurance Services Corp. v. Superior Court, 96 Cal. App. 4th 443 (2002), is illustrative. The plaintiff Robert Zieminski sued his former employer TBG Insurance Services Corp. (TBG) for wrongful termination. TBG alleged that it properly terminated Zieminski when it discovered that he "had violated TBG's electronic polices by repeatedly accessing pornographic sites on the Internet while he was at work." Id. at 446.

During the course of discovery, TBG requested that Zieminski return his home computer (which TBG purchased for him). Id. Zieminski refused. Zieminski acknowledged that TBG purchased his computer, but he argued that it contained private information. Therefore, he offered to "either return it or purchase it, but said [if he were to return it] that it would be necessary 'to delete, alter, and flush or destroy some of the information on the computer's hard drive since it contain[ed] personal information which is subject to a right of privacy.'" Id. at 446 - 447. TBG filed a motion to compel production, which the trial court denied. The trial court reasoned that the information on the computer was "merely corroborative of facts already in [TBG's] possession; since [TBG] already has extensive evidence, any additional evidence that the [home computer] may disclose does not outweigh the fact that the computer contains personal information." TBG filed a petition for a writ of mandate, and the Court of Appeal granted review. 

The Court began its analysis by noting that "the trial court's finding that TBG already has 'extensive evidence' misses the mark." Id. at 448. "TBG is entitled to discovery of any nonprivileged information, cumulative or not.... Admissibility is not the test, and it is sufficient if the information sought might reasonably lead to other, admissible evidence." Id. at 448 - 449 (emphasis in original).

The Court then turned to Zieminski's claim that production of his home computer invaded his right to privacy. Utilizing the Hill test, the court assumed that Zieminski had a privacy interest in at least some of the information on his home computer. Id. at 449.

However, turning to the second threshold factor from Hill, the Court concluded that Zieminski did not have a reasonable expectation of privacy because (1) Zieminski consented to TBG's policy, which allowed for monitoring of his computer, (2) accepted community norms did not support a reasonable expectation of privacy, and (3) Zieminski had the opportunity to consent or reject the very thing that constitutes the invasion. Id. at 450. 

To illustrate, TBG provided Zieminski with its policy statement (which Zieminski signed), which provided that TBG had the right to have "authorized personnel ... monitor messages and files on an 'as needed' basis." Id. at 453. The policy further provided that monitoring could "include the review, copying, or deletion of messages, or the disclosure of such messages or files to other authorized persons." Id. The Court explained:

To state the obvious, no one compelled Zieminski ... to use the home computer for personal matters, and no one prevented him from purchasing his own computer for his personal use. With all the information he needed to make an intelligent decision, Zieminski agreed to TBG's policy and chose to use his computer for personal matters. 

Id. Zieminski's consent was dispositive: "By any reasonable standard, Zieminski fully and voluntarily relinquished his privacy rights in the information he stored on his home computer, and he will not now be heard to say that he nevertheless has a reasonable expectation of privacy." Id.   

With respect to "community norms," the Court explained that "'plaintiff's interest in his privacy must be relative to the customs of the time and place, to the occupation of the plaintiff and to the habits of his neighbors and fellow citizens.'" Id. at 450, citing Hill, 7 Cal. 4th at 37. With respect to the monitoring of employee computers, the Court explained that "[w]e are concerned in this case with the 'community norm' within 21st-century computer-dependent businesses." Id. at 451. According to a 700,000-member management association, for example, "more than three-quarters of this country's major firms monitor, record, and review employee communications and activities on the job, including their telephone calls, e-mails, Internet connections and computer files." Id. Accordingly, "the use of computers in the employment context carries with it social norms that effectively diminish the employee's reasonable expectation of privacy with regard to his employer's computers." Id.   

Finally, the Court explained that Zieminski could have avoided this potential invasion of privacy by simply using his TBG-issued computer for work purposes. In Hill, for example, the case involved mandatory drug testing for student athletes via urine samples. If the athletes refused to participate in the drug test, they could not participate in sports. This was no the case with Zieminski: "When an employer requires consent to computer monitoring, the employee may have his cake and eat it too—he can avoid any invasion of his privacy by using his computer for business purposes only, and not for anything personal." Id. at 450 n.5.   

Beyond Privacy: Attorney-Client Communications On Employer's Computer? 

What about communications with an attorney over an employer's computer? While a person's right of privacy is often balanced against other competing interests, the attorney-client privilege is absolute. See Costco Wholesale Corp. v. Superior Court, 47 Cal. 4th 725, 732 (2009). If a timely claim of privilege is made and the requisite foundation is established, no disclosure may be ordered regardless of the relevance, necessity, or circumstances peculiar to the case. Id. However, the attorney-client privilege only applies to confidential communications. And the waiver analysis in privacy cases has a similar application to attorney-client communications on a company computer. See e.g., Holmes v. Petrovich Development Company, LLC, 191 Cal. App. 4th 1047 (2011) 

In Holmes, the plaintiff Gina Holmes sued her former employer, Petrovich Development Company, LLC (Petrovich) for wrongful termination related to her anticipated pregnancy leave. After a series of emails with her employer about the timing of her pregnancy leave, Holmes used a company computer to email an attorney. Id. at 1056. Holmes and her attorney claimed the communications were protected by the attorney-client privilege and demanded their return during pretrial litigation. The trial court refused and allowed their introduction during trial, which Holmes lost. On appeal, Holmes argued that the trial court's rulings required reversal of her adverse judgment. Id. at 1064. 

The Court of Appeal affirmed the trial court's rulings. Petrovich's handbook provided that employees had "no right of privacy" with respect to company emails. It stated plainly that "[e]mail is not private communication, because others may be able to read or access the message. E-mail may be best regarded as a postcard rather than as a sealed letter...." Id. 1052. As result, even under the higher protections afforded to the attorney-client privilege, the Court held that Holmes waived the privilege: "[Holmes] used [Petrovich's] computer, after being expressly advised this was a means [of communication] that was not private and was accessible by [Mr.] Petrovich, the very person about whom Holmes contacted her lawyer and whom Holmes sued. This is akin to consulting her attorney in one of defendants' conference rooms, in a loud voice, with the door open, yet unreasonably expecting that the conversation overheard by Petrovich would be privileged." Id. at 1068.        

Holmes next argued that notwithstanding Petrovich's handbook, she did not think that Petrovich actually monitored any emails. The Court was unmoved: "Just as it is unreasonable to say a person has a legitimate expectation that he or she can exceed with absolute impunity a posted speed limit on a lonely public roadway simply because the roadway is seldom patrolled, it was unreasonable for Holmes to believe that her personal email sent by company computer was private simply because, to her knowledge, the company had never enforced its computer monitoring policy." Id. at 1071. 

Conclusion

Employee handbooks almost invariably provide an employer the right to monitor employee emails and computers. In TBG, the Court explained that "the use of computers in the employment context carries with it social norms that effectively diminish the employee's reasonable expectation of privacy with regard to his employer's computers." That was in 2002. It will be difficult, if not impossible, for an employee to argue—seventeen years later—that any expectation of privacy on a work computer has done anything but decrease.     

David Sugden is a shareholder at Call & Jensen. He can be reached at [email protected].