Sensationalist Headlines Might Drive Page Views, but Not Good Privacy Law or Policy

Skimming through my daily privacy law newsfeeds last week, I came across the following headline on multiple occasions:  Google says e-mail users have “no reasonable expectation of privacy.” In quotes. Meaning Google actually said that. “Really?” I thought. That can’t be right. I bet Google did not actually say that.

Guess what? Google did not actually say that.

I’ll preface the rest of this piece by making clear that I am not in the business of defending or apologizing for Google. Those who know me well know that’s not the case. Not in the least. But what happened last week reaches far beyond Google and demonstrates the folly of letting the media drive the privacy debate in this country—and, consequently, the development of privacy law and policy.

What did Google say, and why do we care?

Here’s the situation. Google is defending a multi-district litigation in the U.S. District Court for the Northern District of California involving allegations that Google, through its Gmail service, is illegally intercepting e-mails when it scans them. In June (yes, in June – there’s the first sign that something is amiss here since this story broke in August – hmmm), Google filed a motion to dismiss. The hearing on the motion to dismiss is set for September 5.

A little legal context is needed to understand what is going on here. This is a motion to dismiss, so Google is challenging the plaintiffs’ pleadings. The court must assume that the facts as alleged by plaintiffs are true, and Google is not allowed to introduce any extraneous facts. So “truth” has very little to do with the proceeding here.

Plaintiffs assert claims under the federal Electronic Communications Privacy Act (ECPA) and California’s eavesdropping law–referred to by the parties as the California Invasion of Privacy Act (CIPA). Not surprisingly, Google’s arguments are legal arguments as to why those laws don’t apply here. Google asserts numerous arguments in its motion to dismiss, among other things: (1) Plaintiffs’ wiretapping claims under ECPA fail because the alleged scanning practices are part of Google’s ordinary course of business as an electronic communications service (ECS) provider; (2) the senders and recipients of the e-mails at issue have all consented to the processing of their e-mails by Google; (3) CIPA does not apply to e-mail communications; (4) plaintiffs have no Article III standing to pursue a CIPA claim; (5) plaintiffs fail to allege any connection to California; and (6) plaintiffs allege no facts to show that their e-mails were “confidential communications” within the meaning of CIPA.

Where in here did Google allegedly say anything about people having no reasonable expectation of privacy in their e-mails? In the context of its arguments as to why users have consented to the Gmail practices for purposes of the California law, Google argued that even the plaintiffs who do not use Gmail “nonetheless impliedly consent to Google’s practices by virtue of the fact that all users of e-mail must necessarily expect that their e-mails will be subject to automated processing.” In other words, Google says, e-mail users must expect that their e-mails will be processed by a third party. This is followed by the paragraph that caused the advocacy group Consumer Watchdog, and the media, to go crazy:

“Just as a sender of a letter to a business colleague cannot be surprised that the recipient’s assistant opens the letter, people who use web-based e-mail today cannot be surprised if their communications are processed by the recipient’s ECS provider in the course of delivery. Indeed, “a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.” Smith v. Maryland, 442 U.S. 735, 743-44 (1979). In particular, the Court noted that persons communicating through a service provided by an intermediary (in the Smith case, a telephone call routed through a telephone company) must necessarily expect that the communication will be subject to the intermediary’s systems. For example, the Court explained that in using the telephone, a person “voluntarily convey[s] numerical information to the telephone company and ‘expose[s]’ that information to its equipment in the ordinary course of business.” Id. at 744 . . .

That’s it. Google cited to a 34-year-old Supreme Court case that articulates the well-established third-party doctrine. Google was quoting Supreme Court law. If you want to learn more about the third-party doctrine, read any one of the articles authored by Prof. Orin Kerr of George Washington University Law School on the subject, in particular, “The Case for the Third-Party Doctrine.” I cannot do that justice here, and that’s really not my objective. My point is a broader one.

By glossing over what actually happened here, and the complexities of the pending litigation, Consumer Watchdog and the media are missing the complexities of this issue, complexities that must be discussed in order to arrive at the right conclusion. I’ll mention two here since my space is limited.

Number one:  Privacy is contextual and encompasses a number of things – while an individual’s e-mails may be scanned, whether that person’s privacy has been violated depends, at least in part, on the use to which that information has been put, whether that information has been shared, and whether the user consented to that use and/or sharing. The mere fact that Google asserts that an individual must expect his or her e-mail will be processed when sent – a noncontroversial proposition in today’s day and age – does not mean that the individual’s privacy has been violated. If you cannot accept the notion that a third party is going to process your e-mail, you might as well shut down your computer, throw away your smartphone and go off the grid entirely. Gmail users get free e-mail in exchange for agreeing to receive targeted advertising based on automated scanning of e-mails. If you cannot accept that notion, don’t use Gmail. Non-Gmail users who send e-mails to Gmail users know that someone is going to process that e-mail to send it to the recipient. Whether those users also consent to having their e-mails scanned for other purposes – that’s the real question that requires analysis. But that’s lost in this mess.

Number two:  There is a legitimate question requiring legal analysis – and that the court will presumably evaluate in ruling on Google’s arguments – as to whether the Fourth Amendment third-party doctrine should apply in the context of a California statutory claim challenging Gmail scanning of users’ e-mail for advertising or other purposes. That’s also an important legal debate that deserves attention.

But the headlines did not read, “Google Erroneously Claims That Non-Gmail Users Should Expect Their E-mails Will Be Scanned for Advertising Purposes” or “Google Improperly Invokes the Third-Party Doctrine In Defending Gmail Privacy Claims.” Nope. Instead, the headlines read, “GOOGLE: If You Send To Gmail, You Have 'No Legitimate Expectation Of Privacy'.” And, even better, in Consumer Watchdog’s response to clarifications regarding the story, “Google Is Either Lying To The Court Or To The Public, Consumer Watchdog Says.”

What do such headlines accomplish? They sell newspapers. (Well, no, probably not, but they might draw page views.) They incite anger and suspicion as to whether corporate America is flat-out lying to the public about privacy practices, anger that is already at an all-time high due to the recent revelations regarding the NSA surveillance programs. When I posted a short note on a popular legal and information security listserv last week clarifying the facts as to what Google said, I was greeted with the famous Spiderman quote, “With great power comes great responsibility.” Yes, really. Because I pointed out that Google cited a Supreme Court case.

Google is entitled to defend itself based on existing law. Privacy advocates, consumers and regulators who take issue with Google’s position should contest Google’s interpretation of the law in court. But mischaracterizing Google’s legal argument to suggest that Google doesn’t care about people’s privacy, for lack of a better description, doesn’t serve to advance the interests of privacy or consumer protection.

Written By

Tanya Forsheit, CIPP/US



  • jb Aug 21, 2013

    I was also skeptical, and read the case immediately to see if 'Google really said that.' I agree that the recent headlines have been reductionist, if not outright misleading. However, as I read through Google's privacy policies and GMAIL terms of use, I couldn't find anything to indicate one's email would be kept confidential. If there is anything to that effect, I'd love to see it.
    In that light, are the recent headlines really that far from the truth?

