City of Ontario v. Quon—The Supreme Court’s First Foray into Digital Privacy

How did the Supreme Court decide these critical issues? It didn’t, really. Justice Kennedy explained the high court’s trepidation as follows, “Prudence counsels caution before the facts in the instant case are used to establish far-reaching premises that define the existence and extent of privacy expectations enjoyed by employees when using employer-provided communication devices.” City of Ontario, California v. Quon, 130 S.Ct. 2619, 2629 (2010). However, the Supreme Court’s first foray into digital privacy was not for naught. The decisions from the trial judge and the court of appeals offer excellent outlines for business managers, IT specialists, and HR professionals to follow when developing risk-management policies and procedures, and when identifying and resolving digital-privacy situations. Also, the Supreme Court did not entirely resist the urge to drop helpful hints about some key business and legal issues here. In fact, Justice Kennedy seeded his opinion with enough insightful comments that he drew a rhetorical objection from Justice Scalia, who commented that, “in saying why it is not saying more, the Court says much more than it should.” Id. at 2635.

One crucial lesson for businesses to learn from this case is they need well-conceived policies establishing expectations for employees with respect to digital privacy in the workplace. One other key lesson is that business people should know enough about the existing and emerging digital technologies to identify potential privacy issues and obtain competent advice before the issues become legal problems. The facts of Quon’s lawsuit against the City of Ontario, and the decisions issued by the trial judge, court of appeals, and Supreme Court highlight the importance of these and other digital-privacy issues.

The Facts—The Realities of a Modern Day Workforce

“This case has its genesis in gross malfeasance which, no one disputes, took place in the Ontario Police Department’s dispatch center.” Quon, 445 F. Supp. 2d at 1121. The police department suspected that one of its dispatchers was feeding information to her boyfriend, who was a member of the Hell’s Angels motorcycle gang, about a police investigation of the gang. The department ran a sting, having a narcotics officer place a mock call to the dispatcher about the license plate of a known gang member. As soon as the dispatcher received the call, she sent a text message to another police dispatcher, asking the second dispatcher to warn the suspect that the narcotics officer was following him. After doing so, the second dispatcher sent a text informing a third dispatcher, April Florio, that the second dispatcher had taken care of the matter.

In concert with the sting, the city discovered that other police department employees were exchanging illicit text messages. The department had issued pagers to its SWAT team to facilitate coordination and rapid response in emergency situations. Some SWAT team members, including Jeff Quon, incurred overages by repeatedly exceeding their monthly data plans. The department reviewed 46 pages of texts that Quon had sent over a two-month period, and discovered numerous messages he had sent while on duty that “were, to say the least, sexually explicit.” Some such texts were sent between Quon and his wife, Jerilyn (who also was a police officer in the department), while others were exchanged between Quon and his mistress, April Florio.

The department had adopted and disseminated an appropriate written policy concerning its employees’ use of department-owned electronic devices, including the use of pagers and the exchange of text messages. The policy stated that the department “reserves the right to monitor and log all network activity”; that the employees’ use of the department’s computer systems “is not confidential”; that the systems “should not be used for personal or confidential communications”; that information “produced either in hard copy or in electronic form is considered city property”; and, most importantly, that employees “should have no expectation of privacy or confidentiality when using these resources.”

Despite this written policy, the department also had an unwritten procedure of not reviewing texts sent on department-owned devices. Even if an officer exceeded his or her data limit, the department did not review the texts if the officer paid the overage. The department only reviewed texts if the officer asked the department to pay the overage on the basis that the excess data usage was job related. Until it decided to review Quon’s texts, the department had followed this unwritten procedure.

Jeff Quon, Jerilyn Quon, and April Florio sued the City of Ontario and the officers who had reviewed their texts. They alleged that the city and the officers violated their common-law and constitutional rights to privacy. Jeff Quon also sued Arch Wireless Operating Co., Inc., with whom the department had contracted for text messaging service for department-owned pagers, alleging that Arch Wireless had violated the Stored Communications Act by disclosing his texts to the department.

The Trial Judge’s Decision—A Victory for Businesses

Businesses won a resounding victory in the trial court. The judge dismissed Quon’s claim against Arch Wireless, concluding that it had a right to disclose Quon’s texts to the department because the department was the subscriber of the text message services. While the judge initially found that Quon had a reasonable expectation that the texts he sent using the department-owned pager were private, the judge ultimately concluded at trial that the department was not be liable because it had reviewed the texts in the course of a reasonable workplace investigation. The judge’s decision highlights just how technically complex, legally difficult, and fraught with peril digital-privacy issues can be.

In 1986, Congress enacted a law called the Electronic Communications Privacy Act (ECPA). The purpose of that law is to protect the privacy of electronic communications, just as aural telecommunications are protected by the federal wiretap law. The ECPA thus prohibits unauthorized interception of electronic transmission. At the same time, Congress enacted the Stored Communications Act, the purpose of which is to protect the privacy of certain stored electronic communications.

The problem with the SCA is that it was written over two decades ago, long before the conception of the technologies of today. As the judge explained, because the SCA preceded “the mass use of the Internet and world wide web, its framework is at times ill-suited to address modern forms of communication. . . . Such a clash of technology and the current state of the law” took center stage in Quon’s case.

The SCA classifies a service provider like Arch Wireless as either a “remote computing service” or an “electronic communication system.” A remote computing service has the right under the law to disclose electronic communications to the subscriber of the service, typically a business or an employer like the City of Ontario. By contrast, an electronic communication system provider may disclose data held by it only if authorized to do so by the author or addressee of the communication. See 18 U.S.C. § 2702(b)(3). Thus, a service provider’s liability under the SCA (and a business’s or employer’s potential aiding or abetting liability) can depend on how these terms are applied in a particular situation. Unfortunately, the SCA’s 1986-based definitions of these terms (suited to email, at best) are often inadequate to classify the technologies that exist just 20 years later (e.g. text and instant messages, web mail, and Facebook and Twitter communications) as well as emerging new technologies (e.g., Android and iPhone applications).

A service provider qualifies as a remote computing service if it provides to the public “computer storage or processing services by means of an electronic communication system.” 18 U.S.C. § 2711(2). Alternatively, an electronic communications system consists of “computer facilities or related electronic equipment for the electronic storage” of “wire or electronic communications.” 18 U.S.C. § 2510(14) and (15). The judge struggled mightily to distinguish these two terms to classify Arch Wireless under the SCA. After a lengthy review of the history of the law and countervailing policy arguments, he ultimately concluded that Arch Wireless met the definition of a remote computing service, because it provided “long-term storage of communications not incidental to the transmission of the communication itself and not meant for backup protection.”

The trial judge’s decision on Quon’s claim for violation of his right to privacy was far less technical, but equally perilous. He would have agreed with the city’s argument that Quon had no reasonable expectation of privacy in his texts if all that had occurred was that he was

informed in writing and in person that the city considered the use of the pagers to fall within its e-mail policy, and that the city would monitor the use of its pagers, including auditing what messages were sent and received by them at any time. All of this would have put any employee on fair notice that the communications that were transmitted over the pager were, in essence, open to the public for view. Quon, 445 F. Supp. 2d at 1140.

But Quon’s expectation of privacy was “fundamentally transformed” by the department’s “conscious decision not to enforce” its policy. Before the department reviewed Quon’s texts, it “did not audit any employee’s use of the pager for the eight months the pagers had been in use. This was true even when overages were involved. [The department] in effect turned a blind eye to whatever purpose an employee used the pager, thereby vitiating [its] policy of any force or substance.” The department’s actions even “could be said to have encouraged employees to use the pagers for personal matters.” The judged therefore found that the department “effectively provided employees a reasonable basis to expect privacy in the contents of the text messages they received or sent over their pagers.”

The judge’s conclusion that Quon had a reasonable expectation of privacy in his texts resulted in that claim proceeding to trial. The jury concluded, however, that the department reviewed the texts in the course of a legitimate workplace investigation to assess if its monthly data limit was sufficient for the business purposes of its police officers. As a result, the judge found that the department’s review of the texts was reasonable under the circumstances, absolving the department of liability.

The Court of Appeals Decision—A Reversal of Fortunes

The victory for businesses was short lived, with round two awarded decisively to privacy advocates. Three judges on the U.S. Court of Appeals for the Ninth Circuit completely reversed the fortunes of the parties.

The judges reinstated Quon’s claim under the SCA, finding that Arch Wireless hosts an electronic communication system and is not a remote computing service. An electronic communication system, the judges reasoned, is nothing more than a service provider that affords its users “the ability to send or receive wire or elec­tronic communications” using its systems.

On its face, this describes the text-messaging pager services that Arch Wireless provided. Arch Wireless provided a service that enabled Quon . . . to send or receive electronic communications, i.e., text messages. Contrast that [with the] definition for [a remote computing service], which means the provision to the public of computer storage or processing services by means of an electronic communications system. Arch Wireless did not provide to the city computer storage; nor did it provide processing services. Quon v. Arch Wireless Operating Co., Inc., 529 F.3d 892, 901 (9th Cir. 2008).

The appellate judges also disagreed with the trial judge’s decision on Quon’s privacy claim. They reinstated that claim as well, finding it unreasonable for the department to review the actual texts just to determine if the usage limits were sufficient. There “were a host of simple ways to verify the efficacy of the . . . limit . . . without intruding on Quon’s rights,” they reasoned.

For example, the department could have warned him that for the month of September he was forbidden from using his pager for personal communications, and that the contents of all of his messages would be reviewed to ensure the pager was used only for work-related purposes during that time frame. Alternatively, if the department wanted to review past usage, it could have asked Quon to count the characters himself, or asked him to redact personal messages and grant permission to the department to review the redacted transcript. Id. at 909.

The decision of the three Ninth Circuit judges displeased some of their colleagues. Seven other judges on that court of appeals asked that case be reconsidered, but were unsuccessful in convincing enough of their colleagues to reconvene the matter. These dissenters raised commonsense reasons why it would have been unreasonable for Quon to expect any privacy in his text messages.

Given that the pagers were issued for use in SWAT activities, which by their nature are highly charged, highly visible situations, it is unreasonable to expect that messages sent on pagers provided for communication among SWAT team members during those emergencies would not be subsequently reviewed by an investigating board, subjected to discovery in litigation arising from the incidents, or requested by the media. . . . In light of these operational realities, a police officer could not reasonably expect to keep communications over a SWAT pager confidential. Rather, Quon could have avoided exposure of his sexually explicit text messages simply by using his own cell phone or pager. Quon v. Arch Wireless Operating Co., Inc., 554 F.3d 769, 776–77 (9th Cir. 2009).

The marked differences of opinion between the trial judge, the initial three appellate judges, and the seven other appellate judges highlight just how divisive digital-privacy issues often are, and just how technically complex and legally difficult it can be to resolve them, even for the brightest legal minds.

The Supreme Court Decision—Hints for the Future

The Supreme Court’s first decision was that it would not consider one of the main issues in the case. It declined to hear Arch Wireless’s appeal of Quon’s SCA claim, leaving businesses and legal counsel to struggle with the continuing uncertainties inherent in the law and conflicting lower-court precedents.

The high court instead focused solely on Quon’s claim that the city had violated his constitutional right to privacy. All nine justices agreed that the viability of that claim rested on whether the department’s review of Quon’s texts was reasonable under the circumstances (and they found that it was reasonable), not whether Quon could have reasonably expected the texts to be private.

The justices even acknowledged that unnecessary pronouncements about societal expectations of privacy in digital communications would be dangerous. For example, it noted that courts “must proceed with care when considering the whole concept of privacy expectations in communications made on electronic equipment owned by [an] employer. The judiciary risks error by elaborating too fully on the . . . implications of emerging technology before its role in society has become clear.” 130 S.Ct. at 2629. The court further elaborated on the risks of addressing digital privacy:

Rapid changes in the dynamics of communication and information transmission are evident not just in the technology itself but in what society accepts as proper behavior. [For example,] many employers expect or at least tolerate personal use of such equipment by employees because it often increases worker efficiency. . . . [As a result,] the law is beginning to respond to these developments, as some states have recently passed statutes requiring employers to notify employees when monitoring their electronic communications. . . . [However, at] present, it is [still] uncertain how workplace norms, and the law’s treatment of them, will evolve.

[T]he Court would have difficulty predicting how employees’ privacy expectations will be shaped by those changes or the degree to which society will be prepared to recognize those expectations as reasonable. . . . Cell phone and text message communications are so pervasive that some people may consider them to be essential means or necessary instruments for self-expression, even self-identification. That might strengthen the case for an expectation of privacy. On the other hand, the ubiquity of those devices has made them generally affordable, so one could counter that employees who need cell phones or similar devices for personal matters can purchase and pay for their own. Id. at 2629–30.

Despite clearly understanding the hazards of wading into a sea of digital-privacy issues, Justice Kennedy nonetheless seeded his opinion with helpful hints about some of the most important business and legal factors at issue here. For example, and most importantly, he stated that an employer’s policies concerning electronic communications in the workplace “will of course shape the reasonable expectations of [its] employees, especially to the extent that such policies are clearly communicated.”

The high court also acknowledged that the differing circumstances of each workplace must inform an employee’s expectations of privacy. For example,

[a]s a law enforcement officer, [Quon] would or should have known that his actions were likely to come under legal scrutiny, and that this might entail an analysis of his on-the-job communications. Under the circumstances, a reasonable employee would be aware that sound management principles might require the audit of messages to determine whether the pager was being appropriately used. Given that the city issued the pagers to Quon and other SWAT team members in order to help them more quickly respond to crises—and given that Quon had received no assurances of privacy—Quon could have anticipated that it might be necessary for the city to audit pager messages to assess the SWAT team’s performance in particular emergency situations. Id. at 2631.

Finally, Justice Kennedy recognized that an employer’s legitimate business needs to access and review an employee’s electronic communications impacts the scope of the employee’s reasonable expectation of privacy. In Quon’s case, for example, it would “be necessary to consider whether a review of messages sent on police pagers, particularly those sent while officers are on duty, might be justified for other [legitimate business] reasons, including performance evaluations, litigation concerning the lawfulness of police actions, and perhaps compliance with state open records laws.”

Justice Scalia admonished his colleagues for engaging in such judicial activism, stating that

lower courts will likely read the Court’s self-described “instructive” expatiation[s] . . . as a heavy-handed hint about how they should proceed. Litigants will do likewise, . . . bombarding lower courts with arguments about employer policies, how they were communicated, and whether they were authorized, as well as the latest trends in employees’ use of electronic media. Id. at 2635.

Whether advisable or not, businesses and their legal counsel welcome the guidance, limited though it may be, that the Supreme Court furnished here.

The Conclusion—Be Prepared to Address Digital Privacy Issues

Electronic communications invaded our workplaces long ago. It will be (indeed, already is) impossible to avoid facing digital-privacy issues. Businesses should prepare themselves to address these issues before they arise, not after they become legal problems.

To do so, every employer should adopt an electronic-communication policy tailored to the business needs and corporate culture of the company. The policy should, at a minimum, instruct employees that (1) they cannot expect that the communications they have or the data they create on company-owned devices will be private; (2) their communications and data constitute company property; and (3) the company reserves the right to access and review, and does, in fact, periodically access and review, employees’ electronic communications and data on company-owned devices. While the policy can provide an employer with appropriate flexibility, a business must also ensure compliance with its policy to avoid the problems experienced by the City of Ontario with respect to Jeff Quon.

Finally, businesses should also learn to recognize digital-privacy situations that could lead to liability under the ECPA and SCA. Although these two laws are neither unambiguous nor simple to apply, with the assistance of qualified legal counsel, businesses should be able to minimize or avoid risk by planning ahead rather than simply forging ahead.

_{Cameron G. Shilling practices with McLane, Graf, Raulerson & Middleton, P.A. in Manchester, New Hampshire.}

^{Copyright © 2011, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).}