Skip to main content

Court: Protections of Electronic Communications Privacy Act Extend to Non-US Citizens

Written by Julia Siripurapu

In an important ruling for Internet service providers, the U.S. Court of Appeals for the Ninth Circuit has  unanimously affirmed the ruling of a district court that the provisions of the Electronic Communications Privacy Act of 1986 (ECPA) prohibiting internet service providers from disclosing the contents of stored communications protect the U.S.-stored electronic communications of foreign citizens.  The ECPA consists of three statutes: the Wiretap Act, the Pen Register statute, and the Stored Communications Act.

Suzlon Energy Ltd , an Indian company, demanded via a civil subpoena that Microsoft Corp. produce e-mail communications from the Microsoft Hotmail email account of Rajagopalan Sridhar, an Indian citizen. Suzlon sought the emails under Section 1782 of Title 28 of the United States Code to use in civil fraud proceedings pending against Sridhar in the Federal Court of Australia. The Ninth Circuit held in a 2004 case that the ECPA limits § 1782 by making it illegal for an entity that provides an “electronic communication service” to the public to produce the contents of its stored communications. Section 2510(15) of the ECPA defines "electronic communication service" as "any service which provides to users thereof the ability to send or receive wire or electronic communications" and Section 2510(13) defines a "user" as "any person or entity who — (A) uses an electronic communication service; and (B) is duly authorized by the provider of such service to engage in such use."

The district court initially granted Suzlon's petition for production of the documents and in response, Microsoft filed objections, arguing, that the production of the emails would violate the ECPA. The district court agreed with this argument, held that the plain terms of the statute applied the ECPA to all persons, including foreign citizens like Sridhar, and granted Microsoft’s motion to quash. Suzlon appealed the district court’s decision and argued that since based on the ECPA’s legislative history Congress’ primary intent in passing the ECPA was to protect the privacy interests of U.S. citizens, Congress could not have intended for the ECPA protections to extend to non-U.S. citizens.

In rejecting Suzlon’s legislative history argument, the Court noted that “to fully protect American citizens it might be necessary to extend the ECPA to all domestic communications, regardless of who sent them” and that Suzlon’s narrow interpretation of the ECPA would put internet service providers in the “untenable” position of having to engage in the “costly, fact-intensive and difficult determination” of whether each account holder is entitled to Fourth Amendment protection.

The Court focused on the plain language of the ECPA and the interpretation of the term "any person" in Section 2510(13) of the statute. In affirming the district court’s decision that the plain language of the ECPA extends its protections to non-U.S. citizens, the Court interpreted the term “any person” as “any person, including foreign citizens” and found that the ECPA as a whole confirms Congress’ intention that the protection of the ECPA extent to non-U.S. citizens. The Court noted that “it is clear that the ECPA at least applies whenever the requested documents are stored in the United States” and, in this case, because Sridhar’s emails were stored on a domestic server by a domestic corporation, the ECPA protections apply to him although he is an Indian citizen. The Court made it clear that it did not address whether the ECPA applies to documents stored or acts that occurred outside of the United States and cited a prior Ninth Circuit decision that the ECPA does not cover acts outside of the United States (Zheng v. Yahoo! Inc.,2009 WL 4430297 at *4, No. C-08-1068 MMC (Dec. 2, 2009)).

Subscribe To Viewpoints

Author

Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.