The intersection of individual employee privacy and the proliferation of the use of hand-held devices and smart phones for business purposes, including the increasing popularity of bring-your-own-device (BYOD) policies, continues to generate thorny questions for employers. In determining whether and how personal electronic communications are protected from third parties, one important aspect of the analysis is the scope of the Stored Communications Act (SCA).1
Recently, the Fifth Circuit Court of Appeals affirmed that the SCA does not apply to data stored by an individual on a cell phone, thus joining several other courts in limiting the scope of the SCA.2 In so holding, the Fifth Circuit found that the SCA protects data stored by an electronic communications service provider (e.g., the provider of cell phone or internet service), but not data stored on an individual’s personal hand-held device or computer.
Garcia v. City of Laredo: Fifth Circuit Adopts a Narrow Construction of the SCA
The SCA is part of the Electronic Communications Privacy Act that Congress passed in 1986 “to protect intrusions on individual privacy that the Fourth Amendment did not address.” It prohibits the unauthorized access of a “facility through which an electronic communication service is provided” and the “electronic communications” stored on that facility.
The key issue in Garcia v. City of Laredo was whether a cell phone qualified as a “facility” under the SCA. The Fifth Circuit found that it did not. First, the court reasoned that while the statute did not define the term “facility,” it did define the terms “electronic communication service” and “electronic storage.” The court found that these definitions made clear that Congress intended the statute to apply to providers engaged in the actual transmission of electronic communications, not to physical devices of individuals.
Second, the court favorably cited the decisions of a number of other courts that have interpreted the SCA to apply to communications stored by service providers, but not to individual computers or cell phones. The court agreed with the reasoning that such personal devices only enable individuals to use an electronic communication service, but are not electronic communication services themselves. Finally, the court noted that this narrow reading of the SCA is consistent with the SCA’s legislative history, which “deals only with facilities operated by electronic communications services such as ‘electronic bulletin boards’” and the risk that hackers could access these facilities.
Possible Impact of Decision
The Fifth Circuit’s decision signals that the SCA does not apply to communications stored on personal devices regardless of who accesses the communication or for what purpose. In Garcia, the plaintiff was a police dispatcher in Laredo, Texas. The wife of a police officer removed the plaintiff’s cell phone from an unlocked locker in a police station. When she found text messages and images she believed were in violation of department policy, she gave the cell phone to police department supervisors and alerted them to the content. The police department concluded that the plaintiff had violated department rules and regulations and terminated her employment based “in whole or in part” on the images and text messages on the plaintiff’s personal cell phone. The Fifth Circuit affirmed the district court decision that the SCA did not prohibit the plaintiff’s employers from accessing personal electronic communications on her cell phone and then using those communications as the primary (or only) reason for terminating her employment.
This narrow reading of the SCA serves to emphasize the complexities surrounding the use of personal devices in the workplace and the uncertain legal landscape that applies to such devices. In this case, the employee attempted to use the SCA to protect against her employer’s unauthorized access and use of information stored on her personal device, only to have the court reject the application of the SCA to such data.
While the Garcia decision does indicate that an employer need not worry about the SCA when it comes to the access or use of employee data stored on personal devices, the decision does not indicate that an employer may access and use such information with impunity. Any employer should approach these issues with caution and may want to consider implementing policies and procedures relating to the use of personal devices in the workplace or for work-related activities as well as to employer access to such devices.
For more information about the Garcia opinion, or any other matter raised in this Legal Update, please contact Anthony J. Diana at +1 212 506 2542, Therese Craparo at +1 212 506 2312, Marcia Goodman at +1 312 701 7953, Andy Rosenman at +1 312 701 8744 or John Nadolenco at +1 213 229 5173.