Tsibouris & Associates

Tuesday, November 11, 2008

Federal Rule of Evidence 502: Protecting Against the Inadvertent Waiver of the Attorney-Client Privilege

By Kelly Prior, Esq.

President Bush recently signed a bill creating new Federal Rule of Evidence 502, which addresses the disclosure of communications and information protected by either the attorney-client privilege or the work-product doctrine. The purpose of FRE 502 is two-fold: 1) to resolve the conflicts which have arisen between courts in the area of inadvertent disclosure and subject matter waiver; and 2) to bring some measure of control over spiraling discovery costs that are due in part to the concern that any disclosure, however small or unintentional, will result in the subject matter waiver of all protected communications and information. The Rule provides several protections, as follows:

Subsection (a) applies to disclosures which are made in a federal proceeding or to a federal office or agency. When a disclosure is made in that context and the privilege or protection is waived, the waiver will only apply to undisclosed communications or information when the waiver is intentional, the same subject matter is involved and “fairness” dictates that the disclosed and undisclosed communications or information be considered together. Thus, subject matter waiver is reserved for those cases where a party intentionally produces protected information in a selective, misleading and unfair manner.

Subsection (b) applies to inadvertent disclosures which are made in a federal proceeding or to a federal office or agency. In such cases, the inadvertent disclosure does not constitute a waiver if the holder of the privilege or protection took “reasonable steps” to both prevent the disclosure and to rectify the error.

Subsection (c) addresses the difficulties which often arise when the disclosure of protected communication or information is made in a state proceeding, the communication or information then becomes part of a federal proceeding on the grounds that the disclosure constituted a waiver, and there is a conflict between the state and federal laws as to whether a waiver occurred. Rule 502(c) instructs the federal court to apply the most protective law as between the two.

Subsection (d) provides that the terms of confidentiality orders (pertaining to the disclosure of privileged or protected communication or information) entered into in federal proceedings are enforceable against non-parties in any state or federal proceeding.

Subsection (e) makes it clear that while the parties in a federal proceeding may enter into a binding agreement to limit the effect of waiver by disclosure between themselves, such an agreement is not binding on non-parties. The agreement must be made part of a court order in order for it to bind non-parties.

It will be interesting to see over the next few years how effective the new rule is in preserving attorney-client privilege and work product protections and in reducing discovery costs.



Monday, November 10, 2008

Google Updates IP Address Log Retention Policy

By Dino Tsibouris & Mehmet Munur

On September 8, 2008, Google announced that it will reduce the amount of time it retains distinct IP addresses from 18 months to 9 months due to pressure from European regulators. This is not the first time, and likely not the last time, Google will have to amend its IP log retention period in order to comply with the European regulators’ strict policies.

In June of 2007, Google had to reduce the amount of time it retained distinct IP addresses from 24 months to 18 months, due to pressure from the EU Article 29 Data Protection Working Party. Eighteen months after obtaining the IP addresses, Google anonymized its IP logs by replacing the last byte of each IP address with hashes (for example 216.54.106.###). Then, Google “firmly reject[ed] any suggestions that [it] could meet [its] legitimate interests in security, innovation and anti-fraud efforts with any retention period shorter than 18 months.”

This recent change in IP log retention policy is certainly in part due to the Working Party’s Opinion on Data Protection Issues Related to Search Engines released in March 2008. The Working Party suggested that the “retention of personal data and the corresponding retention period must always be justified (with concrete and relevant arguments) and reduced to a minimum, to improve transparency to ensure fair processing, and to guarantee proportionality with the purpose that justifies such retention.” More importantly, if “search engine providers retain personal data longer than 6 months, they will have to demonstrate comprehensively that it is strictly necessary for the service.” The Working Party then concluded that “[i]n view of the initial explanations given by search engine providers on the possible purposes for collecting personal data, the Working Party does not see a basis for a retention period beyond 6 months.” It appears that Google’s rejection was not firm enough.

Before issuing this opinion, the Working Party sent questionnaires to many search engines. Undoubtedly, Google was one of the search engines that received a questionnaire. Google must have predicted that the Working Party would issue an opinion on IP addresses and cookie use as a result of this questionnaire. Google probably provided all the justifications that it could, but the Working Party was not satisfied. Considering that the Working Party concluded that logs should be retained for 6 months—not 9—Google either has a better justification, or another revision to its privacy policy awaits Google in the near future.

Google may also have problems with the methods it uses to anonymize the logs. The Working Party opinion also commented on Google’s anonymization methods and suggested that they may not be satisfactory under all circumstances. “Currently, some search engine providers truncate IPv4 addresses by removing the final [byte], thus in effect retaining information about the user's ISP or subnet, but not directly identifying the individual. The activity could then originate from any of 254 IP addresses. This may not always be enough to guarantee anonymisation.”
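The truncation described above can be checked against a log before the original addresses are discarded. The following Python sketch is an added example, not Google's or the Working Party's method: it zeroes the final byte of each IPv4 address (an assumed rendering of the `216.54.106.###` form) and counts how many distinct addresses were actually observed under each truncated prefix. The log format, sample lines and function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log (timestamp, client IP, query); addresses are from
# the RFC 5737 documentation ranges, not real traffic.
SAMPLE_LOG = """\
2008-09-01T10:00:01 192.0.2.17 weather columbus
2008-09-01T10:00:05 192.0.2.44 flights to rome
2008-09-01T10:01:12 192.0.2.17 pizza near me
2008-09-01T10:02:30 192.0.2.201 used cars
2008-09-01T10:03:02 198.51.100.9 rare disease clinic
2008-09-01T10:04:45 198.51.100.9 divorce lawyer
2008-09-01T10:05:00 not-an-ip broken line
"""

def truncate_ipv4(addr: str) -> str:
    """Zero the final byte of an IPv4 address (keep only the /24 prefix)."""
    ip = ipaddress.IPv4Address(addr)          # raises ValueError if malformed
    net = ipaddress.ip_network(f"{ip}/24", strict=False)
    return str(net.network_address)

def anonymity_sets(log_text: str) -> dict:
    """Map each truncated prefix to the distinct full addresses seen under it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 2:
            continue
        try:
            seen[truncate_ipv4(parts[1])].add(parts[1])
        except ValueError:
            continue                           # skip malformed address fields
    return dict(seen)

def weak_prefixes(log_text: str, k: int = 2) -> list:
    """Prefixes whose observed anonymity set is smaller than k."""
    return sorted(p for p, ips in anonymity_sets(log_text).items() if len(ips) < k)

if __name__ == "__main__":
    for prefix, ips in sorted(anonymity_sets(SAMPLE_LOG).items()):
        print(f"{prefix}/24: {len(ips)} distinct source(s) before truncation")
    print("below k=2:", weak_prefixes(SAMPLE_LOG))
```

In the sample, every retained row under `198.51.100.0` came from a single source, so the nominal set of 254 possible addresses overstates how well that prefix hides the user once the queries are kept alongside it.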

Furthermore, Google has not finalized the methods it is going to use to anonymize IP addresses. In its recent announcement, Google stated that it had not “sorted out all of the implementation details, and [it] may not be able to use precisely the same methods for anonymizing as [it] d[id] after 18 months . . . .” In other words, the anonymization used after 18 months and anonymization used after 9 months are different methods of anonymization. Considering that the Working Party is not satisfied with the first method under all circumstances, arguably, the Working Party may not be satisfied with the new method, either.

One reason for this continuous disagreement over Google’s privacy policy may be about how Google and the European regulators think about privacy. IP address logs are an invaluable source of competitive information for Google; therefore, it would like to retain them unless they are shown to be personal data. In other words, presume the data to be non-personal unless proven otherwise. To support this view, Peter Fleischer, Google’s Global Privacy Counsel, argued in NY Times Bits and in his own blog that he did not think that IP addresses were private data under all circumstances. Both Mr. Fleischer and a Google engineer stressed that IP addresses did not always return to a unique individual but could be shared among many users.

The Working Party disagreed. The Working Party opinion stated that “increasing number of ISPs distribute fixed IP addresses to individual users.” Then, the Working Party turned the presumption on its head by stating that “unless the [Search Engine] is in a position to distinguish with absolute certainty that the data correspond to users that cannot be identified, it will have to treat all IP information as personal data, to be on the safe side.” In sum, Google would like a sliding scale approach to IP address privacy while the Working Party sees all IP addresses as personal data. This stark difference in approach to privacy is likely to result in more revisions for Google’s IP address logs.

Certainly, Google appears to be taking a serious approach to privacy by creating a Google Privacy Channel on YouTube and drafting a reader-friendly Terms of Use. Despite all its efforts, Google’s actions are likely to stay in the spotlight for some time to come. One cannot expect Google to give up so easily on IP address logs that allow Google to provide better services and get the upper hand on its competitors.
