Case stems from infamous incident when Facebook user data was deployed in the run up to the 2016 presidential election
By Kris Olson
BridgeTower Media Newswires
BOSTON — The Supreme Judicial Court next month will be asked to determine whether a Superior Court judge’s ruling that the Attorney General’s Office should have access to the fruits of an internal investigation overseen by Facebook lawyers threatens lasting damage to the benefits of the work product doctrine and attorney-client privilege in Massachusetts.
The case, Attorney General v. Facebook, is scheduled to be argued on Dec. 4 and stems from an infamous incident in which Facebook user data was misappropriated and deployed in the run up to the 2016 presidential election.
In addition to its popular social networking service, Facebook in 2007 launched the Facebook Platform, which allows third-party app developers to integrate certain Facebook technologies into their own apps.
In its initial form, the Platform allowed app developers to access and obtain data not only from the Facebook accounts of users who installed an app, but also data from the accounts of the user’s “friends.”
As would become apparent, the Platform exposed vast troves of data to those inclined to mischief, including Cambridge University researcher Aleksandr Kogan, who in November 2013 created a personality quiz app on the Platform called “thisisyourdigitallife.”
In December 2015, The Guardian reported that the data Kogan’s app had accumulated found its way to Cambridge Analytica, a British political consulting firm, which used the data to create “psychographic profiles” of American voters.
Kogan, Cambridge Analytica and others promised that they would delete the user data, but stories broke in March 2018 indicating that that did not happen.
Facebook predicted — correctly — that it would soon be besieged by lawsuits and investigations related to the Cambridge Analytica scandal. In addition to 66 cases at last count, Facebook also received inquiries from numerous domestic and international regulators.
As a result, Facebook retained the services of Gibson, Dunn & Crutcher, a law firm with extensive experience in conducting cybersecurity and data privacy internal investigations. The firm designed and embarked on an “App Developer Investigation” to get a sense of where the data to which more than 9 million apps and websites had gained access through the Facebook Platform may have gone.
Now, Attorney General Maura T. Healey wants to know what Facebook learned through that investigation. In a civil investigative demand issued under G.L.c. 93A, §6, Healey asked for the identity of, and additional information about, apps and developers that may have misused consumer data, and Facebook’s internal communications about those apps and developers.
Facebook balked, but in a Jan. 16, 2020, decision, Superior Court Judge Brian A. Davis gave Facebook 90 days to respond to the AG’s requests or, in the alternative, produce a detailed privilege log, identifying the documents to which attorney-client privilege might apply.
Facebook appealed, and the SJC accepted direct review.
—————
‘Business as usual’?
Part of the SJC’s assessment of whether the results of the App Developer Investigation should be shielded by the work product doctrine or attorney-client privilege depends on whether Facebook embarked on the internal investigation “because of” the prospect of litigation.
The attorney general asserts that Davis got it right when he concluded that the ADI “is fairly described as ‘business as usual’” for Facebook, given that Facebook began to police app developers no later than 2012.
The ADI was merely an expansion of those efforts in response to the public outcry from the Cambridge Analytica revelations, Davis found.
Just because Facebook introduced attorneys into its program to investigate app developers in 2018 “does not categorically confer work product protection on ADI materials,” the AG argues.
But Facebook contends that the exception to the work product doctrine that applies to materials that would have been prepared “irrespective of the prospect of litigation” is a narrow one.
Moreover, it asserts that Davis failed to heed an admonition in the 2nd U.S. Circuit Court of Appeals decision in Schaeffler v. United States: that courts should not construct hypothetical scenarios that “ignore reality.”
That is essentially what Davis did when he hypothesized that Facebook would have generated the documents at issue even without the threat of litigation, the company claims.
Facebook also argues that whether the prospect of litigation was its primary motive is “irrelevant” to the determination of whether the work product doctrine applies, noting that such a standard was expressly rejected in the SJC’s decision in Commissioner of Revenue v. Comcast Corporation, et al.
There is no dispute that Facebook was facing a very real threat of litigation when the ADI was launched, the company notes.
“That the Investigation also might incidentally promote good business practices, such as assuring users that Facebook takes their privacy seriously, does not change the analysis,” Facebook argues.
—————
‘Piggybacking’ attempt
Healey claims that, at most, the contested material is “fact” work product that may be disclosed, stressing that it is not looking for the mental impressions, conclusions, opinions or legal theories of Facebook’s counsel.
But Facebook counters that such information would unavoidably be conveyed if it complied with the AG’s request.
Facebook’s attorneys gave considerable thought to identifying the types of app features or activities that might indicate potential violations of the company’s policies, as well as to where Facebook’s data and privacy vulnerabilities might potentially lie.
“In other words, but for the involvement, analysis, and advice of counsel, the lists and other information the Attorney General seeks would not exist,” Facebook argues, calling the material “quintessential ‘opinion’ work product.”
Facebook says Healey could have developed her own criteria to investigate potential misuse of Massachusetts residents’ Facebook user data but instead is seeking to “piggyback,” impermissibly, on the work of Facebook’s counsel.
The practical effects of finding waiver of otherwise privileged communications solely because they “pertain to the results” of a publicly disclosed investigation are staggering, it further argues.
“That is, if announcing or generally describing an internal investigation were all it takes to defeat privilege over attorney-client confidences, every company operating in Massachusetts would be incentivized not to investigate potential wrongdoing, or to withhold information from the public if it chose to do so,” Facebook writes.
But the AG’s Office said that it is mostly looking to get factual information developed in the ADI, such as the identity of apps that Facebook was investigating, the apps’ developer, and the number of users affected by those apps.
“As the Superior Court observed, Facebook cannot conceal these facts ‘simply by sharing them with its attorneys,’” the AG’s brief reads.
“Facebook cannot both herald the efforts it is taking to protect consumers and hide behind the work product protection or attorney-client privilege when others seek to probe those efforts further,” Healey writes.
Through a spokesperson, Healey declined to comment on the case. Facebook’s lead counsel, Felicia H. Ellsworth of WilmerHale in Boston, did not respond to a request for comment.
—————
Difficult bind
To flesh out the bind the SJC would put chief legal officers in if it ratified Davis’ decision, the Association of Corporate Counsel in its amicus brief lays out hypotheticals premised on hotlines many hospitals use to allow employees to report anonymously possible violations of the law by their colleagues or bosses.
“If this Court adopts the Attorney General’s position in this case and affirms the Superior Court’s decision, many hospital CLOs — even if they anticipate litigation — will be hesitant to conduct thorough, ‘business as usual,’ investigations, and many hospital employees may be reluctant to cooperate in those investigations,” the association argues.
Such a result “would be contrary to the public interest, safety, and fisc,” it adds.
One prominent problem of the Superior Court judge’s analysis with troubling implications for corporations is the idea that a company that has an ongoing compliance program somehow has less of an expectation of confidentiality in its work product and attorney-client communications than one that lacks such an ongoing program, said Kevin P. Martin, co-author of a brief in support of Facebook that was submitted on behalf of the U.S. Chamber of Commerce and New England Legal Foundation.
Also problematic is the suggestion that a company might waive its rights under the work product doctrine or with respect to attorney-client privilege merely by providing public updates, Martin said.
He noted that many companies provide such updates in various forms, through filings with the Securities and Exchange Commission or notices to shareholders or other stakeholders.
Martin said the AG and the amici supporting her seem to be missing a fundamental point about the other side’s case. No one is arguing that the AG should be unable to conduct fact discovery from Facebook. Instead, it is a question of how that fact discovery should be conducted, he said.
“Nothing would stop the attorney general from formulating her own requests for information based upon criteria she independently develops,” he said.
Martin noted that the case is coming before the SJC at a time when AGs around the country have grown more aggressive in pursuing high-profile investigations with national ramifications.
Given that, it is all the more essential that companies have one uniform, national standard to rely on when it comes to the bounds of work product doctrine and attorney-client privilege, Martin said.
“The Superior Court’s reason, if affirmed by the SJC, would make Massachusetts an outlier and put corporations in a bind over whether and how to structure counsel-driven investigations,” he said.
—————
Few other options
But public policy considerations cut in the other direction as well.
Joseph Jerome noted that the brief he authored on behalf of the San Francisco-based organization Common Sense Media is part of a larger campaign in support of efforts by AGs around the country to hold big tech companies accountable for their missteps.
With regard to the Cambridge Analytica scandal, he said, “we still don’t have a full picture of what happened and how Facebook has fixed things.”
Common Sense sees the ADI as a typical example of tech companies generating positive headlines by committing to protect privacy and do better, but then going silent.
“Using lawyers to shield from public view something Facebook claims it’s doing to protect users is a problem, and we hope the Supreme Judicial Court won’t stand in the way of the Massachusetts AG shining a light on how Facebook shared its users’ data,” he said.
Megan Iorio of the Washington, D.C.-based Electronic Privacy Information Center, which also submitted an amicus brief, added that investigations like Healey’s are particularly important in light of the settlement Facebook reached last year with the Federal Trade Commission, which EPIC believes did not go far enough to change the company’s behavior.
