Attorney Gen. v. Facebook, Inc.

Decision Date: 24 March 2021
Docket Number: SJC-12946
Parties: ATTORNEY GENERAL v. FACEBOOK, INC.
Court: United States State Supreme Judicial Court of Massachusetts Supreme Court

Felicia H. Ellsworth, Boston, for the respondent.

Sara E. Cable, Assistant Attorney General, for the petitioner.

The following submitted briefs for amici curiae:

Thomas O. Bean & Anuj Khetarpal, Boston, for Association of Corporate Counsel.

Ariel Fox Johnson, of the District of Columbia, & Joseph Jerome, for Common Sense Media.

Steven P. Lehotsky, Kevin P. Martin, Boston, William E. Evans, Boston, Ben Robbins, & Martin J. Newhouse, Boston, for Chamber of Commerce of the United States of America & another.

David A. Vicinanzo, Boston, of New Hampshire, Mark Tyler Knights, Hannah R. Bornstein, Boston, & Marissa Elkins, Amherst, for National Association of Criminal Defense Lawyers.

Alan Butler & Megan Iorio, of the District of Columbia, & Caitriona Fitzgerald for Electronic Privacy Information Center.

James M. Campbell, Boston, for Lawyers for Civil Justice.

Present: Budd, C.J., Gaziano, Lowy, Cypher, & Kafker, JJ.

KAFKER, J.

In this case we address the applicability of the attorney-client privilege and the work product doctrine to an internal investigation conducted by the respondent, Facebook, Inc. (Facebook). After public reporting revealed potential widespread misuse of Facebook user data by third-party applications (apps), Facebook hired a law firm, Gibson, Dunn & Crutcher LLP (Gibson Dunn), to conduct a far-reaching investigation to identify the extent to which apps had misused user data and advise Facebook on potential resulting legal liabilities. This investigation is known as the app developer investigation (ADI). Around the same time, the Attorney General opened an investigation into Facebook under G. L. c. 93A, focusing on whether Facebook misrepresented the extent to which it protected or misused user data.

As part of that investigation, the Attorney General served Facebook with several civil investigative demands (demands). At issue are six requests contained within these demands that sought the identities of the apps and developers that Facebook reviewed at various stages of the ADI, other information associated with the review of the identified apps, and internal communications about those apps. Facebook asserted that both the attorney-client privilege and the work product doctrine protected this information. The Attorney General filed a petition in the Superior Court seeking an order compelling Facebook to comply with the disputed requests. A judge concluded that most of the information is neither privileged nor work product, as it was not prepared in anticipation of litigation, and that even if it was prepared in anticipation of litigation, it is all factual information.

We conclude that the Attorney General's targeted requests allow Facebook to tailor its responses to the first five of the six requests to avoid disclosure of communications protected by the attorney-client privilege. We also conclude, however, that the documents sought by the first five requests were prepared in anticipation of litigation and therefore are covered by the work product doctrine. We further conclude that a remand is required to separate "opinion" work product from "fact" work product for at least some of these documents. To the extent the work product is fact work product, we conclude that the Attorney General has satisfied the heavy burden of demonstrating a substantial need for the information. Finally, as for the sixth request, seeking internal communications about the apps, we have determined that this request encompasses both privileged and nonprivileged communications, and therefore requires preparation of a privilege log and further review as determined by the judge.1

1. Background. a. Facebook Platform. Facebook provides social networking services through its website and mobile app. It has over 1 billion daily users and over 2 billion active accounts. Users generate a variety of data through their use of Facebook. In 2007, Facebook launched the first version of the Facebook Platform. The Platform connects Facebook users with third-party app developers and enables users to share Facebook data with the apps and developers. The Platform allows these third parties to integrate their apps with the data generated by users and collected by Facebook. For our purposes, the practical effect of the Platform is that third-party developers are given access to Facebook user data. The Attorney General alleges that over 9 million apps and websites had integrated with the Platform as of March 31, 2012.

Use of the Platform by apps and developers is governed by various policies, including Facebook's Platform policy, terms of service, and data use policy. As relevant here, these policies prohibited third-party developers from selling or licensing the data they obtained from Facebook users. The policies also prohibited developers from sharing user data with "any ad network, data broker or other advertising or monetization-related service." A developer had to register to use the Platform and affirmatively agree to comply with the various policies governing use of the Platform; however, as of late 2013, apps generally could be launched on the Platform without any review or approval by Facebook.

Facebook has an internal enforcement program that monitors and responds to developer misuse of the Platform. This is known as its developer operations team.2 This enforcement team monitors daily app and developer behavior with the goal of "identifying abnormalities that might signal potential policy violations." The activities of this enforcement program generally are not led by attorneys, however. In addition to monitoring compliance, this team enforces Facebook's policies according to its own rubrics and protocols. By way of illustration, Facebook estimates that it took enforcement action against about 370,000 apps in 2017 as a result of these routine enforcement efforts.

In April 2014, Facebook revised its Platform and the accompanying policies to improve protections for user data.3 These changes "enhance[d] users’ ability to control app developers’ access to their information." Specifically, they restricted the categories of information apps could access and gave users more tools to limit the type of information apps could access. Facebook also added a screening mechanism that required apps and developers to obtain Facebook's approval before getting access to many advanced categories of user data. After this screening mechanism was put in place, Facebook rejected the requests of roughly fifty percent of apps that sought access to the additional user data.

b. Cambridge Analytica incident. In March 2018, several news outlets reported on an incident involving Facebook, an individual named Aleksandr Kogan, and a company named Cambridge Analytica. Briefly, Kogan used an app on the prior version of the Platform to access and collect the data of as many as 87 million Facebook users worldwide, roughly 70 million of whom were located in the United States. Kogan sold this data to Cambridge Analytica, a political data analytics and advertising firm, and other related entities. Cambridge Analytica used this data to create "psychographic profiles" on the Facebook users. Cambridge Analytica then used these profiles to target Facebook users with political advertising. According to Facebook, this conduct violated the Platform policies described above in multiple ways.4

The 2018 reporting of this incident sparked a wave of litigation against and investigations into Facebook. By the end of 2018, Facebook faced at least five securities class actions, eight derivative actions, three books and records actions, and thirty-nine consumer-based suits, most of which also were class actions.5 This number swelled to at least sixty-five litigations before the end of 2019. Facebook is also being investigated by a number of State, Federal, and foreign regulators.

c. ADI.6 Facebook launched the ADI investigation soon after the reporting on Cambridge Analytica in March 2018. According to Facebook, the purpose of the ADI is to "gather the facts necessary for providing legal advice to Facebook about litigation, compliance, regulatory inquiries, and other legal risks facing the company resulting from potential data misuse and activities by third-party app developers operating on the prior version of the Platform." The goal of the ADI, therefore, is to identify any other apps that misused user data on the prior version of the Platform and assess Facebook's potential legal liability as a result of any uncovered misuse. Facebook states that the ADI has been "designed, managed, and overseen" by Gibson Dunn and Facebook's in-house counsel, and these attorneys "devised and tailored the ADI's methods, protocols, and strategies to address the specific risks posed by these legal challenges." Gibson Dunn recruited and retained the outside technical experts and investigators involved in the ADI.

Counsel also developed the framework for the ADI. In broad terms, the ADI consists of three separate phases. The first phase focuses on detection and identification. The goal of this phase is either to elevate an app or developer for closer investigation or to exclude apps that pose less risk. Using four different methods, Facebook has reviewed millions of apps and determined which ones should be investigated further.7 If an app is identified by one of the methods used during the first phase, then the app warrants further review by the ADI team. The second phase focuses on enhanced examination. This phase involves "background" or "technical" investigations of the apps escalated in the first phase. The third phase involves engagement with, and potentially enforcement against, apps or developers that violated Facebook's policies.

The ADI involves various types of personnel. Facebook's in-house legal team and Gibson Dunn hired multiple...

1 cases
  • In re Facebook, Inc. Consumer Privacy User Profile Litig.
    • United States
    • U.S. District Court — Northern District of California
    • February 9, 2023
    ...analysis) that certain ADI documents were covered by work-product or attorney-client privilege. See Attorney General v. Facebook, Inc., 487 Mass. 109, 130-31 (2021). But Facebook and Gibson Dunn's conduct surrounding that assertion of privilege- particularly their conduct in the wake of Jud......
