On 22 January 2013 I published a post on the guidelines that Lawyers should at least consider when using cloud services. In that post I reviewed as an example, Microsoft Service Agreement. I reproduced Microsoft Clause 5 on Privacy, which for convenience I again set out below
5. Privacy
5.1. Does Microsoft collect my personal information? Your privacy is important to us. We use certain information that we collect from you to operate and provide the services. Additionally, as part of the services, we may also automatically upload information about your machine, your use of the services, and services performance. We may use technologies, such as placing cookies on your machine, to help us gather such information. Please read the Microsoft Online Privacy Statement (http://go.microsoft.com/fwlink/p/?LinkId=253457) to learn how we use and protect your information.
5.2. Does Microsoft disclose my personal information outside of Microsoft?
You consent and agree that Microsoft may access, disclose, or preserve information associated with your use of the services, including (without limitation) your personal information and content, or information that Microsoft acquires about you through your use of the services (such as Internet Protocol address or other third-party information) when Microsoft forms a good faith belief that doing so is necessary (a) to comply with applicable law or to respond to legal process from competent authorities; (b) to enforce this agreement or protect the rights or property of Microsoft or our customers; or (c) to help prevent a loss of life or serious physical injury to anyone.
5.3. How does Microsoft respond to legal process? Similar to other providers of Internet services, Microsoft is served with legal demands and requests from law enforcement, government entities, and private litigants for content stored on our network. This information may relate to an alleged crime or civil matter and is usually requested pursuant to the normal legal process of the country or locality where the activity occurred. Microsoft may be obligated to comply with requests for your information or your content as part of such investigations or legal proceedings.
Last Monday week (5 March 2013), my son, Tim referred me to Google’s Terms of Service and the fifth clause. He then posed this question “is it fair to say that they could take photos randomly from Google drive and put them as the background for Google (users photos which happen to be stored on Google drive)?. The clause that Tim was referring to reads:
Your Content in our Services
Some of our Services allow you to submit content. You retain ownership of any intellectual property rights that you hold in that content. In short, what belongs to you stays yours.
When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content. The rights you grant in this license are for the limited purpose of operating, promoting, and improving our Services, and to develop new ones. This license continues even if you stop using our Services (for example, for a business listing you have added to Google Maps). Some Services may offer you ways to access and remove content that has been provided to that Service. Also, in some of our Services, there are terms or settings that narrow the scope of our use of the content submitted in those Services. Make sure you have the necessary rights to grant us this license for any content that you submit to our Services.
You can find more information about how Google uses and stores content in the privacy policy or additional terms for particular
Those terms of their face do not comfort me as to the confidentiality of any information I may store in Google Drive, contained in a Gmail email or in any other Google Apps document. I then looked at Google’s Privacy Policy.On review of that policy I did not get the assurance I was wanting… Google went to great lengths to explain they will preserve the privacy of the information which they collect (“Information We Collect“). Information We Collect however seemed restricted to a user’s meta data, log on information, location information, device information etc. and not information stored in their services. Coincidentally, the following day I received an email news letter from Blawgworld that included a link to a post by William Peacock titled “Does Google Privacy Policy Compromise Attorney-Client Privilege? In that post, William refers to the same Google provisions and raises a similar question as my son even though he was referring to information in Gmail emails as opposed to photographs stored in Google Drive. William correctly raises the question,
Does a client’s use of Gmail constitute a waiver, since the terms of service allow Google to access and use that information? Doesn’t voluntary disclosure to a third party destroy the privilege? While Google only scans emails via robot, and not via human, the consent and disclosure of the information is what seems to matter – not what the third party does with it.
The answer to that question can be found:
6. Confidential Information.
6.1 Obligations.
Each party will: (a) protect the other party’s Confidential Information with the same standard of care it uses to protect its own Confidential Information; and (b) not disclose the Confidential Information, except to Affiliates, employees and agents who need to know it and who have agreed in writing to keep it confidential. Each party (and any Affiliates’ employees and agents to whom it has disclosed Confidential Information) may use Confidential Information only to exercise rights and fulfill its obligations under this Agreement, while using reasonable care to protect it. Each party is responsible for any actions of its Affiliates’ employees and agents in violation of this Section.
6.2 Exceptions.
Confidential Information does not include information that: (a) the recipient of the Confidential Information already knew; (b) becomes public through no fault of the recipient; (c) was independently developed by the recipient; or (d) was rightfully given to the recipient by another party.
6.3 Required Disclosure.
Each party may disclose the other party’s Confidential Information when required by law but only after it, if legally permissible: (a) uses commercially reasonable efforts to notify the other party; and (b) gives the other party the chance to challenge the disclosure.
-
Confidential Information.
5.1 Obligations. Each party will: (a) protect the other party’s Confidential Information with the same standard of care it uses to protect its own Confidential Information; and (b) not disclose the Confidential Information, except to Affiliates, employees and agents who need to know it and who have agreed in writing to keep it confidential. Each party (and any Affiliates, employees and agents to whom it has disclosed Confidential Information) may use Confidential Information only to exercise rights and fulfill its obligations under this Agreement, while using reasonable care to protect it. Each party is responsible for any actions of its Affiliates, employees and agents in violation of this Section.
5.2 Exceptions. Confidential Information does not include information that: (a) the recipient of the Confidential Information already knew; (b) becomes public through no fault of the recipient; (c) was independently developed by the recipient; or (d) was rightfully given to the recipient by another party.
5.3 Required Disclosure. Each party may disclose the other party’s Confidential Information when required by law but only after it, if legally permissible: (a) uses commercially reasonable efforts to notify the other party; and (b) gives the other party the chance to challenge the disclosure.
5.4 FERPA The parties acknowledge that (a) Customer Data may include personally identifiable information from education records that are subject to FERPA (“FERPA Records”); and (b) to the extent that Customer Data includes FERPA Records, Google will be considered a “School Official” (as that term is used in FERPA and its implementing regulations) and will comply with FERPA.
and
- Possibly for all other customer by clause 6 of the Google Apps (Free) Agreement (although the links to this agreement only appear on the page Google Apps for Government). That clause appears to be identical to Clause 6 of the Business Agreement.
All Agreements defines “Confidential Information” as meaning “information disclosed by a party to the other party under this Agreement that is marked as confidential or would normally be considered confidential under the circumstances. Customer Data is Customer’s Confidential Information“. Whilst it may be very difficult to find, Google’s “fine print” does contain provisions at least addressing, and trying to preserve the confidentiality of customer data stored in Google’s Apps. Those provisions should have effect not withstanding the contradictory provisions in the more general Terms of Service.
To answer Tim’s question: Google could not use a person’s photograph stored on Googles Drive.
To answer William’s question: Willam’s question goes further than just asking, whether privilege is lost by disclosing to a third party in circumstances whether that third party did not agree to keep the information confidential. The answer to that question is a simple, NO; privilege is not lost because the third party is agreeing to remain the confidentiality of that information. The second part of William’s question is whether privilege is lost because Google has scanned the email to identify the subject matter for purposes of matching advertisement (what Microsoft calls “Sgroogled“). The answer to that question is also NO because:
- To waive privilege, there has to be intentional disclose of confidential information by the client. Privilege is not lost because confidential information has been inadvertently disclosed.
- Google to transmit the information would be considered to be the agent of either the client or the lawyer, and had no authority to disclose that information ; and
- No confidential information would be disclosed by the scroogling. Any resultant information that is disclosed, in any case would only be displayed to the email recipient in the form of advertising.
JDC published 16 March 2013.
Amended 17 March 2013 and 21 March 2013