Judge Blocks Plaintiffs’ Broad Discovery Requests in Google Privacy Suit

A federal magistrate judge in San Francisco limited the scope of document requests in a privacy lawsuit against Google, ruling that plaintiffs’ demands for broad system documentation were not proportional to the needs of the case.

SAN FRANCISCO (LN) — U.S. Magistrate Judge Susan Van Keulen on Thursday denied several of plaintiffs’ requests to compel Google to produce documents describing its internal systems and data storage methods, finding the demands exceeded the bounds of proportional discovery under Federal Rule of Civil Procedure 26(b)(1).

The dispute centered on Plaintiffs’ “Identifiability” Requests for Production, which sought documents describing systems where Google links, maps, or associates identifiers to each other, including encryption keys and design documents for systems like “The Unified Identity Service” and “Sawmill logs.”

Google argued the requests were overly broad and not proportional to the needs of the case, noting that the lawsuit seeks to impose liability only for the collection of communications containing individually identifiable health information as defined by HIPAA.

Judge Van Keulen agreed, denying RFP 20, which sought documents sufficient to identify and describe all systems, databases, logs, or other sources where Google links identifiers.

“The request is not proportional to the needs of the case,” Van Keulen wrote in her order. “While it is possible that geo-location data alongside other identifiers may demonstrate an ability to tie data back to an identifiable person, that argument applies to any Google product and is therefore boundless.”

The judge also denied RFP 46, which sought documents showing the methods by which Google collects or generates browser, device, or network fingerprints, including TLS, JA3, and Google ReCAPTCHA.

“Plaintiffs’ reference to a single field referencing ‘an apparent JA3 fingerprint’ is not sufficient to support a sweeping document request into this tool,” Van Keulen wrote.

However, the judge granted in part Google’s motion to seal certain internal system names reproduced in the plaintiffs’ requests, finding good cause to maintain such information under seal.

The order also addressed RFPs 28, 47, and 48, which sought data associated with specific identifiers like Gaia, Zwieback, and Biscotti. The judge ruled that Google must produce data associated with identifiers plaintiffs have already provided in response to prior requests, but no further production is required.

“Plaintiffs acknowledge that this Court has previously found satisfactory support for the fact that ‘Google does not maintain long-term linkages between authenticated, GAIA-tied user data and pseudonymous identifiers course of business,'” Van Keulen wrote.

The case, Doe I et al v. Google LLC, is pending before the U.S. District Court for the Northern District of California.

Case

The case is Doe I et al v. Google LLC, case number 3:23-cv-02431, in the Northern District of California.

Court

cand

Case Name

Doe I et al v. Google LLC

Docket

3:23-cv-02431

View on PACER ↗