*1 In early 2018, the public learned that “Cambridge Analytica, a British political consulting firm, used personal information from millions of Facebook accounts to send targeted political messages during the 2016 presidential election.” In re Facebook, Inc. Consumer Privacy User Profile Litigation, 402 F.Supp.3d 767, 777 (N.D. Cal. Sep. 9, 2019). “In the months that followed, reports emerged suggesting that the ability of ... entities like Cambridge Analytica to obtain sensitive Facebook user information was the norm rather than the exception.” Id. Following the disclosure, Facebook initiated an app developer investigation (ADI) that involved a review of all “apps that had access to large amounts of data before [Facebook] changed [its] platform policies in 2014.” See https://about.fb.com/news/2019/09/an-update-on-our-app-developer-investigation/. As the ADI, or, more precisely, the information the ADI uncovered, is directly relevant to Plaintiffs’ claims in this MDL action, Plaintiffs seek information learned from and generated by the ADI. While Facebook has agreed to produce some data, it resists disclosure of reports, audits and interviews created or conducted by non-attorneys on the grounds that such documents are protected by attorney-work product or the attorney-client privilege. After several rounds of briefing and attempts among the parties to resolve, or at least narrow, the dispute, the issue is now ripe for decision.

Facebook's ADI consisted of three phases: (1) Detection and Identification of offending apps, (2) Enhanced Examination, and (3) Enforcement. In the Enhanced Examination Phase, the ADI forensic team conducted intensive background and technical investigations of the identified apps that, among other things, might identify the potential for data misuse. (Dkt. No. 699-5 ¶ 17.) In the Enforcement phase, to assist Facebook with deciding whether to take action against an app, additional investigation might be conducted including interviews or audits of data security or storage infrastructure. (Id. ¶ 19.). Plaintiffs seek material from the second and third phases that does not involve communications with lawyers or content created by lawyers. While Facebook has agreed to produce some information (Dkt. No. 699-1 at 4), it refuses on privilege grounds to produce the reports, audits and interviews, and non-attorney communications related to the same.

The parties agree that federal law governs this dispute. (Dkt. Nos. 611-2 at 16, 612-2 at 12, 699 at 4, 727 at 5 n.1) (applying federal law).) “The work product doctrine protects from discovery documents and tangible things prepared by a party or his representative in anticipation of litigation.” United States v. Richey, 632 F.3d 559, 567 (9th Cir. 2011). “To qualify for work-product protection, documents must: (1) be ‘prepared in anticipation of litigation or for trial’ and (2) be prepared ‘by or for another party or by or for that other party's representative.’ ” In re Grand Jury Subpoena (Mark Torf/Torf Envtl. Mgmt, 357 F.3d 900, 907 (9th Cir. 2004). A finding that a document was prepared in anticipation of litigation, however, does not always end the inquiry.

Richey, 632 F.3d at 567-68 (emphasis added). The party resisting production of material based on the work product privilege bears the burden of proving that the privilege applies. See Hernandez v. Tanninen, 604 F.3d 1095, 1102 (9th Cir. 2010).

Facebook has met its burden of proving that the documents were prepared in anticipation of litigation. Shortly before Facebook initiated the ADI, a nationwide consumer class action was filed against Facebook in this Court. (Dkt. No. 1). Within weeks, more than 40 actions were filed which were consolidated into this Multi-District Litigation. Facebook offers evidence that the ADI was launched in part to address potential regulatory and litigation risks posed by apps that had been on the Facebook platform since before Facebook changed in policies in 2014. (Dkt. No. 699-5, Dkt. No. 720.)

Facebook's own public pronouncements about the ADI, however, demonstrate that the documents were not created exclusively in anticipation of litigation and that, in fact, Facebook would have conducted the ADI in substantially similar form even in the absence of potential litigation. See Richey, 632 F.3d at 568.

On March 21, 2018, Mark Zuckerberg, Facebook's CEO, publicly posted:

Mr. Zuckerberg concluded:

https://www.facebook.com/zuck/posts/1010471203790007. This statement specifically identifies the purpose of the ADI as serving Facebook's business goal of protecting Facebook's customers’ data by figuring out what happened, how it happened, and removing apps that misused customers’ data so that Facebook could “secure our platform further and make our community safer for everyone going forward.” Id.

*3 Two months later, Facebook updated the public on the “app investigation and audit” Mr. Zuckerberg promised on March 21, 2018.

https://fb.com/new/2018/05/update-on-app-audit/. This statement again demonstrates that a “core purpose” of the ADI was a business rather than legal purpose: to assure its customers that it was conducting a thorough investigation to remove bad apps and advise customers if their data may have been misused. And the ADI was being conducted “as quickly as possible,”—not because of fast-tracked litigation, as the pace of this MDL surely demonstrates—but because of the need to weed out the bad apps to protect Facebook's consumers, its good will, and its business.

Facebook provided a further update on “our ongoing App Developer Investigation” on September 20, 2019. Facebook explained that its investigation

Facebook explained further

https://about.fb.com/news/2019/an-update-on-our-app-developer-investigation/. Facebook told the public about its investigation, including the background and technical analysis it now claims is privileged work product, to assure the public that Facebook was cleaning up its platform and thus generate trust in its site—a classic business purpose. The ADI team members Facebook identified were enlisted to help Facebook “better understand patterns of abuse in order to root out bad actors.”

*4 In light of Facebook's own statements, the Court finds that Facebook would have conducted the ADI in substantially the same form even in the absence of potential litigation; that is, that Facebook did not initiate the ADI because of the prospect of litigation. See Phoenix Techs. Ltd. v. VMware, Inc., 195 F. Supp. 3d 1096, 1105 (N.D. Cal. 2016) (holding that dual purpose documents were not protected work product because they served a business purpose independent of litigation). Facebook's assertion that the ADI served only a litigation purpose (Dkt. No. 727 at 3) is patently implausible in light of Facebook's public pronouncements. It is inconceivable that Facebook would not have initiated a speedy, large-scale-subject matter specialist investigation into app data misuse in the absence of potential litigation. Such assertion could only be true if the Court found that Facebook was lying to the public when it stated that the purpose of the ADI was to root out bad apps and secure Facebook's platform so that consumers could have faith in the company. Facebook, unsurprisingly, does not offer any evidence to support such a finding. Indeed, after asking the Court for the opportunity to submit additional evidence, it provided a declaration from outside counsel which does not even acknowledge these statements. There is no evidence from anyone at Facebook that addresses the repeated public proclamations as to the obvious business purpose of the ADI.

Facebook's suggestion that these materials may also be protected by the attorney-client privilege is unpersuasive given that Plaintiffs are not seeking documents created by counsel, counsel's edits, or any communications with counsel. Facebook has not explained how a non-attorney's interview or audit of a developer would be protected from discovery by the attorney-client privilege under federal law. At best such material would be attorney work product. For the reasons explained above, it is not under the totality of the circumstances here given Facebook's public exhortations of the business purpose behind its ADI.

Facebook moves to strike Plaintiffs’ response to Facebook's supplemental declaration. (Dkt. No. 727.) For the most part the response addresses the declaration and thus is unobjectionable. The new argument as to the attorney-client privilege “primary purpose” test is stricken and, in any event, is moot as the Court is not addressing the application of the attorney-client privilege. The documents discussed in this Order—background and technical reports, audits, and interviews prepared and conducted by non-attorneys—are work product, not attorney-client privilege material. The Court has nonetheless reviewed Facebook's motion to strike's substantive arguments, including the cases buried in footnote 1, and none persuade the Court otherwise.

In light of Facebook's unchallenged public proclamations as to the business purpose of the ADI, the Court finds that the ADI served a dual purpose and that, as a general matter, documents generated as part of that investigation were not created because of litigation. On or before September 21, 2021, Facebook shall produce the background and technical reports, audits and developer interviews of the six exemplar apps chosen by the parties as Facebook has offered no special reasons why those particular documents are privileged other than what has been addressed. The parties shall work with the Special Master regarding production of additional materials consistent with the guidance offered by this Order.

This Order disposes of Docket Nos. 611, 612, 699, 720, 727.

IT IS SO ORDERED.