In Lim v. Expel, Inc., No.: 3:24-cv-02284-W-AHG (S.D. Cal. Dec. 1, 2025), California Magistrate Judge Allison H. Goddard granted the plaintiff’s motion for protective order in part, preventing the review and disclosure of personal email data that was stored on the company laptop that she used while employed by Defendant Expel and ordering Expel and their forensic consultant (Control Risks) to delete all copies in their possession.

Case Discussion and Judge’s Ruling

This case involved claims alleging race discrimination, retaliation, and wrongful termination. During her employment, Plaintiff Lim had accessed her personal Gmail account on a company-issued laptop, a practice expressly permitted under Expel’s Employee Handbook, as follows:

“Company property refers to anything owned by Expel: physical, electronic, intellectual, or otherwise. Employees may use Company property only for business purposes. You may use Company property for incidental personal reasons only if this use doesn’t: interfere with others’ ability to work, place undue burden on Expel, or violate confidentiality…”

Following her termination, Expel retained the laptop rather than wiping it, citing Lim’s retaliation allegations. Years later, during litigation, Control Risks discovered that Lim’s Gmail data – covering more than fifteen years – had been downloaded and stored on the laptop’s hard drive. Although the consultant limited its review to metadata and did not review content, Expel sought the right to review the data in its entirety to determine relevance, leading to Lim’s protective order.

Judge Goddard framed the “central question” as “whether Expel’s proposed review of the personal email data would violate Lim’s constitutional right to privacy”. She examined whether Lim had established a prima facie invasion of privacy by showing: (1) a legally protected privacy interest, (2) an objectively reasonable expectation of privacy, and (3) a serious threatened intrusion. Judge Goddard had little difficulty concluding that the first element was satisfied. Lim’s personal email data included “financial records, medical information, and home security images—core categories of information recognized as protected by California’s constitutional and common law right to privacy”.

Turning to the expectation of privacy, Judge Goddard rejected Expel’s argument that Lim waived her privacy rights simply by accessing personal email on a company laptop. Judge Goddard noted that Expel’s policy “expressly allows use of company-issued equipment…for incidental personal purposes” and “does not state that Expel has the right to review personal data on the laptop”.

Although the policy stated that data stored on the laptop belonged to Expel, Judge Goddard found this language “at best ambiguous as to personal data,” and held that “that ambiguity must be construed against Expel” as the drafter of the policy. She also stated that doing so would lead to “the absurd result suggested by Expel here: that Expel is entitled to peruse more than 15 years of Lim’s highly personal and confidential information, including communications with her attorneys, without any restrictions”.

She also rejected the cases cited by Expel, noting that Expel’s policy “is the opposite of the policies at issue in those cases” because it affirmatively permitted personal use. As Judge Goddard explained: “Permitting employees to use company-owned devices does not diminish their expectation of privacy; it increases it”. Noting that Expel sought “unrestricted review” of emails spanning a period “nearly ten times the length of her employment with Expel” and beginning “more than a decade before her start date”, Judge Goddard stated that was “patently unreasonable and overbroad” and resembled an impermissible fishing expedition under Rule 26.

Judge Goddard also rejected Expel’s contention that an existing confidentiality designation would suffice, stating that “[l]abeling the personal email data ‘confidential’ does nothing to offset the harm to privacy caused by allowing an adverse third party to comb through more than a decade of personal information that is of remote relevance, at best”.

Judge Goddard catalogued the extensive discovery already conducted, including detailed interrogatories, document productions, depositions, and “more than 50 subpoenas on Lim’s past and prospective employers and her medical and health providers”. These efforts, Judge Goddard found, provided Expel “ample opportunity to obtain relevant discovery without unnecessarily subverting Lim’s privacy rights”.

As a result, Judge Goddard ordered that “neither Expel nor Control Risks may access or review the personal email data without Judge Goddard’s advance authorization upon a showing of good cause,” and that within thirty days after the termination of the action, “Expel and Control Risks must delete the personal email data…and certify in writing” that they have done so.

So, what do you think? Do you agree that Expel had no rights to review the personal email data on their company laptop? Please share any comments you might have or if you’d like to know more about a particular topic.

Case opinion link courtesy of Minerva26, an Affinity partner of eDiscovery Today.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.