Internet Law
California Federal Court Certifies Damages Class in Apple iCloud Suit
By Mwangala Simataa, Georgetown University Law Center
Judge Lucy Koh of the U.S. District Court of the Northern District of California recently granted plaintiffs’ motion to certify a damages class, but denied certification of an injunctive-relief class in a case against Apple for breach of contract. Williams v. Apple Inc., No. 5:19-cv-04700-LHK (N.D. Cal. May 28, 2021). Andrea Williams and James Stewart, the named plaintiffs, sought class certification on behalf of iCloud subscribers who used an iCloud subscription from September 16, 2015 through October 2018. They alleged that Apple breached its iCloud contract when it stored their data on third party servers run by companies like Microsoft and Amazon.
Judge Koh certified the damages class but limited the class period to include only those users who signed up for iCloud between September 16, 2015 and January 31, 2016, because the plaintiffs presented common proof of damages for that period. However, the court denied certification for the period February 1, 2016 to October 31, 2018, because Apple stored data of some class members on its own servers and could not identify which of its users’ data it had stored on third-party servers. Furthermore, the court ruled that Williams was an inadequate class representative because she was the sister-in-law of class counsel, which left Stewart as the sole class representative.
The court also denied injunctive relief class certification because the plaintiffs neither cited cases nor offered legal analysis to explain why that class should be certified.
Data Privacy
District Court Upholds Claims Google Secretly Tracked Users
By Hannah Gehringer, Georgetown University Law Center
The U.S. District Court for the Northern District of California recently sustained claims that Google continued to secretly track smartphone users’ online activity across third-party apps even after users turned off a setting that controls “Web & App Activity” tracking. Rodriguez v. Google LLC, No. 20-cv-04688-RS (N.D. Cal. May 21, 2021). The putative class-action plaintiffs alleged that they did not consent to Google tracking their data across third-party apps that used the company’s software development kit, Firebase. They alleged that, even though they had agreed to have their data tracked on these apps, they assumed that Google’s “Web & App Activity” setting superseded any app-specific tracking. Judge Richard Seeborg found this was a plausible assumption for the plaintiffs to make, considering Google did not define key terms in its “Web & App Activity” policy. The court criticized Google’s “legitimately confusing” policies and acknowledged that “[t]he average internet user is not a full-stack engineer; he or she should not be treated as one when Google explains which digital data goes into which digital buckets.”
The court did, however, dismiss the plaintiffs’ claims that Google violated the federal Wiretap Act, Section 632 of the California Invasion of Privacy Act, and California’s Unfair Competition Law, finding that Google obtained consent from the third-party app developers to track users’ data. The court also dismissed the claim that Google’s Firebase kit contains secret lines of code that track users’ data and are detectable only to Google, finding that this claim was an allegation of fraud that did not meet the heightened standard of pleading of Federal Rule of Civil Procedure Rule 9(b).
White House Urges Private Sector to Take Action Against Ransomware Threats
By Jessica Tyrrell, Drexel University Thomas R. Kline School of Law
On June 2, 2021, the White House released a memorandum urging corporate executives and business leaders to take steps to prevent ransomware attacks. The memorandum cited cybersecurity as one of President Biden’s “top priorit[ies]” and encouraged both the private and public sectors to adopt this same urgency.
The White House listed the following steps to decrease the risk of ransomware attacks:
1) Implement the five best practices from the President’s Executive Order, Improving the Nation’s Cybersecurity, which suggested multifactor authentication, endpoint detection and response, encryption, and “a skilled, empowered security team” to “significantly reduce the risk of a successful cyber-attack.”
2) Backup data, system images, and configurations, and regularly test them while keeping the backups offline.
3) Update and patch systems promptly by using a “risk-based assessment strategy to drive your patch management program.”
4) Test your incident response plan, and if you do not have one, build one.
5) Check your security team’s work by using third-party testers.
6) Segment your networks to avoid attacks that focus on disrupting operations, the most popular type of attack.
The memorandum noted that “[r]ansomware attacks have disrupted organizations around the world” and no corporation is safe from these attacks, regardless of location or size. While the United States has reinvigorated its commitment to cybersecurity through President Biden’s administration,“[t]he private sector has a distinct and key responsibility” to help prevent future ransomware threats, and the federal government “stands ready” to help the private sector fulfill this responsibility.
Eleventh Circuit Upholds Equifax Settlement over 2017 Data Privacy Breach
By Kevin Rudolph, Emory University School of Law
The U.S. Court of Appeals for the Eleventh Circuit recently upheld a settlement agreement approved by the U.S. District Court for the Northern District of Georgia between Equifax and consumers affected by the 2017 data privacy breach. Shiyang Huang v. Spector et al., No. 20-10249 (11th Cir. 2021).
The settlement came to the Appeals Court by way of protest from 388, out of the roughly 147 million, class-members, who believed that the class should receive more compensation. In rejecting that argument, the Appeals Court cited the vast support this settlement received, which included the majority of class-members, Equifax, and nearly all state attorneys general.
As part of the settlement, Equifax will pay $380.5 million to benefit class members, pay attorneys’ fees, and cover administrative costs from the lawsuit. Additionally, Equifax will provide compensation for the time consumers spent responding to and preventing associated issues stemming from the data breach (up to 20 hours). Last, Equifax will provide class members six years of credit monitoring and identity services, and seven years of identity restoration services. The settlement reflects an 18-month mediation, entered into after the federal trial court ruled on the parties’ preliminary motions, and has been embraced by the vast majority of those involved.
New Canadian Ethical Guidance for Judges Fosters Approval for the Use of Technology, Recommends Caution re Social Media
By Lisa R. Lifshitz, Torkin Manes LLP
On June 9, 2021, the Canadian Judicial Council (CJC) published its updated Ethical Principles for Judges (“Principles”), a set of ethical guidelines for federally appointed Canadian judges, that covers issues of independence, integrity and respect, diligence and competence, equality and impartiality.
Intended to assist judges with the ethical and professional questions they may confront on the bench and building on its original 1998 publication, these revised Principles explore new and emerging issues relevant to the modern judiciary: case management and settlement conferences, social media, interacting with self-represented litigants, professional development and the post-judicial role.
Significantly, Comment 3.C.5 (under Professional Development), expressly calls for judges to “develop and maintain proficiency with technology relevant to the nature and performance of their judicial duties,” in connection with their obligations to perform their duties with “diligence and competence”.
The Principles recognize the dual-nature of using social media and provide extensive guidance on this practice, chiefly advocating that judges should exercise caution in their use of social media. As judges must avoid conduct which could reasonably cause others to question their impartiality, the Principles note that attempts to influence judges may come from many sources, including social media. Judges should be cautious in their communications on social media relating to matters that could come before the court. Social media activities should be undertaken in ways that avoid compromising public confidence in the judiciary. Judges should be aware of how their activities on social media may reflect on themselves and upon the judiciary and should be attentive to the potential implications for their ability to perform their judicial role.
The Principles also note that communication by social media is more public and more permanent than many other forms of communication, enabling messages to be re-transmitted beyond the originators’ control and without their consent. Thus, comments or images intended for a limited audience can be shared with a vast audience, creating an adverse reaction and creating greater opportunities for inappropriate communications to judges from others.
Judges who do use social media should be exceptionally vigilant to guard against behaviour that would lead to claims lack of impartiality and reasonable apprehensions of bias arising from these activities. This means exercising considerable caution in social media communications, including expressions of support or disapproval. Any judge using social media must also learn how to use security and privacy settings appropriate to their use of social media. Judges also have to avoid using social media and technology to inappropriately acquire or receive out-of-court information related to the parties, witnesses or issues under consideration in matters before them. Fairness issues may need to be considered by the judge should this happen.
While the Principles certainly acknowledge that judges are human beings with private lives who are entitled to enjoy, as much as possible, the rights and freedoms generally available to all, judges are reminded through such useful guidance as the Principles that some restrictions may be required, and that they should strive to strike a balance between the expectations of judicial office and their personal lives, including in their use of newer technologies such as social media.