Miller v. Southwest Airlines Co., 926 F.3d 898 (7th Cir. 2019) -- The U.S. Court of Appeals for the 7th Circuit recently heard appeals from a district court’s dismissal and remand to state court of two putative class action lawsuits against Southwest Airlines and United Airlines, respectively, alleging violations of the Illinois Biometric Information Privacy Act (“BIPA”). In both cases, the plaintiff employees contended that the air carriers: (i) implemented timekeeping systems that require employees to clock in/out with their fingerprints without their consent; (ii) failed to disclose protocols for retention of the employees’ biometric information; and (iii) improperly used third-party vendors to implement the timekeeping systems. The air carriers argued, however, that the plaintiffs’ unions consented to the timekeeping systems through their collective bargaining agreements’ management-rights clauses, and any required notices were provided to the unions; as a result, the trial courts lacked subject-matter jurisdiction to hear the disputes pursuant to the Railway Labor Act.
The 7th Circuit noted that the plaintiffs’ unions are the “authorized agents” for the employees under federal law and BIPA, and a state cannot remove a topic (such as timekeeping) from a union’s purview and require direct bargaining between individual workers and management. Accordingly, given the plaintiffs’ collective bargaining agreements with the air carriers, the appellate court agreed with Southwest and United that any dispute about the timekeeping system, and whether the unions had consented thereto on the employees’ collective behalf, had to be brought before an adjustment board under the Railway Labor Act.
The 7th Circuit separately addressed the scope of BIPA in dicta, finding that the law applies to private entities that collect biometric data in Illinois, and does not purport to exclude nonresident employees who work and provide biometric data in Illinois.
Patel v. Facebook, Inc., No. 18-15982, 2019 WL 3727424 (9th Cir. Aug. 8, 2019) -- The U.S. Court of Appeals for the 9th Circuit reviewed a district court’s order granting class certification in an action by Facebook users against Facebook for violation of section 15 of BIPA. Here, the plaintiff users alleged that Facebook’s use of facial-recognition technology (which scans and stores biometric data) on photos uploaded to the plaintiffs’ personal pages, without their consent and without establishing a compliant retention schedule, constituted a violation of their substantive privacy rights. Facebook argued that the plaintiffs’ complaint should be dismissed because the users’ claim described a procedural violation of BIPA rather than a concrete injury sufficient to confer Article III standing. The district court denied Facebook’s motion to dismiss and certified a class of Facebook users in Illinois for whom Facebook created and stored biometric data.
On appeal, Facebook challenged both the plaintiffs’ standing and the district court’s exercise of its discretion in certifying the class. First, the 9th Circuit explained that an individual’s biometric privacy rights have a close relationship to a harm historically recognized by courts as establishing grounds for a suit, and, under Rosenbach v. Six Flags Entertainment Corp., No. 123186, 2019 WL 323902 (Ill. S. Ct. Jan. 25, 2019), an individual was not required to sustain a compensable injury beyond the violation of his/her biometric privacy rights in order to seek recourse under the Act. The appellate court, therefore, concluded that the plaintiffs alleged “a concrete and particularized harm, sufficient to confer Article III standing.”
Second, the 9th Circuit rejected Facebook’s contention that, under the Illinois extraterritoriality doctrine, each class member had to provide individualized proof that the events in that member’s case occurred ‘primarily and substantially within’ Illinois, and/or its challenge to the superiority of a class action over individual actions. The court reasoned that BIPA does not indicate where Facebook’s collection, use, and storage of facial biometric data without consent, or its failure to implement a compliant retention policy, is deemed to occur: where the user whose privacy rights are impacted resides, where Facebook scans and stores such data, or in some other place or combination of places. Even so, the court found it reasonable to infer that the Act would apply to individuals located in Illinois even if some of the relevant activities occur outside the state. The court further concluded that neither the language of BIPA nor its legislative history reflected any intent by the Illinois legislature to place a cap on damages under the Act such that the potential for enormous liability could or would justify the denial of class certification.
BIPA, much like other data privacy laws, is complex, so minimizing your company’s exposure and risk of liability under BIPA requires advice from expert counsel. If you need recommended actions for your company or are interested in learning more, please contact Adrian K. Felix, litigation attorney, at 305-350-7234 or firstname.lastname@example.org.