The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee


Leave a comment

Google Avoids Class Certification in Gmail Litigation

On March 18, 2014, Judge Koh in the Northern District of California denied Plaintiffs’ Motion for Class Certification in the In re: Google Inc. Gmail Litigation matter, Case No. 13-MD-02430-LHK. The case involved allegations of unlawful wiretapping in Google’s operation of its Gmail email service. Plaintiffs alleged that, without obtaining proper consent, Google unlawfully read the content of emails, extracted concepts from the emails, and used metadata from emails to create secret user profiles.

Among other things, obtaining class certification requires a plaintiff to demonstrate that class issues will predominate over individual issues. In this case, Judge Koh’s opinion focused almost exclusively on the issue of predominance. The Court noted that the predominance inquiry “tests whether proposed classes are sufficiently cohesive to warrant adjudication by representation.” Opinion (“Op.”) at 23 (citations omitted). The Court further emphasized that the predominance inquiry “is a holistic one, in which the Court considers whether overall, considering the issues to be litigated, common issues will predominate.” Op. at 24.

The Court in the Gmail litigation noted how the existence of consent is a common defense to all of Plaintiffs’ claims. Consent can either be express, or it can be implied “based on whether the surrounding circumstances demonstrate that the party whose communications were intercepted new of such interceptions.” Op. at 26. The decision explained how common issues would not predominate with respect to a determination of whether any particular class member consented to Google’s alleged conduct.

The Court briefly addressed whether the issue of express consent could be practically litigated on a class-wide basis, but the opinion focused largely on the issue of implied consent. The Court noted that implied consent “is an intensely factual question that requires consideration of the circumstances surrounding the interception to divine whether the party whose communication was intercepted was on notice that the communication would be intercepted.” Op. at 30. Google contended that implied consent would require individual inquiries into what each person knew. Google pointed to a plethora of information surrounding the scanning of Gmail emails including:  (1) Google’s Terms of Service; (2) Google’s multiple Privacy Policies; (3) Google’s product-specific Privacy Policies; (4) Google’s Help pages; (5) Google’s webpages on targeted advertising; (6) disclosures in the Gmail interface; (7) media reporting of Gmail’s launch and how Google “scans” email messages; (8) media reports regarding Google’s advertising system; and (9) media reports of litigation concerning Gmail email scanning. The Court thus agreed with Google that there was a “panoply of sources from which email users could have learned of Google’s interceptions other than Google’s TOS and Privacy Policies.” Op. at 33. With all these different means by which a user could have learned of the scanning practices (and provided implied consent to the practice) the issue of consent would overwhelmingly require individualized inquiries and thus precluded class certification.

This opinion demonstrates a key defense to class action claims where implied consent is at issue. Any class action defendant’s assessment of risk should include an early calculation of the likelihood of class certification, and that calculation should inform litigation strategy throughout the case. Google consistently litigated the matter to highlight class certification difficulties surrounding consent, and ultimately obtained a significant victory in defeating class certification.


Leave a comment

FTC Steps Down from Google Data Privacy Investigation, U.K. Back On Board

Oct. 27, 2010. The Federal Trade Commission today posted a letter to Google’s counsel announcing that it is ending its inquiry into Google’s collection of information sent over unsecured wireless networks. The inquiry began after Google revealed in May 2010 that its Street View cars had been collecting more than just WiFi location information such as SSID information and MAC addresses. Instead, Google had also been capturing “payload” data sent over unsecured wireless networks. The May announcement came after the data protection authority in Hamburg, Germany, requested an audit of the Street View data.
 
Google’s May revelation generated a flurry of media attention (e.g. from the Wall Street Journal and New York Times), and regulatory investigations in the United States, Germany, Canada, Australia, the U.K., South Korea, and elsewhere. Several class-action lawsuits also resulted. 
 
Last week, on October 22, 2010 Google announced on its U.S. website that it has taken steps to improve its privacy practices, including appointing a new director of privacy to oversee both the engineering and product management groups, enhancing its privacy training, and implementing new internal privacy compliance practices.  This announcement, together with Google’s promise to delete the payload data as soon as possible, and assurance that it will not use the data in any product or service, appears to have appeased the FTC. The FTC’s letter did not contain any determination about whether Google’s actions did or did not breach any data privacy laws, nor did it require any remedial action or fines. Australia, in contrast, had concluded in June that Google violated Australia’s privacy laws, and required Google to publicly apologize, to conduct a Privacy Impact Assessment, and regularly consult with the Australian office about data collection. 
 
Google also acknowledged that – contrary to its earlier postings – “in some instances entire emails and URLs were captured, as well as passwords.” While Google’s October 22 posting satisfied the FTC, this revelation caused the U.K. to announce that is re-opening its investigation into Google’s privacy practices.  The U.K.  had closed its investigation in July after reviewing sample payload data, concluding that personal data, emails and passwords were not collected.