By Danielle Kays and James Nasiri

Seyfarth Synopsis: On October 17, 2022, the U.S. District Court for the Western District of Washington granted Microsoft’s motion for summary judgment on the plaintiffs’ unique class action claims in a case entitled Vance v. Microsoft Corp. The plaintiffs, and Illinois residents, uploaded several pictures of themselves to popular photo-sharing site Flickr, which then became part of a “Diversity in Faces” digital dataset that was subsequently downloaded by two individuals associated with Microsoft. The plaintiffs claimed that Microsoft downloaded the dataset without their consent under the procedures set forth under the Illinois Biometric Information Privacy Act (“BIPA”) and therefore violated the BIPA as to individuals in the photos. Microsoft countered that the plaintiffs’ BIPA claims lacked the requisite connection to Illinois, and the Court agreed. By dismissing the plaintiffs’ claims, the Court issued an important BIPA win for companies, and also set forth favorable precedent for out-of-state businesses hit with BIPA lawsuits.

Background on Vance v. Microsoft

The Vance matter has a relatively complicated history, spanning back almost 20 years and involving a number of different companies and key players. The core of this dispute is the Diversity in Faces (“DiF”) Dataset, which is a set of approximately one million human facial images designed to encapsulate the diversity of the human race. Early versions of facial recognition software apparently struggled to accurately identify “individuals who were not male and did not have light colored skin tones.” In response to this issue, International Business Machines Corp. (“IBM”) compiled and created the DiF Dataset in order “to advance the study of fairness and accuracy in facial recognition technology.”

Separately, the plaintiffs in this case — Steven Vance and Tim Janecyk — were Illinois residents and active members of Flickr, a photo-sharing website later purchased by Yahoo!. Starting in 2008, the plaintiffs began uploading dozens of photos of themselves to Flickr. Then, in 2014, Yahoo! publicly released a dataset containing millions of public pictures, many of which were subsequently used in IBM’s DiF Dataset. Therefore, the plaintiffs’ photos originally uploaded to Flickr ended up becoming part of the DiF Dataset. 

IBM made its DiF Dataset public in 2019, and shortly after, two individuals associated with Microsoft downloaded the Dataset. The first individual, a consultant hired by Microsoft to assist with evaluating facial recognition technology, downloaded the DiF Dataset while in Washington state. The second individual at issue was a student intern for Microsoft who downloaded the DiF Dataset while in New York, in order to assist with her research on facial recognition systems.

The plaintiffs brought the present class action lawsuit alleging that, even though Microsoft’s two agents downloaded the Dataset outside of Illinois, Microsoft’s data management process involved saved data being “chunked (i.e., divided into non-overlapping packets of data bits),” encrypted, and stored in a data center in Chicago, Illinois. Consequently, the plaintiffs alleged that Microsoft violated the BIPA by: 1) collecting and obtaining their biometric data without satisfying the requisite process and obtaining written releases; and 2) unlawfully profiting from their biometric data. The plaintiff also asserted a claim of unjust enrichment relative to the Microsoft consultant using the DiF Dataset to evaluate facial recognition products that Microsoft was considering buying.

District Court Grants Microsoft’s Motion for Summary Judgment

Microsoft filed its motion for summary judgment in May 2022, arguing that the plaintiffs could not lawfully move forward with their BIPA or unjust enrichment claims. Specifically, the company contended that the BIPA cannot apply to conduct extraterritorial of Illinois, and thus, applying the BIPA to Microsoft’s conduct would violate the Commerce Clause of the U.S. Constitution. Microsoft also argued that, even if the plaintiffs satisfied their jurisdictional hurdle, they cannot satisfy all necessary elements of their BIPA claim or their unjust enrichment claim.

On October 17, 2022, the Court granted Microsoft’s motion on both of the plaintiffs’ claims. With respect to the out-of-state application of the BIPA, the Court first noted that, because the Act does not contain an extraterritorial provision, the conduct at issue must have “occurred primarily and substantially in Illinois.” To that end, the plaintiffs stated that  because they are Illinois residents, their injuries occurred in Illinois. They also emphasized that Microsoft may have encrypted and stored “chunked” copies of the DiF dataset on the company’s servers in Illinois. Microsoft responded by pointing out that the BIPA only regulates an entity’s collection of data, rather than its encryption and storage of such data after the original acquisition.

Ultimately, the Court agreed with Microsoft by finding that all relevant conduct took place in Washington and New York. Specifically, the Court reasoned that the Company could not be held liable under the BIPA where other entities (i.e., Flickr, Yahoo!, and IBM) actually collected the biometric data at issue. The Court therefore held that “even if Microsoft’s systems ‘chunked,’ encrypted, and stored the DiF Dataset on a server in Illinois, any connection between Microsoft’s conduct and Illinois is too attenuated and de minimis for a reasonable juror to find that the circumstances underlying Microsoft’s alleged BIPA violation ‘occurred primarily and substantially in Illinois.’”

In terms of the unjust enrichment claim, the plaintiffs alleged that Microsoft received a monetary benefit by downloading the DiF Dataset, without providing adequate compensation to the plaintiffs. Namely, they pointed to the conduct of Microsoft’s consultant, who downloaded the Dataset to evaluate facial recognition software that the Company was considering for purchase. The Court firmly rejected the plaintiffs’ arguments here, holding that the plaintiffs failed to show that Microsoft actually used — and benefitted from — one consultant’s download of the DiF Dataset. Accordingly, the Court granted Microsoft’s motion without reaching the merits of the plaintiffs’ BIPA claim.

Implications for Employers

The Washington federal court’s decision in Vance creates favorable BIPA case law for companies as it relates to the Act’s out-of-state applicability. The Vance decision sets forth some protection for businesses outside of Illinois that collect or store biometric data. Importantly, the Court establishes that an out-of-state business that merely stores part of its encrypted biometric data on an Illinois-based server cannot be held liable under Section 15(b) of the BIPA. For more information about the Illinois Biometric Information Privacy Act and how this decision may affect your business, contact the authors Danielle Kays and James Nasiri, your Seyfarth attorney, or Seyfarth’s Workplace Privacy & Biometrics Practice Group.