Saying the plaintiffs bringing the action must show how they were actually harmed, a Chicago federal judge has closed the window on a class action lawsuit accusing Google of violating an Illinois privacy law by automatically creating and storing face scans of people in photos uploaded to its Google Photos service.
“… All Plaintiffs are left with is their testimony that they felt their privacy rights were violated, but ‘feel[ing] aggrieved,’ without more, does not establish a concrete injury,” wrote U.S. District Judge Edmond Chang.
Chang filed his ruling on Dec. 29, siding with the Mountain View, Calif.-based tech titan, granting Google’s motion for summary judgment in the legal action.
The class action was first filed in March 2016, by attorneys from the firms of Lite DePalma Greenberg LLC, of Chicago; Carey Rodriguez O’Keefe Milian Gonya LLP, of Miami, Fla.; and Ahdoot & Wolfson PC, of West Hollywood, Calif., on behalf of a class of plaintiffs led by named plaintiffs, Illinois residents Lindabeth Rivera and Joseph Weiss.
The lawsuit accused Google of the Illinois Biometric Information Privacy Act when it allegedly created and stored face scans of Rivera and Weiss, without their consent, from photos uploaded by others to Google’s cloud-based photo-sharing service.
The accusations center on allegations Google’s face scans violated the law by creating templates of people’s faces using facial geometry, a so-called biometric identifier.
Under the Illinois BIPA law, which was enacted in 2008, private entities are barred from obtaining and possessing people’s biometric identifiers without their consent. Other biometric identifiers can include a person’s fingerprints, DNA or retina scans.
According to the class action complaint, Google Photos has “created, collected and stored” millions of “face templates or face prints – highly detailed geometric maps of the face – from millions of Illinois residents, many thousands of whom are not even enrolled in the Google Photos service,” to organize and group photos based on the people pictured.
Both Rivera and Weiss asserted they don’t have Google Photos accounts, and the photographs of them were uploaded by others. Yet, they say, Google still scanned their “face prints” and used the information to identify them in photos posted to Google Photos.
In response to the suit, Google asserted the lawsuit should be decided in its favor, essentially because the plaintiffs could not demonstrate the facial geometry scans had actually harmed them in any real, or “concrete” way. They argued such a finding is required under the U.S. Supreme Court’s 2016 Spokeo v Robins decision.
In Spokeo, the high court ruled allegations of privacy rights violations must be linked to a “concrete injury,” not just a technical violation of the law.
In his decision, Judge Chang said he did not believe the plaintiffs had demonstrated a concrete injury from Google’s scans of their faces. He noted the biometric information gleaned from the photos was not shared with anyone else, “commercially exploited,” nor was there any “evidence of a substantial risk that the face templates will result in identity theft.”
“It is true that if an unintended disclosure happens, then there are few ways to change biometric information, and federal courts should follow the legislature’s lead in considering that immutability in deciding what is a ‘substantial’ risk,” Judge Chang wrote. “But even taking that permanency into account does not justify an across-the-board conclusion that all cases involving any private entity that collects or retains individuals’ biometric data present a sufficient risk of disclosure that concrete injury has been satisfied in every case.”
Further, using the BIPA law’s so-called “legislative findings,” or the statements included in the law by the lawmakers to explain their rationale, the judge found the risk of identity theft is the only real claim of concrete injury a plaintiff can make in a case involving their facial image
“Most people expose their faces to the general public every day, so one’s face is even more widely public than non-biometric information like a Social Security number,” the judge wrote. “Indeed, we expose our faces to the public such that no additional intrusion into our privacy is required to obtain a likeness of it, unlike the physical placement of a finger on a scanner or other object, or the exposure of a sub-surface part of the body like a retina.
“There is nothing in the (BIPA’s) legislative findings that would explain why the injury suffered by Plaintiffs here – the unconsented creation of face templates – is concrete enough…”
Google is represented in the case by attorneys with the firm of Perkins Coie LLP, of San Francisco, Seattle and Chicago.
The judge ordered the case dismissed.
The ruling comes as the latest outcome amid a number of litigation battles pending in courts in Illinois and elsewhere over the interpretation of the BIPA law.
In coming days, the Illinois Supreme Court is poised to render its opinion on the subject, as the state’s high court considers a dispute over whether a woman can sue theme park operator Six Flags over a scan of her teen son’s fingerprint for the purposes of verifying his season pass to the Great America theme park in suburban Gurnee.
In that case, justices appeared skeptical of Six Flags’ arguments the mother must prove such concrete harm to bring her lawsuit. Justices appeared to question whether waiting for such concrete harm before a lawsuit could be filed was not the intent of lawmakers, as justices wondered aloud whether such harm would be “irreparable” and whether such a standard would leave businesses free to violate the law and take the risk of getting sued later.