Judge encourages Facebook to settle privacy case

SAN FRANCISCO -- Facebook Inc. should consider settling a putative privacy class action regarding facial recognition technology, a U.S. judge said Thursday.

The case involves claims that Facebook's use of technology to identify users in photos uploaded to its servers violates the Illinois Biometric Information Privacy Act. The act, signed into law in 2008, precludes collection of biometric information from Illinois citizens without obtaining their prior consent.

U.S. District Judge James Donato had tough questions for both sides but signaled to Facebook that it was unlikely to avoid trial. Donato didn't issue an order on the plaintiffs' motion for class certification or the defense's motion for summary judgment but ordered both sides to meet with a mediator.

The judge told Facebook he wanted one of its employees to be at the mediation and that the client representative should have full power to settle the case, meaning the social media company shouldn't send a low-level employee to observe the proceedings.

It's been a difficult week for the social media giant, after media reports circulated that the company gives third-party companies access to user data. Many of the reports have focused on Cambridge Analytica, a British political consulting firm that allegedly used Facebook data to help President Donald Trump's campaign, among others.

Facebook should consider the totality of the privacy scandals it is facing at the moment when considering whether to continue litigating, Donato said.

"Isn't it the time right for sitting down?" he asked.

Earlier in the hearing the two legal teams debated whether Illinois law requires a claim of "actual harm" to bring a privacy case. The conventional wisdom of the privacy bar until recently had been that it was very difficult to bring privacy cases unless they included allegations the plaintiffs were affected in a real world manner by having their privacy rights violated.

Now plaintiffs' lawyers contend a recent ruling by the 9th U.S. Circuit Court of Appeals in Robins v. Spokeo Inc., a case previously remanded by the Supreme Court, has opened the door for litigation where plaintiffs only allege their privacy rights were violated, with no claim of actual harm.

Lauren R. Goldman, a partner with Mayer Brown LLP who represents Facebook, said nothing has changed under Illinois law.

The debate largely centered on the use of the word "aggrieved" in the Illinois privacy law, which states in part that it provides a cause of action to any "person aggrieved by a violation of this act."

Goldman cited a ruling from the Illinois 2nd District Appellate Court, Rosenbach v. Six Flags Entertainment Corp.

"Aggrieved means you need downstream harm," she said. "Every time someone comes into Illinois court they need to prove concrete harm."

The Rosenbach case involved Six Flags fingerprinting a minor without getting his parent's consent, while he was purchasing a season pass to the theme park.

"The facts of it are so different from the fingerprint case that it doesn't really apply here," said Alexander G. Tievsky, an associate with Edelson PC who represents the plaintiffs.

"I'm having trouble seeing how it's particularly applicable here," Donato said.

The two sides also argued over the interpretation of statements made by a Facebook employee under deposition. The employee told plaintiffs' attorneys that Facebook automatically puts every single photo in its system through the facial recognition scanning technology.

Michael E. Rayfield, a Mayer Brown associate, said the employee wasn't qualified to testify on the specific inner workings of the facial recognition technology.

"He was not saying facial recognition was performed on all photos uploaded to the service," Rayfield said. "He was giving testimony about how the technology works generally."