Court Overturns a Bad Jury Verdict Against Scraping–Ryanair v Booking (Guest Blog Post)

by guest blogger Kieran McCarthy

This summer, I wrote that the jury trial between Ryanair and Booking Holdings ended in the strangest way possible. The jury returned a verdict that Booking Holdings had caused exactly $5,000 in legally cognizable “loss” to Ryanair under the CFAA—the statutory minimum to establish a CFAA claim.

Of course, there’s no way that the actual damages caused by one company to another under the CFAA would match the statutory loss threshold to the cent. What really happened was that the judge gave a jury instruction that confused the hell out of the jury, and so the jury returned a meaningless and indefensible verdict, one that was certain to be appealed.

And so it comes as no surprise that there were some post-trial fireworks in this case. On January 22, Booking.com’s renewed motion for judgment as a matter of law (“JMOL”) was granted. That indefensible jury verdict was overturned.

The JMOL had two primary conclusions:

First, that the CFAA has extraterritorial application, and therefore it was appropriate for this court to apply the CFAA here. This is an incredibly controversial holding. By the time trial rolled around, this case involved only an Irish plaintiff (Ryanair) and a Dutch defendant (Booking.com B.V.).

Now, one might reasonably think that an American court has no business adjudicating a business dispute between two European companies, when that case might result in an extraterritorial injunction that directly conflicts with European laws in their home countries. But this court says, not so. The court’s reasoning was that, because the definition of “protected computer” includes computers located outside of the United States, this is a clear, affirmative indication of the CFAA’s extraterritorial application, even though the statute itself does not say that it has extraterritorial application. And, of course, the statute itself was drafted long before the Internet was in ubiquitous use, so the drafters could never have contemplated this situation. That holding has enormous potential ramifications for companies around the world, but it didn’t end up being dispositive to the parties in this dispute.

Second, and more importantly for the parties in this dispute, the court found that Ryanair did not meet its burden of proving at least $5,000 of “loss” attributable to Booking.com (or, in the alternative, obtaining $5,000 in value from alleged fraud). The judge determined that certain costs, such as customer service agent expenses, did not qualify as a loss, and determined that only $2,457.72 from Ryanair’s antibot technology “Shield” were attributable as losses under the CFAA. Because Ryanair did not meet the $5,000 CFAA loss threshold after the judge’s re-evaluation of the facts in the case, the judge threw out the adverse jury verdict under the CFAA.

And so, four and a half years after the initial complaint was filed, the case ended with no finding of liability for either party.

In the end, two parties paid many millions in legal fees to determine whether one party had caused another $5,000 in “loss” under the CFAA. They engaged in this absurd legal dance because Ryanair wanted injunctive relief. It wanted a worldwide, enforceable court order to get Booking and its affiliates to stop reselling Ryanair flights. I do not think that’s what the drafters of the CFAA had in mind.

I blame this result on this court’s definition of technological harm. Here’s what happened:

After being provided the CFAA definition of “loss,” the jury was instructed that “the cost of responding to an offense may be considered a loss even if no actual technological harm has occurred, as long as the response is directed at technological harm, such as preventing an impending unauthorized access or investigating the method by which an offender accessed the computer, rather than business or other harms, such as investigating how the offender used the access for commercial gain.” Dkt. No. 453 at 5. The jury was further instructed that they “should not offset any losses by any profits Ryanair may have received as a result of Booking.com’s actions,” and that “[l]osses do not include any costs that are not borne by Ryanair.” Id.

JMOL at 16.

This is equal parts nonsensical and confusing.

According to the Supreme Court in Van Buren, the definition of loss under the CFAA “focus[es] on technological harms—such as the corruption of files—of the type unauthorized users cause to computer systems and data.” Van Buren v. United States, 593 U.S. 374, 392 (2021). But according to this court, a party can establish technological harm “even if no actual technological harm has occurred,” as long as they investigate non-harm in a technological way.

Huh? Got that?

This standard is confusing, easy to manipulate, and seems to contradict the direct language of the Supreme Court and the statute itself. It also is at odds with any sort of common-sense understanding of what constitutes technological harm. And because it allows plaintiffs to bootstrap a definition of technological harm in the absence of actual harm, it incentivizes companies to pursue business grievances through the CFAA. And apparently now companies can do this regardless of whether they have any connection to the United States, assuming they operate online and some of their business is transacted here.

If this is what passes as technological harm, then more CFAA absurdity is certain to come in the near future.

Case Citation: Ryanair DAC v. Booking.com BV, 1:20-cv-01191-WCB (D. Del. Jan. 22, 2025).