‘365 for Business’ Users’ Privacy Lawsuit Dismissed–Russo v. Microsoft
Users of “Microsoft 365 For Business” allege oversharing by Microsoft, which translates into claims under (1) the Wiretap Act and the Stored Communications Act; (2) Washington’s Consumer Protection Act; (3) the Washington one-party consent phone statute; and (4) common law.
The court meanders through the allegations in the complaint, noting that “the precise nature of plaintiffs’ claims lack clarity.” The allegations, which span a wide range of products and contexts, don’t appear to focus on any specific disclosures by Microsoft. Instead, the allegations recount Microsoft’s numerous (robust) privacy-related representations made to customers. With respect to the alleged unauthorized disclosures by Microsoft, the complaint also relies on Microsoft’s own allegedly inconsistent statements regarding the extent of disclosure to third parties. For example, the complaint quotes from the all-encompassing definition of “customer data” as used by Microsoft, but then contrasts this with statements made by Microsoft to developers (where Microsoft touts the value of customer data):
94. Microsoft boasts that Security Graph API is built off the “uniquely broad and deep” insights Microsoft obtained for itself by scanning “400 billion” of its customers’ emails and “data from 700 million Azure user accounts.”
95. Microsoft also harvests business customer data to develop and sell to others a marketing product called Microsoft Audience Network, which Microsoft admits derives enormous value from processing customer data. In Microsoft’s own words:
What sets Microsoft Audience Ads apart is their rich user understanding that powers high performance. The Microsoft Graph consists of robust data sets, including search and web activity, LinkedIn professional profiles, demographics and more. The data is continually updated every second based on user activities. By mapping audience data on such an enormous scale, the Graph helps us spot trends and uncover insights, both of which allow you to effectively reach your customers.
96. Microsoft also uses business customer data to create other applications it sells to other customers, including Windows Defender Application Control, Azure Advanced Threat Protection, and Advanced Threat Protection.
The complaint does not address the plaintiffs’ specific experiences.
Standing: The court dismisses the complaint for lack of standing. With a quick nod to the Supreme Court’s Spokeo ruling, the court says that plaintiffs do not allege sufficient facts to demonstrate they have been injured by Microsoft’s conduct. In the court’s view, the factual allegations “are . . . too sparse and conclusory”. Interestingly, the court does not delve into Spokeo or mention TransUnion, the most recent Supreme Court case on Article III standing.
For good measure, the court walks through the specific claims and finds them all wanting.
Wiretap Act: The court covers a lot of ground in its discussion of the Wiretap Act claim:
- Email scanning can state a claim under the Wiretap Act
- Facebook Connect (and contact list sharing) cannot form the basis of a claim
- Scanning of content would support a claim, but the precise nature of scanning is unclear (and, the court says, is “best left for summary judgment”)
- Microsoft asserts as a defense that scanning is excluded because it is done in the ordinary course of business; the court likes that for two products (Cortana and Advanced Threat Protection) which the court says plaintiffs implicitly consented to by purchasing, but does not like this argument with respect to two other products (Graph and Security Graph APIs).
SCA: The court says it “already found that plaintiffs sufficiently allege . . . Microsoft intercepted the contents of communications for Graph and Security Graph APIs.” These allegations may state a claim under the Stored Communications Act, but the claims as to other features are dismissed with prejudice.
Claim under Washington’s CPA: The court says first that plaintiffs’ “overpayment theory” (that they would not have paid as much in price had they known of Microsoft’s lax privacy practices) states a cognizable injury. However, the court says that the allegations do not satisfy Rule 9’s higher pleading standard for fraud-like claims.
Washington Privacy Act: Plaintiffs also asserted claims under Washington’s one-party consent statute. The court reiterates that because plaintiffs have not adequately alleged that their own communications were intercepted, they lack standing. However, the court dismisses the other defenses raised by Microsoft: (1) the statute covers conduct by companies as well as “persons” and (2) the statute covers communications that originate outside the state of Washington “as long as the interception occurs in Washington.”
Common Law Privacy Claim: Plaintiffs also brought a claim for common law intrusion upon seclusion. The court says that a business has no rights that this tort covers. There must be some allegation of personal intrusion, and there are none in the operative pleading.
Leave to Amend: While the court dismisses the lawsuit, it grants leave to amend. Plaintiffs’ deadline to amend is not yet up.
This lawsuit made my head hurt and just left me asking a bunch of questions.
Venue in Northern District of California feels like an odd choice. It appears that plaintiffs filed in this jurisdiction, but do either of the two parties prefer to be there? To me, the Western District of Washington is a somewhat friendlier forum for plaintiffs. While privacy plaintiffs have obtained victories (often significant ones) in the Northern District of California, there is also a long line of cases where judges have beaten up on class action privacy complaints.
The complaint suffers because of its lack of specificity, particularly as to these particular plaintiffs. What are the plaintiffs’ options in these situations and what are plaintiffs’ best sources for factual allegations? Would it have been helpful to find a whistleblower/insider? Would technical due diligence have helped? How about a consumer request under one of the recently-enacted privacy statutes (of either California or Washington)? While one sympathizes with the plight of privacy plaintiffs, the court’s ruling seems correct that the scant allegations shouldn’t entitle plaintiffs to discovery. (Note: I thought Ed Bott’s initial article on this lawsuit was on point in many ways: “Class action joke: Three Microsoft customers walk into a court…” I highly recommend it. Among his conclusions are that the complaint is based on a misreading of Microsoft technical documents.)
The court dismisses on the basis of standing, but then spends a bunch of time focusing on the merits and in particular the claims under the Wiretap Act. In resolving the claims under the Wiretap Act, the court seems deep in the [factual] weeds. The court’s basis for dismissing certain claims with prejudice is unclear.
The plaintiffs had alleged claims under both the unfair and deceptive prongs of Washington’s CPA. For some reason, the court just focuses on the deceptiveness prong, applying Rule 9’s strict pleading requirement to dismiss the claims. Also, the court says in its discussion of this claim that (1) plaintiffs’ over-payment theory states a cognizable injury under the CPA and (2) “plaintiffs plead enough factual content to make it plausible.” This conclusion seems sufficient to confer standing of some sort, but the court never explains why this is not sufficient to confer Article III standing. ¯\_(ツ)_/¯ I’m not sure what to make of the court’s resolution of the CPA claim.