Ryanair v. Booking CFAA Trial Ends with Strangest Possible Outcome (Guest Blog Post)
Ryanair recently “prevailed” in its CFAA claim in its litigation against Booking.com. I use scare quotes around “prevailed” because, according to the jury verdict, the actual damages suffered by Ryanair were $5,000. $5,000 just so happens to be the exact minimum statutory threshold for losses to state a claim under the CFAA. As in, if the jury concluded Ryanair had suffered $4,999.99 worth of losses, Booking.com would have “prevailed.”
That’s an awfully strange conclusion.
Given the complexities regarding losses under the CFAA and the challenges in quantifying technological harms, the odds of a plaintiff suffering exactly the minimum legal threshold in technological losses to state a claim is infinitesimal. It’s the legal equivalent of a 747 landing on a penny. Maybe this was just the jury’s way of telling the judge and the parties, “This case is dumb. I want to go home.” But it strikes me as a totally implausible conclusion to a legal dispute like this one.
Since this conclusion was determined at trial, both sides almost certainly spent millions of dollars in legal fees to reach this conclusion. Spending millions of dollars in legal fees to recover $5,000 in actual damages is an ROI that only South Park Bank Savings and Loan would be proud of. But Ryanair seems happy about the result regardless, because it allows them to declare victory in their long-standing wars with the online travel industry.
This has been a hard case to follow online, because many of the key rulings have been filed under seal. As a result, it is entirely possible that I am missing some key details here. But my impression of this case is that it is a colossal waste of judicial and legal resources, and the judge should have never let it get this far. Not only that, but this case makes it more likely that other plaintiffs and defendants will suffer lengthy, protracted litigation to reach similarly absurd conclusions.
Goliath v. Goliath
Most web scraping and data-access legal disputes historically feature David vs. Goliath-type fact patterns. A relatively small number of companies (LinkedIn, Meta, Google) control much of the valuable data on the Internet. And there are a near-infinite number of entrepreneurs who have ideas for businesses that could profit from access to that data. That’s the fact pattern of Facebook v. Power Ventures, hiQ Labs v. LinkedIn Corp., and Meta v. Bright Data.
But a few scrapers have become aggregators, and now some of those aggregators have power and leverage themselves. Which means that we are entering into an era where scrapers aren’t always the underdogs anymore. And there is no better example of Goliath v. Goliath in web-scraping litigation than the long-standing legal dispute between Ryanair v. Booking Holdings Inc.
I wrote about this case back in 2022 when the judge made his initial decisions on the motion to dismiss pleadings. The judge has now issued his opinion on the parties’ summary judgment motions, but he did so under seal. To my knowledge, it is still not public record. I discuss the details of that ruling below.
A few days after the summary judgment decision, the parties agreed to stipulate to dismiss all claims against three of the defendants, Booking Holdings, Inc., Agoda, and Priceline. During the trial, the parties agreed to stipulate to dismiss all claims against Kayak Software Corporation. By the conclusion of trial, only Booking.com B.V., the Dutch subsidiary of Booking Holdings, Inc., remained.
[Author’s Note: A prior version of this post stated that the dismissed parties had settled, rather than stipulated to dismissal.]
Tortious Interference with a Business Model
Before getting into the details of the court ruling, I always think it’s good to zoom out when we talk about CFAA cases to remember what’s happening from a legal and strategic perspective. The CFAA is an anti-hacking statute with a criminal component. Booking Holdings is a Nasdaq 100 listed, S&P 500 listed company that had $21 billion in revenue last year, which is about twice as much money as Ryanair made, according to the companies’ public filings.
Booking Holdings is not “hacking” anyone here. This isn’t top-secret information we’re talking about. What they’re trying to do is be an international aggregator for as much of the travel industry as possible. To do that, you need to direct as much traffic and sales through your sites as you can.
Ryanair is Europe’s largest discount airline. Its business model is to sell highly discounted flights at, near, or below cost and then to make additional profits by selling ancillary services such as food, drinks, rental cars, hotels, and insurance on their site and on their flights. But much of this business model is contingent on being able to sell flights directly through Ryanair’s site to control the market for ancillary services, or so their thinking goes.
Obviously, there is a direct conflict here. But it’s a business model-driven conflict. Ryanair doesn’t want anyone other than Ryanair selling their flights. Booking wants to sell and aggregate information related to all travel options on its various platforms.
But this is an important case for a few different reasons. For one, it’s a significant case that deals with many of the issues that have arisen in some of the other cases I’ve blogged about on this site, but it’s in Delaware, not in the Northern District of California. Sometimes, when we blog these technology cases, we act as if the law in California is the law everywhere. It isn’t. Second, it’s a unique fact pattern in that Ryanair is an Irish company with a terms-of-use that is governed by Irish law. As such, Ryanair cannot rely on its ToU to enforce anti-scraping protections. It had to rely on the CFAA to try to stop Booking from reselling its flights.
The question is whether Ryanair can employ the CFAA, an anti-hacking statute, to forcibly prevent Booking from selling and listing its flights on their platforms without permission. And if so, under what circumstances.
Key Points from the District Court of Delaware Summary Judgment Decision
– The court followed 9th Circuit precedent in hiQ Labs that says that accessing public data cannot constitute a CFAA violation. The decision is good for web scrapers.
– The court may or may not have followed current 9th Circuit precedent in saying that accessing information beneath a login could give rise to a CFAA violation, consistent with the 2016 Power Ventures opinion. After recent opinions such as X Corp. v. CCDH, it is unclear to me whether Power Ventures is still good law in the 9th Circuit. According to this court, it is.
– The court granted summary judgment for Booking as to CFAA 1030(a)(2), because Booking had obtained no information other than information input by the end user. This is a good decision for web scrapers.
– This case turned on what constitutes a “loss” under the CFAA. Under the CFAA, the plaintiff must not only show access without authorization but losses that were technological in nature that amount to more than $5,000 in a year. Here, in a decision that was bad for web scrapers, the court found that ‘“any reasonable cost to any victim, including the cost of responding to an offense” includes the cost of an investigation following a CFAA violation, even when the violation has not resulted in actual impairment of the protected computer or loss of data.’ Thus, according to the court, conduct that causes no harm, and therefore didn’t violate the statute, becomes a violation if the plaintiff investigates the harm and spends more than $5,000 in its investigation.
This logic is somewhere between circular and nonsensical. Non-offending conduct does not become offending conduct when it is investigated, particularly when the conclusion of the investigation is that there was no underlying technological harm. The Supreme Court in Van Buren said that,
The term “loss” likewise relates to costs caused by harm to computer data, programs, systems, or information services. §1030(e)(11). The statutory definitions of “damage” and “loss” thus focus on technological harms—such as the corruption of files—of the type unauthorized users cause to computer systems and data. Limiting “damage” and “loss” in this way makes sense in a scheme “aimed at preventing the typical consequences of hacking.”
– The judge declined to grant summary judgment in favor of Booking on CFAA 1030(a)(4), which requires intent to defraud while accessing a computer. The court found that the creation of fake accounts or use of false information during the ticketing process could be construed as a violation. Fake accounts almost never end well for scrapers.
– The court declined to grant summary judgment in favor or Booking on CFAA 1030(a)(5), conspiracy. At trial, Booking prevailed on this element.
– The court declined to grant summary judgment in favor of Ryanair on its tortious interference, defamation, and unfair competition claims. Booking lost of on all of these claims at trial.
Conclusions
There is increasing judicial disagreement over what constitutes technological harm under the CFAA. Van Buren made clear that losses under the CFAA must be technological in nature, and there must be actual harm to computer systems, data, or information to state a claim under the CFAA. But in some cases, such as this one, trivial and manufactured harms may be sufficient to state a claim.
Judges that invoke broad definitions of “technological harm” guarantee absurd legal conclusions and make it more likely that we will see trivial and manufactured legal proceedings under the CFAA. And this case is the best example I have seen of that yet.