In Patel v. Facebook, a three-judge panel of the U.S. Court of Appeals for the 9th Circuit affirmed a decision by the U.S. District Court for the Northern District of California granting class certification to users of Facebook who alleged that Facebook’s collecting and storing of their face scans using facial recognition technology violated Illinois’s Biometric Information Privacy Act (“BIPA”). In doing so, the panel, based in San Francisco, relied on BIPA’s legislative history to conclude that, “it is reasonable to infer that the [Illinois] General Assembly contemplated BIPA’s application to individuals who are located in Illinois, even if some relevant activities occur outside the state.” Patel v. Facebook, slip op. No. 18-15982 (9th Cir. Aug. 8, 2019) (citing BIPA, 740 Ill. Comp. Stat. 14/1, 14/5 (2008)). Although the extraterritoriality doctrine has been used in other legal contexts, the panel’s holding specifically extends it to distributed artificial intelligence systems, specifically facial recognition, where some components of the system engage with individuals in one state while others process user data in another. Following Patel, businesses looking to avoid liability from private right of action lawsuits, like those brought pursuant to BIPA, may no longer find safe harbor by distributing AI system components (e.g., data servers) outside a regulated jurisdiction. And state lawmakers who wish to pass laws to protect citizens from AI technologies should be mindful not only of the wording of their legislation, but also of developing a sufficient legislative history if they do not want their laws’ reach to stop at state borders.
Enacted a decade before the recent swell of anti-facial recognition sentiment, BIPA sought to address the unconsented storage of “biometric identifiers” in Illinois, including a “scan of hand or face geometry.” Id. at 14/10. The Patel class members accused Facebook of making scans of their faces in violation of BIPA, using Tag Suggestions, a feature Facebook launched in 2010 and applied to the Illinois class member’s uploaded images. As explained by the panel, Tag invokes use of facial recognition technology to analyze whether a user’s Facebook friends are in uploaded photos by “scanning” the photos (using a deep learning model for object detection) to see whether it contains faces. If so, the process determines geometric facial landmarks associated with the faces, such as the distance between the eyes, length of the nose, and ear position, among others, to create a unique face map, which is stored. The technology then compares the face map to known faces in a face templates database (i.e., face data that has already been matched to the user’s profiles). If there is a match between the new geometric face data and one of the existing face templates, Tag may suggest tagging the person in the photo with their name. This process apparently occurs at least in part in one of six Facebook data centers located in Oregon, California, Iowa, Texas, Virginia, and North Carolina, even if the users who are uploading images are located in a different state.
The issue before the 9th Circuit concerned the parties’ dispute regarding whether extraterritoriality defeats the “predominance” requirement for class certification. See Fed. R. Civ. P. 23(b)(3) (describing the requirement that “questions of law or fact common to class members predominate over any questions affecting only individual members”). In Illinois, like other states, the Illinois Supreme Court has held that it is a “longstanding rule of construction in Illinois” that “a ‘statute is without extraterritorial effect unless a clear intent in this respect appears from the express provisions of the statute.'” Patel (citing Avery v. State Farm Mut. Auto. Ins. Co., 835 N.E.2d 801, 852 (Ill. 2005) (quoting Dur-Ite Co. v. Indus. Comm’n, 68 N.E.2d 717, 722 (Ill. 1946)). “In the absence of such an intent, an Illinois plaintiff may not maintain a cause of action under a state statute for transactions that took place outside of Illinois. When a case is ‘made up of components that occur in more than one state,’ plaintiffs may maintain an action only if the events that are necessary elements of the transaction occurred ‘primarily and substantially within’ Illinois.” Id. (citations omitted).
“Given the [Illinois] General Assembly’s finding that ‘[m]ajor national corporations have selected the City of Chicago and other locations in this State as pilot testing sites for new applications of biometric-facilitated financial transactions,’ 740 Ill. Comp. Stat. 14/5, it is reasonable to infer that the General Assembly contemplated BIPA’s application to individuals who are located in Illinois, even if some relevant activities occur outside the state.”
Here, the panel found that BIPA’s language does not clarify whether a private entity’s collection, use, and storage of face templates without first obtaining a release, or a private entity’s failure to implement a compliant retention policy, is deemed to occur (1) where the person whose privacy rights are impacted uses Facebook, (2) where Facebook scans photographs and stores the face templates, or (3) in some other place or combination of places. Accordingly, the panel turned to BIPA’s legislative history for guidance before concluding that, “[g]iven the [Illinois] General Assembly’s finding that ‘[m]ajor national corporations have selected the City of Chicago and other locations in this State as pilot testing sites for new applications of biometric-facilitated financial transactions,’ 740 Ill. Comp. Stat. 14/5, it is reasonable to infer that the General Assembly contemplated BIPA’s application to individuals who are located in Illinois, even if some relevant activities occur outside the state.”
The extraterritoriality doctrine has a long and entrenched history in federal anti-terrorism claims, state consumer protection claims, federal racketeering claims, and patent infringement allegations, among other areas of law. But Patel appears to be the first instance where the doctrine has been applied directly in the case of a state data privacy law claim involving an AI technology. The panel’s holding matters to businesses that deploy AI system in a distributed manner whereby components of the system are located across state borders, such as where a customer-facing edge computing device or interactive app or website is made operational in one state while data from that device or interface is processed in a different state. Given the potential significant liability facing companies in BIPA private right of action lawsuits, at least some of those businesses were likely rooting for a Facebook victory on the extraterritoriality question, if only to preserve an argument for defeating class certification. Following the Patel decision, however, those companies may need to look elsewhere for defenses against BIPA lawsuit claims (or, simply avoid liability in the first instance by complying with BIPA’s provisions).
For state lawmakers, Patel does not appear to raise the bar for court’s trying to decipher legislative intent concerning a state law’s reach. Indeed, all it took for the panel to conclude that BIPA reaches beyond Illinois’ border was an observation that, “[m]ajor national corporations have selected…[Illinois] as pilot testing sites for new applications of biometric-facilitated financial transactions.” While other Circuits might not reach the same conclusion under similar circumstances, it says something when a panel of judges based in San Francisco finds against a local Silicon Valley tech company when applying another state’s privacy law. At least for now, concerns over facial recognition, data privacy, and to some degree artificial intelligence appear to outweigh interests in limiting the extraterritoriality doctrine.