Who Owns Our Personal Data?

A class action suit was filed on Thursday against Netflix in the US District Court for the Northern District of California. The class is “All Netflix subscribers that rented a Netflix movie and also rated a movie on the Netflix website during the period of October 1998 through December 2005, residing in the United States.”

According to the class action complaint, “On October 2, 2006, Netflix perpetrated the largest voluntary privacy breach to date, disclosing sensitive and personal indentifying consumer information. The information was not compromised by malicious intruders. Rather, it was given away to the world freely, and with fanfare, as part of a contest intended to benefit its trusted custodian, Netflix.” The lawsuit is brought as a class action by and on behalf of similarly situated Netflix subscribers whose privacy was violated by Netflix as organizer of the “Netflix Prize” contest.

Nettflix launched a contest in the Fall of 2006 offering cash prizes to contestants who could provide collaborative filtering algorithms that would predict viewers' movie ratings with a greater accuracy than Cinematch, which is Netflix’s proprietary recommendation software.

According to the complaint "Netflix subscribers’ movie rental choices constitute personal information that subscribers reasonably expect will be treated as presumptively confidential and that their relationships with Netflix are relationships of confidentiality. Netflix has been entrusted with the confidential, sensitive, and personal information of millions of consumers.”

What is personal information? According to Netflix privacy policy: “Personal information means information that can be used to identify and contact you . . . as well as other information when such information is combined with your personal information.”

This point is interesting, as many pieces of information can become personal information, if there is a way to combine them with information that can be used to identify a person, most of the time a name or an address, but also in some cases a title (CEO of Microsoft, Secretary of the PTA of PS 2349 Pleasantville, IL). It is so easy nowadays to link databases that virtually every information may become, at any given time, a personal information.

One of the argument of the complaint is that “ Netflix was attempting to play a semantics game—“personal” information meaning pertaining to or concerning a particular person; however personal information is not limited to a Netflix subscriber’s name. Netflix subscribers reasonably believe that no record would be released showing that they watched a dogmatic, controversial, or sexually explicit show, regardless of whether their actual name is known.”

The notion of personal information goes way beyond the mere name of an individual. Netflix indeed disclosed the personal information of its subscribers “to over 51,000 individuals.”

A very interesting point in the complaint is the claim that Netflix has been unjustly enriched by this scheme, firstly because it has “benefited from its unlawful acts through the receipt of payments for Internet service from Plaintiffs" and secondly because it “continues to benefit from [its] unlawful acts through the receipt of payments in connection with its proprietary search engine, which continues to index websites associated with the subscriber data. (…) Plaintiffs are entitled to the establishment of a constructive trust consisting of the benefit to Netflix of such payments from which Plaintiffs and members of the Classes may make claims on a pro-rata basis for restitution."

The first part of the unjust enrichment argument, the receipt of payments for Internet service from Plaintiffs is not as strong as the second part of the argument, the receipt of payments in connection with the search engine. The way I understand both arguments is that Netflix benefited from the users' fees, and rightfully so, until the moment it disclosed unlawfully their personal information. After that, these fees were somehow the product of its unlawful acts. But Netflix continued to provide their rental services, and was entitled to collect fees for that service.
The second argument is much stronger. Netflix benefited unjustly from the value represented by its users' data. Most consumers still fail to realize that their personal data are very valuable, so much that it has a market value. Their shopping habits are sold by retailers to marketers.

In Dwyer v. American Express Co., 273 Ill. App. 3d 742, (Ill. App. Ct. 1st Dist. 1995), the court held that Amex did not commercially appropriate its cardholder’s personal spending habits. In that case, the plaintiffs also claimed that these actions constituted a deceptive practice claim under the Illinois Consumer Fraud Act. The plaintiff had to prove that these practices constituted a misrepresentation or a concealment of material fact, that it was the defendant’s intent that the plaintiff relies on this misrepresentation or concealment, and that the deception had occurred in the course of trade or commerce. Amex had not informed the cardholders that their spending habits would be analyzed and their names sold to merchants, and this is a deceptive practice under the Illinois Consumer Fraud Statute. However, the court held that the plaintiffs had failed to allege that they suffered any damages, except maybe for “a surfeit of unwanted mail.”

In the Netflix case, it could be easier to prove damages, because Jane Doe, one of the plaintiffs, "believes that, were her sexual orientation public knowledge, it would negatively affect her ability to pursue her livelihood and support her family and would hinder her and her children’s’ ability to live peaceful lives within Plaintiff Doe’s community.”