Ian Ballon | A preview of the year to come in internet law

BCLT Expert Series podcast logo

The litigation risks around data and privacy management continue to grow. Evolving class-action strategies, statutory damages, and new state laws create even more risks. Ian Ballon identifies a few of the biggest issues that we should be looking for in the next 12 months.

Episode Transcript


Ian Ballon, Wayne Stacy


Wayne Stacy  00:00

Welcome, everyone to the Berkeley Center for Law and Technology’s Expert Series Podcast. I’m your host, Wayne Stacy, the Executive Director of BCLT. And today we’re here to talk about what types of legal issues we should be thinking about when it comes to the internet. And today, we have Ian Ballon, from Greenberg, with, as many of you may know, Ian, he is one of the world’s leading experts when it comes to internet law. It probably that’s not an overstatement, he may be the world’s leading expert. He’s not the leading expert, at least in the top three or four. But what we know about Ian is that he’s got incredibly broad practice. He’s the Global Intellectual Property and Technology Practice Group lead at Greenberg, which is an enormous group. But what he brings to us is this breadth of knowledge about what we should be thinking about across internet law as a whole. So no matter what particular area you’re in, Ian should have a little bit of input that you need to know today. So Ian with that, I wanted to say thank you for joining us.


Ian Ballon  01:06

Well, thank you. Thank you for that very generous introduction. You’re very– You’re too kind.


Wayne Stacy  01:13

Well, tell your friends because other people that litigated against me for years have never said that about me so well, well, and we get I wanted to kind of showcase this Brett today and run through a grab bag of questions that people should be should be thinking about. So some of these don’t necessarily relate to the question before. But let’s just just run through a few things. So one of the issues that I’ve been looking at is the case act and voluntary copyright arbitration arbitration. So, you know, tell us what you think about the impact on that, should we be looking at it, studying it worrying about it?


Ian Ballon  01:52

I think it’s really important for companies to to prepare for it because it is very much an under the radar issue. Everyone talks about how case act arbitration is voluntary. And so I think a lot of companies really aren’t paying much attention. Because if it’s voluntary, you can think about it when you need to. But it’s only voluntary, if you don’t opt out. So this is I think, one of the places where companies are going to run into trouble, which is if you are duly served with a case at complaint, you have 60 days to opt out, otherwise it’s going to be binding. And I think it is important for companies to determine whether they want to be involved in case ACC proceedings or don’t. There are three types of claims that can be brought one is infringement. One is non infringement, essentially, like declaratory relief, and one is for sanctions for misrepresentation in connection with a notification or counter notification under Section 512 F of the DMCA. So I think we will see a lot of complaints, particularly from individual copyright owners, as we know, the largest number of copyright cases filed in the federal system these days are brought by individual photographers, many of whom are referred to as copyright trolls. And for for, for many the opportunity to have a proceeding where they don’t need counsel, and where you can recover up to $30,000 in damages, and up to $5,000 in attorneys fees, if you do have an attorney, you know, will seem appealing. And similarly, you know, for a number of companies there are you know, there are going to be instances where they really aren’t going to want to have that kind of proceeding. And opting out, you know, may result in in the dispute going away, because the complainant may not choose to file a federal court suit. But the other place where I think companies really need to pay attention is for Internet intermediaries for service providers, because first of all service providers themselves and users can bring 512 F proceeding. So I think there’s going to be a lot more claims for sanctions for material misrepresentations in connection with notifications and counter notifications under the DMCA. And I think it will also be a situation where copyright owners may want to use the case act as a relatively inexpensive way to get material offline in instances where a user submits a counter notification, because under the counter notification procedures, if a user submits a counter notification, the material will go back online unless the copyright owner file suit. And this may provide a cheaper mechanism for a copyright owner to simply file a case ag complaint to keep the material offline and then get a more inexpensive adjudication.


Wayne Stacy  04:51

So Ian, how will we see this progress over over the first 12 months to get enough data to actually make decisions? What should be we be looking for?


Ian Ballon  05:01

Well, I think I think you need to look at the rules and consider what type of cases for your law department, would you ever want to, you know, to bring and and I gave some examples, you know, a copyright owner might prefer to bring a case Act claim. You know, rather than filing a lawsuit, if it’s just a dispute with an individual, you know, over a particular piece of content in response to counter notification, for most companies, they they, you know, may not want to be in case act proceedings at all, the corporate office has until June of 2022. To implement this arbitration, they’ve indicated that it will go live by June at the latest. So it could come online sooner. But I do think companies need to think about it, it’s very important, whoever is monitoring notices that are sent to resident agents for processes for service a process to be very attentive to these claims, because a lot of times companies get letters and other things sent to resident agents. And they don’t process them the way they would a complaint in the lawsuit, which is time sensitive. And here you have 60 days to opt out. So on day 61, you’re going to be bound by this proceeding. And you may not want that to be the case.


Wayne Stacy  06:24

Well, as we move forward to a couple of different issues, class actions seem to be in the news a lot, especially CCPA class actions. But kind of just more broadly, when you look at all cybersecurity and privacy class action litigation, what’s going on with those these days?


Ian Ballon  06:44

Sure, you know, I defend a lot of data privacy, ad tech, and cybersecurity breach class action suits. And there are there are a lot of developments in both areas. In the cybersecurity breach area. You know, one of them is the Supreme Court’s decision in TransUnion v Ramirez, which again tightens the standards for standing in federal court lawsuits. And actually, in that case, the Supreme Court narrowed the construction of clapper which was an earlier standing case, there’s presently a fairly pronounced circuit split on the issue of standing and cybersecurity breach cases where there isn’t an out of pocket monetary loss. And some circuits will allow standing just based on, you know, time and inconvenience and other circuits will not and have a stricter standard, which I think is closer to to what the the current more conservative US Supreme Court would, would adopt. So TransUnion, again, continues to push the needle, you know, in that direction, making it you know, more difficult for plaintiffs to bring claims in federal court. And that’s generally helpful for companies because plaintiff’s counsel often don’t want to bring lawsuits where there’s really no monetary harm in state court, their endgame is trying to survive a motion to dismiss in some fashion. So they can try to get a settlement on a nationwide basis and a state court action. If it’s a cybersecurity breach case, and if there’s no claim for statutory damages, you know, they’re less interesting to bring for for claims that are based on statutory damages, Plaintiffs lawyers may be just as happy to be in state courts such as, for example, the cybersecurity breach putative class action suit under the CCPA or as of January 120 23, and of the CPRA. And, for example, also in the privacy area, under the Illinois biometric Information Privacy Act. In fact, in federal court in Illinois now, we see the the anomalous situation of defendants remove removing cases to federal court, and and the plaintiffs are the ones arguing there’s no Article Three standing, and the defendants are the ones arguing that there is standing so at least in in the Illinois biometric information Act cases where there is the potential for large statutory damage awards, and we’re playing this very much want to be in state court, we see. You know, we see that that back and forth a tussle in the ad tech area. There have been a large number of lawsuits filed in the past year, involving replay software, the various different technologies that will replay actions on a website, essentially optimization software to help companies figure out where content shouldn’t be more prominent if people are repeatedly keep clicking multiple links to get to particular content, it probably should be more easily accessed or highlighting dead links or other errors on the website. But some innovative plaintiff’s counsel concluded that this that these kinds of programs, violated wiretap laws under California, Florida and some other state laws. And so there have been a large number of those brought in California, and in Florida. And now the courts are scaling those back, I’ve successfully resolved a number of them. And I have one that I transferred from California to Delaware. And we’re waiting for a ruling on it. But to a large extent, that’s very typical of what we’ve seen in the data privacy area, over the last 12 years, where there’ll be a new issue a new piece of technology, a new type of software, where the class action lawyers or their investigators will see some angle that they can try to exploit under state or federal law, there will be a bunch of cases filed that a bunch of copycat cases, and then courts will scale things back. So that’s been, you know, a big a big development. Also in the cybersecurity area, one thing that I’ve I’ve noticed is that there are fewer MDL actions. You know, 10 years ago, maybe, maybe even six years ago, it was more common if there was a cybersecurity breach, that many lawsuits would be filed, and then they would be consolidated. You know, when I represented one of the phone manufacturers in the carrier IQ class action litigation, there were 70 separate lawsuits that were filed around the country, before they were consolidated, in front of one judge in in the Northern District of California. And today, you don’t see as many cases filed, and MDL certification may not always be the right, the right approach. I had a case in 2021, where we, my client was sued in seven different lawsuits in California and Texas. And I successfully opposed MDL certification, and, you know, convinced the multi district litigation panel not to consolidate these seven cases in San Diego, and then we were successful one by one in getting the California cases moved to Texas. And that is one of the interesting aspects of CCPA litigation, frankly, is there have been a lot of cases filed, not all of them are in California, they they do need to be brought by California residents, you can’t be a resident of another state to bring a claim under the CCPA. But those cases can be litigated anywhere. And there are a number of ways to chip away at those kinds of claims. Some of the elements of the statute are very fact intensive, and can only be resolved at trial. And honestly, I think this has been very helpful. I found this a very helpful tool in convincing plaintiffs to either not bring or drop or settle on, you know, lower dollar numbers than one might expect CCPA claims, because even though a plaintiff potentially can recover up to $700 per alleged violation, there are a lot of hoops that a plaintiff needs to jump through, including showing that that that the breach was a result of a violation of the duty to implement and maintain reasonable security procedures and practices and for plaintiff to show that that’s a hard thing to do on summary judgment, they really would have to go all the way to trial. But there are actually many hoops. In my treatise, I list six basic elements of the CCPA claim. There are some cases that have dismissed CCPA claims. I’ve defended a number of CCPA claims that really aren’t CCPA claims. The plaintiffs want them to be CCPA claims because they then get press coverage. But there actually are a lot of elements of the statute. And plaintiffs also make mistakes. You have to submit. You have to you have to give a defendant a an opportunity to cure with a 30 day advance notice to get damages. Plaintiffs gum that up frankly, sometimes defendants gum that up, I took over a case where a lawyer concluded that it wasn’t worth responding. And so they just never responded to that 30 Day letter. I think that’s a tactical mistake, because there’s almost always something you can say and then it it off, it almost always will become a fact issue in the litigation. But, you know, as you mentioned at the outset, there’s a lot going on the data privacy and cybersecurity breach here. Cybersecurity breach. Defense is becoming a little bit more commoditized. These days, a lot of the insurance companies are pushing things down. Data privacy cases are still, you know, very unique, very, very complicated. And of course, there also are very complex privilege issues in cybersecurity breach cases, when there’s a breach, you know, locking that any investigation down and making sure it’s privileged is quite complicated because there’s a split in the circuits on work product protection. And there are, there’s some unfavorable attorney client rules there. I have some some angles to keep things confidential, but it is something that’s very hotly litigated in, in literally almost every cybersecurity breach that I’ve had in the last year ever since a 2020. ruling out of the Eastern District of Virginia, compelling production of a forensic report, since that time in every single cybersecurity breach case, the class action lawyers litigate privilege issues, litigate privilege logs, it’s it’s de rigueur these days.


Wayne Stacy  16:11

Well, and it seems maybe adding to this level of complexity and what people need to know is new states coming online with with new rules, and always a little tweak from the state right before them. Nobody’s exactly going to do what anybody else did. What’s the old saying? You put four lawyers in a room, you get five opinions? Tell me, you tell us about Virginia, Colorado and what you expect out of that?


Ian Ballon  16:38

Yeah, no, that’s very insightful. That is the problem is you have too many smart lawyers, and state legislators. And so they always look at the law passed by the last legislature and just, you know, change a few words here or there. And you saw that, I mean, you see that really, in the security breach notification laws where there’s just every year, there’s another new minor variation, it, it really is terrible for those of us who have to update treatises, updating the security breach notification state laws is always the most tedious and torturous each year, year in and year out. But you reference two very important laws, which actually are not cookie cutter, the laws are there, the Colorado and Virginia laws. Virginia, looked at the CPRA, which takes effect in California, January 2023, and is essentially an updated version of the CCPA. And also looked at the GDPR. And came up with something, you know, similar but a little bit different. And so this is what Virginia did. And then Colorado to a large extent, followed on on Virginia and follow the Virginia model with a few tweaks here or there. But what those laws do is they adopt the European concepts of data processors and data controllers, which is again going to be more comfortable for people, you know, who operate in that environment, it’s a different approach, then what you have under the CPRA. And so they have their laws that take effect. And at the margin, you know, particularly for those involved in internet advertising, you know, each of these new laws raise, you know, new complexities. The good thing that I will say about the Virginia and the Colorado laws, there is no private right of action enforcement is solely by the Attorney General. And, you know, it may sound strange for a litigator to say it’s a good thing. We don’t have more litigation. But I, you know, I always try to think of my clients best interest. And so I’m talking from a public policy perspective. I think it is better to have only regulatory enforcement. And the enforcement will be by the Attorney General of each state in California, we now have the cppa, which is the FTC like regulatory body that under the CPRA will be not just engaged in rulemaking, but also engaged in enforcement action. So you’ve got a government agency independent agency with an independent budget that is going to enforce the CP ra the way the FTC enforces capa or gramm leach Bliley, and so you’re more likely to have a lot more regulation, a lot more litigation. Neither Virginia nor Colorado, have set up a separate agency. There will be regulations under Virginia. But again, there’s no agency. All of this, of course really cries out for a federal law that would preempt state laws and and not allow a private cause of action. Whether we will get such a law remains to be seen. You know, I lived in Washington DC for six years, which was long enough to convince me that I should never predict What what Congress can or will do? It seems to be having a difficult time getting almost anything passed. But we’re 2022 is an election year. And privacy is one of those free issues that make almost any incumbent look good running for reelection saying they did something to protect privacy. So maybe, but the open issues are, you know, will it preempt state law? Or will it just be another layer of regulation? And will it? Will it preempt any private cause of action? Or will it just give class action litigators even more to work with? And, oh, you know, all of those are to be determined.


Wayne Stacy  20:41

So, you know, I’m willing to go out on a scary limb here and say that nothing’s gonna change before summer.


Ian Ballon  20:47

I think I think that that, that is quite reasonable, although, you know, the conventional wisdom used to be that anything that’s going to get done and needs to get done by June before an election year now, I think it’s September. But you know, who knows?


Wayne Stacy  21:06

Well, I’m going to take all that and put it in a, into a single sector to talk about and it’s a broad term AI, machine learning, however you want to want to view it. But all of these laws on data management directly impact the ability to build products to develop new products. I mean, we saw ClearView take a beating in Illinois. What do you what do you think people should be considering and watching either policy wise or law wise? If they’re looking at AI and machine learning tools going forward?


Ian Ballon  21:39

Yeah. Well, I mean, that’s a great question. You know, one thing that is a little bit under the radar is the Federal Trade Commission is likely to engage in rulemaking in 2020, to actually as early as February 2022, there was a little notice, notice, that was published towards the end of the year and 2021, indicating an intention to begin rulemaking, and the rulemaking is likely to focus more on the privacy side, then, then then data ownership, and probably more specifically, on issues of discrimination. You know, the fact that that an algorithm is only as good as the test data used to train it. And there have been some fairly famous cases where, for example, in terms of predicting credit worthiness, where where algorithms reinforced racial stereotypes, because the data reflected, you know, great Greenlining in loans and things of that nature. And so the fact that for decades, people who were not white were discriminated against particularly African Americans. The data reflected that, and then the AI was trained to, to to aggravate that. And obviously those you know, people who work as AI developers are well aware of these problems. But it sounds like the FTC is going to be issuing some rulemaking around that in the ownership area. You know, who owns the data? And can it be freely used? In addition to the privacy issues? There are really the smorgasbord of remedies available for for people who own the data for database owners, that companies that want to legitimately access and use data for, for training purposes have to consider and it really it really is a smorgasbord. It’s a copyright act, Lanham Act, common law, trespass, unfair competition, anti circumvention provisions of the DMCA, the you know, there are many, many different kinds of cases that can can be applied. I’ve, I’ve litigated scraping cases, going back to the 90s. And, you know, I always tell clients, you really have to look at the facts very, very carefully. Because, you know, with the smorgasbord of remedies, for example, under the anti circumvention provisions of the DMCA if someone accesses publicly available information that is freely available, maybe not even copyrighted. If they do it the wrong way. There’s a circuit split in some circuits, it still could be an anti circumvention violation. You know, copyright obviously protects an entire database, but if only individual facts are copied, we know under ffice, back to not protectable. But there can be proper protection for a company So, you know, companies need to look at it in terms of, you know, what are the high dollar risks, that’s probably the Copyright Act because of statutory damages, the anti circumvention provisions and the copyright management information provisions of the Digital Millennium Copyright Act. You know, and then there are the claims that are most likely to succeed, breach of contract. You know, if there’s any Terms of Use violation, for example, major ference with contract many of those other kinds of claims, but it’s, you know, it really is, you know, as a complicated thing for companies to think through if they’re either trying to protect their data, or trying to access data, so that they can, you know, better train their, their algorithms. And, of course, in the privacy area, the European Union’s already, you know, already trying to actively regulate through the GDPR, what can be done with information. So, these are issues not just to consider the United States, but internationally. And, you know, I’ve seen in a lot of instances when companies are dealing with with use of data that it does often involve companies in multiple countries.


Wayne Stacy  26:14

So even if I can take you to litigator hat off for a minute and turn you into a corporate lawyer, on these issues of data portability, if we’re looking at acquiring partnering with doing joint ventures with companies that are AI, ml, based companies, big datasets, how do you know that your your partner or your acquisition target, did things correctly? What kind of diligence items should you be thinking about? So you don’t end up in an Ian’s office hiring a litigator? And?


Ian Ballon  26:52

You know, that’s actually a great question. And I have advised some clients in connection with acquisitions, because they, you know, the range of issues is so broad that it really does, it is helpful to have sort of the practical view of how these things actually play out in litigation. Because, you know, it can be tempting to look at something and say, Well, this is what copyright law provides. So there’s no issue. But you know, Wayne is, you know, as a litigator, I mean, you know, there’s no issue, but you still may need to spend two years before you win on summary judgment, on the no issue. And so the question is, you know, is that is that money you want to hold back? You know, and, you know, things, things of that nature? But, yeah, you really have to, if you’re doing due diligence, you really have to go sort of robotically in the chapter in my treatise on database protection, screen scraping and data portability for AI, I have a checklist of issues, you know, to look at, and, and if any of those are issues relate to the particular company under consideration, you do need to drill down, and sometimes you just don’t know, I mean, the reality is, and as a litigator, this is something I’ve always observed, you know, litigation, you know, is, you know, away from, from from litigating in discovery, you know, you can look at almost anything you want, unless, say, you know, unless the other side can get a protective order to, you know, to block it, but you have very broad discovery. And you don’t have that when you’re doing due diligence, you know, you have reps and warranties, you can only look under the hood. To some extent, one of the things that I’ve always been struck by when I’m talking to companies that are looking at acquisitions is, you know, you just don’t know what employees have said, in email and slack in text and voicemail and other things that come out in litigation, that may be quite different from what they’re telling you in the context of a transaction. So this is definitely not an area to skip over in for due diligence.


Wayne Stacy  28:53

All it sounds like Todd has its own own program to dig into to this little bit deeper in the future. Well, Ian, I want to thank you for joining us today. Obviously, we can only only identify the topics can’t get too deeply into that many. But this is a great list for people to start with. So thank you.


Ian Ballon  29:15

Oh, it’s my pleasure. And you know, if any of your listeners are interested, they should feel free to reach out to me by email or other means, and I’m happy to send them some free excerpts from my treatise on any of the topics we discussed today. 


Wayne Stacy  29:29

Perfect. Well, thank you, Ian.