OneTrust_Square Banner_300x250_DD_ROS_01_19

VIEWPOINT: New Wave of Class Action Privacy Litigation Loses Some of Its Momentum

Lucy L. Thomson, Esquire, CIPP/G

In a ruling that has the potential effect of nullifying a Web site's privacy policy and rewriting the e-discovery rules for litigation, a federal court has ordered Web site owners to capture in audit logs and produce information about users who had searched for or downloaded certain software.

The case involves a lawsuit alleging copyright infringement filed by the motion picture studios Columbia Pictures Industries against the owners of Torrentspy, a Web site that made file- sharing software available to users to download copies of movies and other materials. The complaint alleges that the Web site enables, encourages and profits from "massive online piracy of plaintiffs' copyrighted works through the operation of their Internet Web site." The Web site makes "dot-torrent" files available to users, software that facilitates downloading of files through peer-to-peer file-sharing.

In a discovery dispute, a federal magistrate judge has issued a decision that may significantly alter the ability of Web sites to protect the privacy of its users. The Torrentspy privacy policy published on its Web site explicitly stated that the site "will not collect any personal information about you [the user] except when you [the user] specifically and knowingly provide such information." While the site reserved the right at any time to modify or update the policy, the policy stated that it would the changes so that users are always aware of what information the site collects, how the information is used, and under what circumstances the information is disclosed."

The data went through and was stored temporarily in the Random Access Memory (RAM) of defendants' Web server for approximately six hours. Logging information about Web site users was contrary to the Web site's privacy policy and not part of its business operations. The logging functionality of the Web server used to operate the Web site had not been enabled. Defendants testified at a hearing that logging is "not necessary to, or part of defendants' business operations."

The decision presents a number of difficult issues that privacy professionals must now consider when drafting an organization's privacy policy. It should be noted that the court rejected the defendant's arguments about the privacy of users based on the Web site's privacy policy, the First Amendment, and multiple federal statutes. As the court's reasoning illustrates, it is critically important to be explicit about what the privacy policy covers, particularly the technical aspects of the operation of the Web site. Excerpts from the court's findings set forth below with respect to privacy are illustrative:

  • "Defendants cannot insulate themselves from complying with their legal obligations to preserve and produce relevant information within their possession, custody or control and responsive to proper discovery requests, by reliance on a privacy policy -the terms of which are entirely within defendant's control."
  • The magistrate judge observed that it is not clear that defendants' current privacy policy actually prohibits the retention and production of the Server Log Data. Defendants have presented no evidence as to whether or how the term "personal information" is defined in the privacy policy. "As an IP address identifies a computer, rather than a specific user of a computer, it is not clear that IP addresses, let alone the other components of the Server Log Data in issue, are encompassed by the term 'personal information' in defendants' privacy policy." Only an Internet Service Provider can link a particular IP address to an individual subscriber.
  • On appeal, the district court emphasized that the privacy interests of defendants' users "are, at best, limited," adding that to the extent the users are engaged in copyright infringement, the First Amendment affords them no protection whatsoever." That court further noted that "because users openly disclosed their IP addresses as part of the BitTorrent file transfer process, the Court is not persuaded … that the retention of the IP addresses of users who obtain dot-torrent files from defendant's website will "chill" their speech."
  • The magistrate judge emphasized that plaintiffs did not request the names or other identifying information about Web site users. As a practical matter, the court issued a protective order to ensure that the information about users is anonymous (users'IP addresses were masked or encrypted); therefore the court concluded that users' privacy and First Amendment rights were not violated.

Similarly, the case presents complex and far-reaching issues for litigators and experts responsible for drafting technical contracts and agreements. At issue in the litigation was a technical interpretation of Rule 34(a) of the Federal Rules of Civil Procedure, which provides for the discovery of documents or electronically stored information - "including writings, drawings, graphs, charts, photographs, sound recordings, images, and other data or data compilations stored in any medium from which information can be obtained." The court addressed several novel and complex issues and questions.

  • Is the data "electronically stored information" within the meaning of Fed .R.Civ.P. 34(a)? In affirming the magistrate's decision, the district court held that with respect to obtaining data from RAM, "Rule 34 requires no greater degree of permanency from a medium than that which makes obtaining data possible."
  • Does this decision require defendants to create data for discovery? Does the court's decision that defendants must capture in audit logs, store and produce information about users who had searched for or downloaded certain software, amount to an order to create new data, particularly in light of the fact that logging information about Web site users was contrary to the Web site's privacy policy and not part of its business operations?
  • Does the decision change the requirements for data retention and disposition? Traditionally, courts have required entities in litigation to preserve potentially relevant information by not deleting or destroying it. In this decision, defendants were affirmatively required to take steps to capture and store transactions they did not previously retain or want for their business operations.
  • Was the data in RAM within the "possession, custody or control" of defendants? Of particular significance to the court was the fact that the Web site owners entered into a contract with a third party to operate their Web server. The court found that because of this contractual relationship, the information in RAM is "within defendants' possession, custody or control by virtue of defendants' ability to manipulate at will how the data in issue is routed."

The Electronic Frontier Foundation (EFF) and the Center for Democracy & Technology filed an amicus brief in the appeal before the federal district court "to overturn a dangerous ruling that would require an Internet search engine to create and store logs of its user activities." EFF pointed out that the decision would undermine the right to read and speak anonymously online.

In a June 25, 2007 press release, EFF staff attorney Corynne McSherry issued a statement. "This unprecedented ruling has implications well beyond the file sharing," McSherry said. "Giving litigants the power to rewrite their opponent's privacy policies poses a risk to all Internet users." (Available at www.eff.org/ legal/cases/torrentspy/EFF_amicus.pdf.)

The EFF brief noted the far-reaching effect this decision could have on the technology operations of organizations: "This decision could reach every function carried out by a digital device. Every keystroke at a computer keyboard, for example, is temporarily held in RAM, even if it is immediately deleted and never saved. Similarly, digital telephone systems make recordings of every conversation, moment by moment, in RAM."

On appeal, the magistrate's decision was affirmed by the United States District Court for the Central District of California. Following these federal court decisions, Torrentspy changed its Web site and posted the following notice to users:

Torrentspy Acts to Protect Privacy

"Sorry, but because you are located in the USA you cannot use the search features of the Torrentspy.com website. Torrentspy's decision to stop accepting US visitors was NOT compelled by any Court but rather an uncertain legal climate in the US regarding user privacy and an apparent tension between US and European Union privacy laws."
(See www.torrentspy.com/US_ Privacy.asp.)

No doubt contrary positions to those decided in the Central District of California will be put forth in future cases in other federal courts. In light of these decisions, businesses should carefully document their business model with respect to the collection and use of data and information, and develop a data management and data retention plan. A longstanding tenet of discovery is that organizations from which discovery is sought are not required to create data that does not otherwise exist. Advance planning and coordination among privacy professionals, IT and document management experts, and legal counsel, are required to avoid adverse rulings while cases such as this one are being litigated. The case is Columbia Pictures Industries v. Bunnell, No. 06-cv-01093 FMC-JCx (C.D. Calif. August 24, 2007).

Lucy Thomson, CIPP/G, is a Senior Principal Engineer, Information Security, and Privacy Advocate at Computer Sciences Corporation (CSC), a global IT company, where she works on teams building information systems for large organizations. She was appointed Consumer Privacy Ombudsman by two federal courts to oversee the sale of sensitive electronic consumer records in bankruptcy cases. A career U.S. Department of Justice attorney from 1977-2001 and a former criminal prosecutor, she has extensive experience as both a litigator in complex federal civil and criminal cases and as an expert in new technology and electronic discovery. She earned an M.S. degree from Rensselaer Polytechnic Institute in 2001, and her J.D. degree from Georgetown University Law Center.


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

The Privacy Core™ Library Has Evolved

Privacy Core™ e-learning essentials just expanded to include seven new units for marketers. Keep your data safe and your staff in the know!

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

Upcoming Web Conferences

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Team

Get your team up to speed on privacy by bringing IAPP training to your organization.

Let’s Get You DPO Ready

There’s no better time to train than right now! We have all the resources you need to meet the challenges of the GDPR.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.


The IAPP’S CIPP/E and CIPM are the ANSI/ISO-accredited, industry-recognized combination for DPO readiness. Learn more today.

Learn more about IAPP certification »

Are You Ready for the GDPR?

Check out the IAPP's EU Data Protection Reform page for all the tools and resources you need.

IAPP-OneTrust PIA Platform

New U.S. Government Agency privacy impact assessments - free to IAPP members!

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

Privacy Vendor List

Find a privacy vendor to meet your needs with our filterable list of global service providers.

More Resources »

Europe Data Protection Intensive 2017

The Intensive is sold out! But cancellations do happen—so hurry and get on the wait list in case more seats become available.

Global Privacy Summit 2017

The world’s premier privacy conference returns with the sharpest minds, unparalleled programs and preeminent networking opportunities.

Canada Privacy Symposium 2017

The Symposium returns to Toronto this spring and registration has opened! Take advantage of Early Bird rates and join your fellow privacy pros for another stellar program.

The Privacy Bar Section Forum 2017

The Privacy Bar Section Forum is sold out! But you can still add your name to the wait list, and we'll keep in touch about your status. Good luck!

Asia Privacy Forum 2017

Call for Speakers open! Join the Forum in Singapore for exclusive networking and intensive education on data protection trends and challenges in the Asia Pacific region.

Privacy. Security. Risk. 2017

Call for Speakers open! This year, we're bringing P.S.R. to San Diego. Submit today and be a part of something big! Submission deadline: February 26.

Europe Data Protection Congress 2017

Call for Speakers open! The Congress is your source for European policy debate, multi-level strategic thinking and thought-provoking discussion. Submit a proposal by March 19.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»