BIPA lawsuit against United quashed and new suits filed as harm criteria is clarified
A potential class action suit filed by a former employee of United Airlines under Illinois’ Biometric Information Privacy Act (BIPA) has been thrown out by an Illinois federal judge, who ruled the collective bargaining agreement pre-empts the claims, and that the violation is a simple statutory matter, with no sufficient injury established, Law360 reports.
The suit was brought by former United baggage handler David Johnson, on grounds that his consent was not obtained for storing his fingerprint as part of a time and attendance system, and that United did not explain its storage and disposal procedures. U.S. District Judge Virginia Kendall accepted the airline’s argument that because the dispute involves interpretation of the CBA, the Railway Labor Act requires it to be addressed through arbitration.
“In exercising these CBA rights, United opted for a timekeeping system utilizing fingerprint technology that they implemented over five years ago,” she wrote in the ruling, according to Law360. “Thus, any challenge to the use of fingerprints as a means of managing the efficiency of its business and workforces at its company locations would, at the very least, require interpretation of the CBA to determine whether it falls within its scope, and further the grievance process spelled out within [the CBA].”
The CBA the workers have with the airline as part of the International Association of Machinists and Aerospace Workers sets out a grievance and arbitration process and gives United the right to determine how to manage its workforce, according to the ruling.
Judge Kendall also said that precedence set in two other Northern District of Illinois suits is that disclosure of the information, which has not been established in this case, causes injury under BIPA, while notice and consent violations on their own do not.
Proposed class action BIPA suits have also been filed against Southwest Airlines and Loews Chicago Hotel, Law360 reports, with allegations in both cases of improper handling of fingerprint data for time and attendance systems.
In both cases, the plaintiffs allege that they were not informed how or when their biometric data would be destroyed, or that it would be shared with a third party for processing, Kronos in the case of Southwest and Automatic Data Processing in the case of Loews. An Illinois federal judge ruled in May in a similar suit brought by the law firm representing the plaintiffs in both the Southwest and Loews cases, Stephan Zouras LLP, that the uninformed disclosure of employee’s biometric information for processing purposes creates sufficient injury to establishing standing, and denied a request to throw it out.
The same law firm is also representing employees in suits filed against Holiday Inn in April, and Crate & Barrel in July.
The suits against Southwest and Loews also both allege that the behavior of their employers creates a privacy risk in the event of a data breach, and cites hacks against Aadhaar and the U.S. Office of Personnel Management as evidence that criminals target biometric databases.
What constitutes injury is one of the key points of contention in a currently ongoing lawsuit against Facebook.