High-end headphone and speaker manufacturer Bose has found itself on the receiving end of a class action lawsuit in Illinois over the way in which it collects and processes personal data.
The plaintiff, Kyle Zak, alleges that Bose secretly collected, transmitted and disclosed its customers’ private music and audio selections to third parties, including a data mining company called Segment.io. The data was collected via the free Bose Connect app, which connects to Bose headphone products over Bluetooth. Mr Zak states that he paid $350 for his headphones before registering for the app in order to receive confirmation of ownership and important product updates. He did not, however, appreciate that in doing so he would be allowing Bose to collect, monitor and share his data.
The complaint notes that personal listening habits – both in terms of musical genres and podcast topics – say a lot about an individual’s personality, behaviour, political views and personal identity. Mr Zak, representing “tens of thousands of individuals”, accuses Bose of demonstrating a “wholesale disregard for consumer privacy rights” and claims that it has breached federal and state laws on wiretapping (interception of electronic communications), eavesdropping, deceptive business practices and ‘intrusion upon seclusion’. This, he claims, caused “mental anguish and suffering in the form of anxiety and concern regarding the safety and whereabouts of [users’] media information”.
The total value of the claim is not specified in the complaint; however, it will exceed $5 million. The complaint suggests that Bose has been unjustly enriched as a result of its conduct and that “principles of equity and good conscience require Bose to return the purchase price of the Bose Wireless Products [to consumers of the products].”
Position under UK law
If this complaint were made in the UK, it would likely be investigated in the first instance by the UK’s data protection regulator, the Information Commissioner’s Office (ICO). The ICO has a number of weapons in its arsenal when it comes to investigating breaches of the Data Protection Act 1998 (DPA) and can levy fines of up to £500,000 for the most serious breaches. To date, the largest fine in the UK has been £400,000, which was issued to TalkTalk following its 2016 hack, which we have written about previously. Given that the personal data in the Bose case may have included ‘sensitive personal data’ about users, such as information about their sexual preferences and political views, it is possible that any fine levied by the ICO in this case could be at the upper end of the scale.
In terms of court action, while the UK does not have as complex a matrix of privacy laws as the USA, it is possible to bring a claim for “substantial damage or distress” under the DPA and a claim under the tort of ‘misuse of private information’, where it can be proved that the claimant “had a reasonable expectation of privacy”.
Position under the GDPR
On 25 May 2018, the DPA will be replaced by the European General Data Protection Regulation (GDPR), which will be directly applicable in all EU member states including the UK (at least until the UK leaves the EU). While transparency is a key part of complying with the DPA, it is a central feature of the GDPR which provides:
“Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’)” (Article 5(1))
“It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used.” (Recital 39)
If Mr Zak were to bring his claim in the UK or any other EU member state under the GDPR, this would likely be the central part of his claim. Bose may also have a tough time satisfying any court or regulator that it is able to demonstrate accountability under the GDPR through “the implementation of appropriate data protection policies”.
The GDPR also advocates a ‘privacy by design and privacy by default’ approach towards the development of products, which means baking compliance with the GDPR and its obligations into the design and development process.
This is the latest in a string of complaints about the way in which Internet of Things (IoT) devices are being used to leverage Big Data opportunities without giving due consideration to user privacy. It will be interesting to follow the outcome of the Bose lawsuit, though it is possible that the claim may be settled out of court. In any event, the reputational harm caused to the Bose brand will likely exceed the amount of any damages or settlement and will certainly require Bose to review its data processing practices.
If you are designing or developing new products or services that involve the collection of personally identifiable information, we can help. We will work with you to assess the privacy risks and implement risk mitigation strategies which aim to reconcile your need to collect and process data for commercial purposes while respecting the privacy of your users and complying with your data protection obligation