This week the Judicial Panel on Multidistrict Litigation (“JPML”) ordered the creation of two massive data privacy multidistrict litigations (“MDLs”), in a move that will have significant impact on the data privacy litigation landscape in 2021.  The litigations, concerning claims brought against Clearview AI and Blackbaud Inc., are now headed to federal courts in Illinois and South Carolina for consolidated proceedings.  In re Blackbaud, Inc., 2020 U.S. Dist. LEXIS 236057 (JPML Dec. 15, 2020); In re Clearview AI Inc., 2020 U.S. Dist. LEXIS 236053 (JPML Dec. 15, 2020).

MDLs are a way of handling multiple civil actions at once, and can be formed when separate actions in different federal district courts share a common question of fact.  28 U.S.C. Section 1407(a).  On a motion filed by either party, those separate actions can be flagged to the JPML.  The JPML then decides whether the litigations should be consolidated and transferred into one federal court for consolidated pretrial proceedings.  [Note: Don’t assume that just because a party requests formation of a MDL it will happen.  The JPML denies the majority of such motions, although data breach MDLs are becoming increasingly common].  MDLs are generally formed to address complex legal matters.  They differ from class actions because while a class action is one lawsuit brought on behalf of a group of plaintiffs; the cases that are part of a MDL remain separate lawsuits that are handled together for efficiency.

CPW readers are already well familiar with the Clearview litigations.  In regards to the various claims that had been brought against Clearview, the JPML found that “[t]hese actions share factual questions arising from allegations that the Clearview defendants improperly collected, captured, obtained, distributed, and profited off of citizens’ biometric data.”  As such, the JPML held that “centralization will eliminate duplicative discovery; prevent inconsistent pretrial rulings, including with respect to class certification; and conserve the resources of the parties, their counsel, and the judiciary.”  Consistent with the JPML’s order, these cases will now proceed in Illinois federal court for consolidated proceedings.

And in regards to Blackbaud, there was an alleged ransomware attack and data security breach of Blackbaud’s systems from about February 2020 through May 2020 that purportedly compromised the personal information of millions of consumers doing business with entities served by Blackbaud’s cloud software and services.  Plaintiffs, whose information was allegedly disclosed in the breach, filed putative class action litigation against Blackbaud.  While their allegations varied, the JPML found all litigations raised certain common factual questions regarding (1) Blackbaud’s data security practices and whether the practices met industry standards; (2) how the unauthorized access occurred; (3) the extent of personal information affected by the breach; (4) when Blackbaud knew or should have known of the breach; (5) the investigation into the breach; and (5) the alleged delay in disclosure of the breach to Blackbaud clients and affected consumers.  As such, the JPML ruled (as with the Clearview cases) that “centralization of the litigations in South Carolina would eliminate duplicative discovery; prevent inconsistent pretrial rulings, including with respect to class certification; and conserve the resources of the parties, their counsel, and the judiciary.”

These MDLs are poised to shape data privacy litigation to come – particularly with respect to Clearview, which is one of the first MDLs formed to address the handling of biometric data.  We’ll keep our eyes on Illinois and South Carolina for you to let you know how things turn out.  Stay tuned!