• by Wendy Davis  @wendyndavis, December 13, 2021

Amazon and Microsoft are urging a federal judge to rule they did not violate an Illinois biometric privacy law by amassing faceprints of Illinois residents.

In motions filed late last week, Amazon and Microsoft say the evidence shows that neither company engaged in the kind of activity in Illinois that would subject them to liability for potentially violating a law in that state.

“The undisputed evidence now confirms that any potentially relevant Amazon activity took place outside Illinois,” Amazon writes in papers filed with U.S. District Court Judge James Robart in Seattle.

Microsoft adds in a separate motion that it didn't download any “alleged biometrics” in Illinois.

The papers come in a lawsuit filed in July of 2020 by Illinois residents Steven Vance and Tim Janecyk. They alleged the tech companies obtained a faceprint database from IBM, which reportedly acquired 100 million pictures from the photo-sharing service Flickr.

Amazon and Microsoft allegedly obtained the database in order to improve their facial-recognition products and technologies, Vance and Janecyk claimed in class-action complaints.

Vance and Janecyk contend the tech giants violated the Illinois Biometric Information Privacy Act, which requires companies to obtain state residents' written consent before collecting or storing certain biometric data -- including scans of facial geometry.

Amazon and Microsoft previously urged Robart to dismiss the lawsuit at an early stage for several reasons, including that the Illinois privacy law only applies to activity that occurs in the state.

In March, Robart rejected that argument, but suggested he might revisit it in the future.

“It is certainly possible that with more factual refinement around this complex issue, the circumstances around Microsoft’s attainment, possession and use of the ... dataset will reveal that the alleged violations did not occur primarily in Illinois,” he wrote at the time.

The two tech companies argue in their new papers that the evidence developed since March shows that any potential violation of the Illinois biometric privacy law occurred outside the state.

“Far from showing any connection to Illinois, the evidence shows that Amazon’s conduct regarding the IBM [database] was several steps removed from Illinois,” Amazon writes.

The company elaborates that researchers in the states of Washington and Georgia, but not Illinois, either downloaded or examined the faceprint database. Those researchers ultimately found the data was “unsuitable for their research purposes,” and the database was never used, Amazon adds.

Microsoft makes a similar argument.

“Microsoft did not download plaintiffs’ alleged biometrics in Illinois, did not use the dataset or any information in it for any purpose anywhere, could not have known plaintiffs’ purported biometrics were in the dataset, and did not have any reason to know the Dataset may contain links to Illinois residents’ photos, much less biometric identifiers,” lawyers for the company write in a separate motion.

Microsoft added that an outside vendor who was researching facial recognition downloaded the images as part of his research, but was unable to use them.

“The linked photos in the dataset were not useful for .... research purposes because they were unconstrained images, i.e., they were not conventional head-on photos used on a driver’s license or passport, and they were of generally low quality,” the company says.

A company intern also downloaded the images, but found them “unsuitable for her research project,” and didn't use them, Microsoft says.

Both Amazon and Microsoft make the legal argument that state laws that effectively regulate out-of-state activity are unconstitutional, because only Congress can regulate interstate commerce.

Amazon writes that applying Illinois' privacy law to out-of-state conduct “would effectively allow Illinois to make policy and legislative decisions” for other states.

The companies add that applying Illinois' privacy law would conflict with policy decisions of other states -- including Washington state, which exempts data generated from photos from its biometric privacy law.

“The court should not allow plaintiffs to import Illinois’ policy decisions into Washington to find a violation where Washington law would deem there was none,” Microsoft writes.