`
`
`
`BAILEY & GLASSER, LLP
`Arthur H. Bryant (State Bar No. 208365)
`abryant@baileyglasser.com
`Todd A. Walburg (State Bar No. 213063)
`twalburg@baileyglasser.com
`1999 Harrison Street, Suite 660
`Oakland, CA 94612
`(304) 345-6555 (main) / (304) 342-1110 (fax)
`
`John W. Barrett (pending pro hac vice admission)
`jbarrett@baileyglasser.com
`209 Capitol Street
`Charleston, WV 25301
`(304) 345-6555 / (304) 342-1110 (fax)
`
`THE GOLAN FIRM PLLC
`Yvette Golan (pending pro hac vice admission)
`y.golan@tgfirm.com
`2000 M St. NW Suite 750-A
`Washington, DC 20036
`(866) 298-4150 / (928) 441-8250 (fax)
`
`Attorneys for Plaintiffs
`
`
`
`UNITED STATES DISTRICT COURT
`NORTHERN DISTRICT OF CALIFORNIA
`
`
`Case No.
`
`COMPLAINT
`
`CLASS ACTION
`
`DEMAND FOR JURY TRIAL
`
`FRANK D. RUSSO, KOONAN LITIGATION
`CONSULTING, LLC, and SUMNER M.
`DAVENPORT & ASSOCIATES, LLC, on
`behalf of a similarly situated class,
`
`Plaintiff,
`
`vs.
`
`MICROSOFT CORPORATION,
`
`Defendant.
`
`
`
`
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`COMPLAINT - 1
`
`
`
`
`Case 3:20-cv-04818 Document 1 Filed 07/17/20 Page 2 of 38
`
`
`
`TABLE OF CONTENTS
`
`SUMMARY OF CLAIMS .............................................................................................................. 4
`
`INTRODUCTION .......................................................................................................................... 4
`
`PARTIES AND PLAINTIFF-SPECIFIC ALLEGATIONS .......................................................... 6
`
`JURISDICTION AND VENUE ................................................................................................... 10
`
`FACTS .......................................................................................................................................... 10
`
`A.
`
`B.
`
`C.
`
`2.
`
`3.
`
`4.
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`MICROSOFT TRANSITIONED BUSINESS CUSTOMERS TO ITS
`CLOUD-BASED SERVICES, ASSURING THEM THEIR DATA
`WOULD BE PRIVATE AND SECURE. ............................................................. 10
`MICROSOFT REPRESENTED TO BUSINESS CUSTOMERS IT
`WOULD USE THEIR DATA ONLY TO PROVIDE THE SERVICES
`THEY PURCHASED. .......................................................................................... 12
`MICROSOFT’S REPRESENTATIONS WERE FALSE. ................................... 17
`Microsoft shares its business customers’ data with Facebook
`1.
`and other third parties, without its business customers’ consent. ............. 17
`Microsoft shares its business customers’ data with third-party
`developers, without its business customers’ consent. ............................... 19
`Microsoft shares its business customers’ data with hundreds of
`subcontractors when sharing is not needed to provide the
`services, and without requiring the subcontractors to keep the
`data private and secure. ............................................................................. 20
`Microsoft uses its business customers’ data to develop and sell
`new products and services—and otherwise benefit itself. ........................ 21
`D. MICROSOFT MISREPRESENTS THE SECURITY IT PROVIDES
`FOR BUSINESS CUSTOMERS’ DATA. ........................................................... 22
`E. MICROSOFT’S ACTIONS HAVE INJURED PLAINTIFFS AND
`OTHER BUSINESS CUSTOMERS. ................................................................... 24
`
`CLASS ACTION ALLEGATIONS ............................................................................................. 25
`
`APPLICABLE LAW .................................................................................................................... 27
`
`Count One: Violations of the Wiretap Act 18 U.S.C. §§ 2511(1)(a), (1)(c), and (1)(d)
`On behalf of Plaintiffs and the Class ................................................................................ 27
`
`Count Two: Violations of the Stored Communications Act 18 U.S.C. § 2702
`On behalf of Plaintiffs and the Class ................................................................................ 30
`
`
`
`
`
`COMPLAINT - 2
`
`
`
`
`Case 3:20-cv-04818 Document 1 Filed 07/17/20 Page 3 of 38
`
`
`
`Count Three: Violations of the Washington Consumer Protection Act RCW 19.86,
`et seq. On behalf of Plaintiffs and the Class ..................................................................... 33
`
`Count Four: Violations of Washington Privacy Act R.C.W. §§ 9.73.010, et seq.
`On behalf of Plaintiffs and the Class ................................................................................ 35
`
`Count Five: Violations of Washington Common Law Intrusion Upon Seclusion
`On behalf of Plaintiffs and the Class ................................................................................ 37
`
`
`
`
`
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`COMPLAINT - 3
`
`
`
`
`Case 3:20-cv-04818 Document 1 Filed 07/17/20 Page 4 of 38
`
`
`
`SUMMARY OF CLAIMS
`
`1.
`
`This is a national class action against Microsoft for misrepresenting its privacy
`
`and security practices, violating federal and state law, and illegally sharing and using its
`
`business-class Microsoft Office 365 and Microsoft Exchange customers’ data.1 Contrary to
`
`Microsoft’s representations and without its customers’ consent, Microsoft shares its business
`
`customers’ contacts and related data with Facebook; shares the content of its business customers’
`
`emails, documents, contacts, calendars, and other data with unauthorized third parties for
`
`unauthorized purposes; and uses its business customers’ data to develop new products and
`
`services to sell to others. Those actions violate the Wiretap Act, 18 U.S.C. § 2511; the Stored
`
`Communications Act, 18 U.S.C. § 2702; and the consumer protection and privacy laws of
`
`Washington.
`
`INTRODUCTION
`
`Businesses require privacy and security to protect their data, which includes
`
`2.
`
`sensitive information belonging to them, their employees, their customers or clients, confidential
`
`business plans and financial projections, and trade secrets.
`
`3.
`
`Knowing this, Defendant Microsoft Corporation has made privacy, security,
`
`transparency, and trust the core themes of its marketing efforts for its phenomenally successful
`
`Office 365 (now called Microsoft 365) and Exchange Online services.2 Like a mantra, Microsoft
`
`has repeatedly promised business customers that it will use their content and data exclusively to
`
`provide them with the purchased services; that, solely for those purposes, it will share their data
`
`
`1When used in this Complaint, unless the context suggests otherwise, “businesses,”
`“business customers,” and similar terms include persons and non-governmental entities, including
`non-profit organizations, that subscribe to or purchase business-class versions of Microsoft Office
`365 and Microsoft Exchange, as specified in the class definition at ¶ 116, infra.
`
`
`2 On April 21, 2020, Office 365 became Microsoft 365. All references to Office 365 in this
`Complaint include references to Microsoft 365 as of that date and thereafter.
`
`
`
`COMPLAINT - 4
`
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`Case 3:20-cv-04818 Document 1 Filed 07/17/20 Page 5 of 38
`
`
`
`with its subcontractors and certain others only on a need-to-know basis; and that it will never
`
`share the customer’s data with third parties at all.
`
`4.
`
`In fact, contrary to its representations, Microsoft has regularly shared—and
`
`continues to share—its business customers’ data with Facebook and other third parties. The data
`
`is shared even when neither the customers nor their contacts are Facebook users. And, once
`
`Facebook obtains the data, harmful consequences can follow, as demonstrated by the data-
`
`harvesting debacle orchestrated by Cambridge Analytica targeting the 2016 national election,
`
`using data obtained by Facebook.
`
`5.
`
`Even when sharing has not been necessary to perform the purchased services,
`
`Microsoft has nonetheless shared its business customers’ data with hundreds of subcontractors,
`
`at least some of which have suffered data breaches and are based in countries known for
`
`corporate espionage, such as Russia, China, and Libya.
`
`6.
`
`Microsoft also has routinely used the content of business customers’ emails,
`
`documents, contacts, calendars, location data, audio files, and video files in order to develop new
`
`products and services sold to others; to glean business intelligence; and to otherwise derive
`
`commercial benefit.
`
`7.
`
`And Microsoft has falsely represented that Office 365 complies with System and
`
`Organization Controls standards 1 and 2, nationally recognized standards designed to assure the
`
`security, availability, processing integrity, confidentiality, and privacy of customer data.
`
`8.
`
`Microsoft claims transparency about how it uses data and with whom data is
`
`shared. But the company has not fully and openly disclosed its data use and sharing practices to
`
`its business customers. To the contrary, Microsoft has misled its customers and failed to obtain
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`COMPLAINT - 5
`
`
`
`
`Case 3:20-cv-04818 Document 1 Filed 07/17/20 Page 6 of 38
`
`
`
`their consent before using and sharing their data for its purposes. It continues that course of
`
`conduct to this day.3
`
`9.
`
`Microsoft’s practices violate federal laws governing the acquisition, use, and
`
`sharing of electronic communications; state laws prohibiting deceptive advertising and unfair
`
`acts and practices; and state privacy laws.
`
`10.
`
`Plaintiffs bring this lawsuit to hold Microsoft accountable, expose and stop its
`
`illegal conduct, and obtain compensation for all Office 365 and Exchange Online business
`
`customers in America who paid for services and products that were not as Microsoft claimed.
`
`PARTIES AND PLAINTIFF-SPECIFIC ALLEGATIONS
`
`11.
`
`Plaintiffs Frank D. Russo, Koonan Litigation Consulting, LLC, and Sumner M.
`
`Davenport & Associates, LLC are persons or companies that have subscribed to or purchased
`
`business versions of Microsoft’s services and products, as specified below. They seek to
`
`represent a nationwide class of similarly situated Microsoft business customers.
`
`12.
`
`Defendant Microsoft Corporation is a Washington corporation headquartered in
`
`Redmond.
`
`13.
`
`Plaintiff Frank D. Russo resides in Napa, California. He operates a sole
`
`proprietorship called Russo Mediation & Law, which provides mediation, arbitration, and
`
`alternative dispute resolution services to bring parties from conflict to resolution by establishing
`
`rapport, earning trust, understanding perspectives, and overcoming legal, psychological, and
`
`philosophical differences.
`
`
`3 Unless specifically noted otherwise or made clear by the context, all conduct alleged in
`this Complaint has taken place throughout the Class Period and is still taking place.
`
`
`
`COMPLAINT - 6
`
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`Case 3:20-cv-04818 Document 1 Filed 07/17/20 Page 7 of 38
`
`
`
`14.
`
`Since August 2015, Plaintiff Russo has paid approximately $12.50 per month for
`
`his subscription to Microsoft 365 Business Standard (formerly called “Office 365 Business
`
`Premium”).
`
`15.
`
`16.
`
`Plaintiff Russo is a regular user of Office 365 in the course of his business.
`
`The privacy and security of Plaintiff Russo’s and his clients’ data are important
`
`and material to him.
`
`17.
`
`In deciding to subscribe to Office 365, Plaintiff Russo believed Microsoft would
`
`keep Plaintiff Russo’s data private and secure.
`
`18. Microsoft misrepresented and did not disclose to Plaintiff Russo material facts,
`
`alleged more specifically below, regarding its use and protection of Plaintiff Russo’s data, and,
`
`as a result, Plaintiff Russo was deceived. Had Microsoft not made these misrepresentations and
`
`had it properly disclosed these facts, Plaintiff Russo would not have purchased his subscription,
`
`or alternatively would have paid less for it.
`
`19.
`
`Plaintiff Russo has started exploring what actions he can take, other than filing
`
`this lawsuit, to protect himself from the actions by Microsoft described in this Complaint.
`
`20.
`
`Plaintiff Koonan Litigation Consulting, LLC (“Plaintiff Koonan”) is a California
`
`limited liability corporation headquartered in San Francisco, doing business with another
`
`company as Chopra Koonan Litigation Services.
`
`21.
`
`Plaintiff Koonan provides its clients with advice on how to succeed in all aspects
`
`of litigation, including with case analysis, theme development, focus groups, mock trials, witness
`
`preparation, opening statements, closing arguments, jury selection, and post-trial juror
`
`interviews.
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`COMPLAINT - 7
`
`
`
`
`Case 3:20-cv-04818 Document 1 Filed 07/17/20 Page 8 of 38
`
`
`
`22.
`
`Since February 2016, Plaintiff Koonan has paid approximately $119.88 annually
`
`for its subscription to Microsoft 365 Business Basic (formerly called “Office 365 Business
`
`Essentials”).
`
`23.
`
`24.
`
`Plaintiff Koonan is a regular user of Office 365 in the course of its business.
`
`The privacy and security of Plaintiff Koonan’s and its clients’ data are important
`
`and material to it.
`
`25.
`
`In deciding to subscribe to Office 365, Plaintiff Koonan believed Microsoft would
`
`keep Plaintiff Koonan’s data private and secure.
`
`26. Microsoft misrepresented and did not disclose to Plaintiff Koonan material facts,
`
`alleged more specifically below, regarding its use and protection of Plaintiff Koonan’s data, and,
`
`as a result, Plaintiff Koonan was deceived. Had Microsoft not made these misrepresentations and
`
`had it properly disclosed these facts, Plaintiff Koonan would not have purchased its subscription,
`
`or alternatively would have paid less for it.
`
`27.
`
`Plaintiff Koonan has started exploring what action it can take, other than filing
`
`this lawsuit, to protect itself from the actions by Microsoft described in this Complaint.
`
`28.
`
`Plaintiff Sumner M. Davenport & Associates, LLC (“Plaintiff Davenport”), is a
`
`Wyoming limited liability corporation. Plaintiff Davenport’s primary place of business is in
`
`Woodland Hills, CA. Sumner Davenport is a California resident and has been throughout the
`
`class period. Plaintiff Davenport is a marketing company that works with small businesses, and
`
`charitable organizations on web accessibility, communication strategies, digital and print
`
`marketing, reputation management, and research. Plaintiff Davenport serves clients throughout
`
`Southern California.
`
`29.
`
`Since 2016, Plaintiff Davenport has subscribed to Microsoft 365 Business
`
`Standard (formerly called “Office 365 Business Premium”).
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`COMPLAINT - 8
`
`
`
`
`Case 3:20-cv-04818 Document 1 Filed 07/17/20 Page 9 of 38
`
`
`
`30.
`
`From approximately April 2016 through April 2018, Plaintiff Davenport paid
`
`$12.50 per month for its Microsoft 365 Business Standard account.
`
`31.
`
`From approximately April 2018 through the present, Plaintiff Davenport paid an
`
`annual subscription fee of $150 for the Microsoft 365 Business Standard account.
`
`32.
`
`33.
`
`Plaintiff Davenport purchased its subscription to Office 365 online.
`
`Before purchasing Office 365, Plaintiff Davenport’s principal, Sumner
`
`Davenport, conducted online research to identify the best solution for its document management,
`
`backup, and other business needs.
`
`34.
`
`35.
`
`Plaintiff Davenport is a regular user of Office 365 in the course of its business.
`
`The privacy and security of Plaintiff Davenport’s and its clients’ data are
`
`important and material to Plaintiff Davenport.
`
`36.
`
`In deciding to subscribe to Office 365, Plaintiff Davenport believed Microsoft
`
`would keep Plaintiff Davenport’s data private and secure.
`
`37. Microsoft misrepresented and did not disclose to Plaintiff Davenport material
`
`facts, alleged more specifically below, regarding its use and protection of Plaintiff Davenport’s
`
`data, and, as a result, Plaintiff Davenport was deceived. Had Microsoft not made these
`
`misrepresentations and had it properly disclosed these facts, Plaintiff Davenport would not have
`
`purchased its subscription, or alternatively would have paid less for it.
`
`38.
`
`Since learning about Microsoft’s improper sharing and use of business customer
`
`data, Plaintiff Davenport has ceased recommending that its clients purchase Office 365.
`
`39.
`
`Plaintiff Davenport is investigating replacing its Microsoft subscription with a
`
`different solution, a transition that would require significant time and money.
`
`
`
`
`
`
`
`COMPLAINT - 9
`
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`Case 3:20-cv-04818 Document 1 Filed 07/17/20 Page 10 of 38
`
`
`
`JURISDICTION AND VENUE
`
`40.
`
`The Court has subject matter jurisdiction under the Class Action Fairness Act,
`
`codified at 28 U.S.C. § 1332(d)(2). The matter in controversy exceeds the sum or value of
`
`$5,000,000, exclusive of interest and costs, and is a class action in which any member of the
`
`class is a citizen of a State different from the Defendant.
`
`41.
`
`Further, this matter also arises under the Wiretap Act, 18 U.S.C. § 2511, and the
`
`Stored Communications Act, 18 U.S.C. § 2702. The dispute is thus premised on a federal
`
`question, for which jurisdiction resides in this Court under 28 U.S.C. § 1331.
`
`42.
`
`Insofar as Plaintiffs assert claims arising under state law, supplemental
`
`jurisdiction lies in this Court under 28 U.S.C. § 1367(a), as those claims are so related to
`
`Plaintiffs’ federal claims that they form part of the same case or controversy.
`
`43.
`
`In addition, Plaintiffs’ claims arose and were caused by Microsoft’s actions in
`
`California. Microsoft’s misrepresentations to Plaintiffs and other actions took place in California,
`
`were aimed at Plaintiffs in California, and injured Plaintiffs in California. Microsoft knew its
`
`actions could reasonably and fairly subject it to suit and specific jurisdiction in California.
`
`44. Microsoft’s acts and omissions giving rise to Plaintiffs’ claims were directed at
`
`Plaintiffs Russo and Koonan at their respective headquarters in Napa and San Francisco, in the
`
`Northern District of California. This District is therefore a proper venue for this action, as
`
`prescribed by 28 U.S.C. § 1391.
`
`FACTS
`
`A. MICROSOFT TRANSITIONED BUSINESS CUSTOMERS TO ITS
`CLOUD-BASED SERVICES, ASSURING THEM THEIR DATA WOULD
`BE PRIVATE AND SECURE.
`
`As the largest software company in the world, Microsoft led the transition to
`
`45.
`
`cloud computing.
`
`
`
`COMPLAINT - 10
`
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`Case 3:20-cv-04818 Document 1 Filed 07/17/20 Page 11 of 38
`
`
`
`46.
`
`Building on the enormous success of its Office suite of software products
`
`(including Word, Outlook, Excel, and PowerPoint), Microsoft developed Office 365 as a cloud-
`
`based “software-as-a-service” version of those popular offerings, for which customers would pay
`
`a monthly subscription fee.
`
`47.
`
`“Trust” has been—and is—the centerpiece of Microsoft’s advertising campaigns
`
`for its cloud-based business services and products. In its website “Trust Center,” Microsoft
`
`promises it abides by the most “stringent privacy standards” and provides FAQs, videos, top-10
`
`lists, and whitepapers declaring fidelity to customers’ privacy demands.
`
`48. Microsoft has focused on “trust” because it recognizes that “[o]ur business can
`
`succeed only if our customers trust us to protect their privacy and use their data in the ways that
`
`they permit us.” As Microsoft Corporate Vice President and Deputy General Counsel Rich Sauer
`
`put it, Microsoft’s corporate mission “depends on our ability to win and retain our users’ trust.”
`
`And internal Microsoft documents recognize that business customers will not use Microsoft’s
`
`online services and products if they lack strong privacy protections. Microsoft touts security,
`
`privacy, compliance, and transparency as the “foundational principles” of its “Trusted Cloud”:
`
`
`
`49. Microsoft’s marketing focus on privacy and security is also calculated to increase
`
`
`
`its bottom line. In internal documents, Microsoft identified privacy as a “competitive
`
`differentiator,” noting that “[l]oyalty goes up with choice and control.”
`
`
`
`COMPLAINT - 11
`
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`Case 3:20-cv-04818 Document 1 Filed 07/17/20 Page 12 of 38
`
`
`
`50. Microsoft knew that its customers were concerned about the security of storing
`
`information outside of their own networks or in a cloud infrastructure. As Microsoft put it,
`
`“[C]ustomers of all kinds have the same basic concerns about moving to the cloud. They want to
`
`retain control of their data, and they want that data to be kept secure and private[.]”
`
`51.
`
`A business’s data is among the most valuable assets it owns. Business data
`
`typically includes sensitive information, such as confidential financial details, secret business
`
`ideas, plans for new products or services, trade secrets, and other proprietary business insights
`
`and intelligence.
`
`52.
`
`Business data can also include personal information about the businesses’
`
`customers and employees, including banking information, social security numbers, and other
`
`legally protected personally identifying information.
`
`53.
`
`Businesses must protect their data, and they will pay more for that protection.
`
`B. MICROSOFT REPRESENTED TO BUSINESS CUSTOMERS IT WOULD
`USE THEIR DATA ONLY TO PROVIDE THE SERVICES THEY
`PURCHASED.
`
`54.
`
`In its agreements and marketing materials directed to its business customers,
`
`
`
`Microsoft consistently represented that it would use their data only to provide them with the
`
`specific services they purchased.
`
`55. Microsoft’s agreements with its business customers define “customer data” as “all
`
`data, including all text, sound, software, image or video files that are provided to Microsoft by,
`
`or on behalf of, Customer” through the use of Office 365 or Exchange Online.
`
`56.
`
`“Customer data” includes the customer’s “content,” i.e., what Microsoft
`
`customers create, communicate, and store on or through Microsoft’s services, such as the words
`
`in an email exchanged between friends or business colleagues, and the photographs and
`
`documents stored on Office 365 or Exchange Online.
`
`
`
`COMPLAINT - 12
`
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`Case 3:20-cv-04818 Document 1 Filed 07/17/20 Page 13 of 38
`
`
`
`57.
`
`Customer data also includes Exchange Online emails and attachments, Power BI
`
`(business intelligence) reports, SharePoint Online site content, and instant message (“IM”)
`
`conversations.
`
`58.
`
`Throughout its Trust Center, and in its related marketing materials, whitepapers,
`
`technical instructions, and other representations and documents, Microsoft has consistently
`
`represented to its business customers that their data will not be used for any purpose other than
`
`providing the specific services the customer has purchased. For example:
`
`a.
`
`b.
`
`c.
`
`On a marketing page of its website, Microsoft promises, “We use
`your data for just what you pay us for: to maintain and provide
`Office 365[.] We make it our policy to not use your data for other
`purposes.”
`
`Similarly, in a whitepaper, Microsoft says that it “uses customer
`data only for providing cloud services… We also don’t scan our
`customers’ email or documents for building analytics, data mining,
`advertising, or improving services without our customers’
`permission.”
`
`And in webpages designed to provide more technical information,
`Microsoft promises: “We use customer data only to provide the
`services; therefore, Microsoft strictly prohibits access to customer
`data for any other purpose.”
`
`59. Microsoft has also repeatedly guaranteed its business customers that they—and
`
`they alone—have control of their data. The Trust Center screenshot below is typical of the tone,
`
`tenor, and content of Microsoft’s efforts and promises in this regard:
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`COMPLAINT - 13
`
`
`
`
`Case 3:20-cv-04818 Document 1 Filed 07/17/20 Page 14 of 38
`
`
`
`
`60.
`
`This representation has remained consistent throughout the class period. For
`
`example, prior versions of Microsoft’s webpages similarly promised:
`
`
`
`
`
`COMPLAINT - 14
`
`
`
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`Case 3:20-cv-04818 Document 1 Filed 07/17/20 Page 15 of 38
`
`
`
`61.
`
`These guarantees have been repeated to Microsoft’s business customers in myriad
`
`materials. For example:
`
`a.
`
`b.
`
`“As a customer of Office 365, you own and control your data. We
`do not use your data for anything other than providing you with the
`service that you have subscribed for…. You own your data and
`retain all rights, title, and interest in the data you store with Office
`365.”
`
`“Our cloud services allow you to control who has access to your
`data, and how it’s shared . . . . And you can take your data with you
`when you leave.”
`
`62.
`
`To that end, Microsoft has promised its customers that they can easily learn who
`
`has access to their data, and that they can terminate that access if they wish. For example:
`
`a.
`
`b.
`
`c.
`
`d.
`
`“We are transparent about our privacy practices and offer
`meaningful privacy choices.”
`
`“We will be transparent about data collection and use so you can
`make informed decisions. . . . Also, you can take your data with you
`if you end your subscription.”
`
`“With Office 365, it’s your data. You own it. You control it And it
`is yours to take with you if you decide to leave the service . . . . You
`know where your data resides and who has access.”
`
`“We provide you with clear explanations about . . . who can access
`[your data] and under what circumstances.”
`
`63. Microsoft has also regularly represented that it “will not transfer to any third party
`
`(not even for storage purposes) data that you provide to Microsoft through the use of our
`
`business cloud services that are covered under the Microsoft Online Services Terms.”
`
`64. Microsoft has made—and continues to make—these and similar representations
`
`in many other marketing materials, too numerous and voluminous to list.
`
`65. Microsoft has also made—and continues to make—these representations in its
`
`Online Service Terms, which apply to all business customers. In the Online Service Terms, and
`
`more specifically its 2020 Data Protection Agreement (“DPA”), Microsoft promised all business
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`COMPLAINT - 15
`
`
`
`
`Case 3:20-cv-04818 Document 1 Filed 07/17/20 Page 16 of 38
`
`
`
`customers in the putative class that it would use their data “only (a) to provide Customer the
`
`Online Services in accordance with Customer’s documented instructions, and (b) for Microsoft’s
`
`legitimate business operations, each as detailed and limited below.” The DPA clarifies that the
`
`customer, not Microsoft, “retains all right, title and interest in and to Customer Data,” and
`
`narrowly defines the provision of online service as “[d]elivering functional capabilities” of the
`
`product purchased, troubleshooting problems, and improving the product through updates to
`
`improve “user productivity, reliability, efficacy, and security.”
`
`66.
`
`And the DPA specifies that Microsoft will not use business customer data for a
`
`broad range of activities unrelated to providing the purchased product, including “(a) user
`
`profiling, (b) advertising or similar commercial purposes, or (c) market research aimed at
`
`creating new functionalities, services, or products or any other purpose, unless such use or
`
`processing is in accordance with Customer’s documented instructions.”
`
`67.
`
`Though Microsoft amends the Online Service Terms from time to time, they have
`
`not materially changed vis-à-vis the putative class members and their claims during the class
`
`period.
`
`68.
`
`For example, in the 2015 Online Service Terms, Microsoft promised its business
`
`customers:
`
`Customer Data will be used only to provide Customer the Online Services
`including purposes compatible with providing those services. Microsoft
`will not use Customer Data or derive information from it for any
`advertising or similar commercial purposes. . . . Microsoft will not disclose
`Customer Data or Support Data outside of Microsoft or its controlled
`subsidiaries and affiliates except (1) as Customer directs, (2) as described
`in the [Online Service Terms], or (3) as required by law.
`
`69. Microsoft further “agrees and warrants . . . to process the personal data only on
`
`behalf of” the Microsoft business customer.
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`COMPLAINT - 16
`
`
`
`
`Case 3:20-cv-04818 Document 1 Filed 07/17/20 Page 17 of 38
`
`
`
`70. Microsoft commits, moreover, that it “shall not subcontract any of its processing
`
`operations performed on behalf of” the Microsoft business customer without the customer’s prior
`
`written consent.
`
`71. Microsoft’s subscription and licensing agreements with class members reinforce
`
`these representations. For example, Microsoft’s Business and Services Agreement says it will
`
`use business customer data “only for purposes of the parties’ business relationship. [Microsoft
`
`will not] disclose [customer data] to third parties, except to its employees, Affiliates, contractors,
`
`advisors, and consultants (‘Representatives’) and then only on a need-to-know basis[.]”
`
`72.
`
`Similarly, Microsoft’s Open Value Agreement states that it will use business
`
`customer data “only for purposes of the parties’ business relationship under this Agreement.
`
`[Microsoft will not] disclose that information to third parties, except to its employees, Affiliates,
`
`resellers, contractors, advisors, and consultants (collectively, ‘Representatives’) and then only on
`
`a need-to-know basis[.]”
`
`73.
`
`Reaffirming that message, Microsoft’s Cloud Agreement and Open License
`
`Agreement say that the customer consents only “to the processing of personal information by
`
`Microsoft and its agents to facilitate the subject matter of this agreement.”
`
`C. MICROSOFT’S REPRESENTATIONS WERE FALSE.
`
`
`Microsoft shares its business customers’ data with Facebook and other third
`parties, without its business customers’ consent.
`
`Facebook is the world’s largest social media network, with over two billion active
`
`1.
`
`74.
`
`users. Its business model relies on using and sharing its users’ data.
`
`75.
`
`Although Facebook is not necessary to provide Office 365 or Exchange Online
`
`services to Microsoft’s business customers, Microsoft routinely and automatically shares its
`
`business customers’ contacts with Facebook—without those customers’ consent— whether or
`
`not the customers or their contacts are Facebook users.
`
`
`
`COMPLAINT - 17
`
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`Case 3:20-cv-04818 Document 1 Filed 07/17/20 Page 18 of 38
`
`
`
`76.
`
`Even if a customer discovers and disables this Facebook-sharing “feature” after
`
`activating Office 365 or Exchange Online services, the damage has already been done. At that
`
`point, the business customer’s contacts have been shared with Facebook. As Microsoft explains
`
`in an obscure technical instruction, “[o]nce contacts are transferred to Facebook, they cannot be
`
`deleted from Facebook’s systems except by Facebook.”
`
`77.
`
`Because Microsoft shares its business customers’ contact data with Facebook, its
`
`customers’ data is accessible not just by Facebook, but also by whomever Facebook shares the
`
`data with, and whomever those entities decide to share the data with, ad infinitum.
`
`78.
`
`For example, after Facebook gave limited data access to University of Cambridge
`
`psychology lecturer Aleksandr Kogan, data of 87 million persons were exploited by Cambridge
`
`Analytica, a data mining firm that focuses on opposition research and intelligence gathering for
`
`political campaigns.
`
`79.
`
` With Facebook’s data, Cambridge Analytica was able to create a political
`
`microtarge