CFAA Applies Extraterritorially and Can Reach Claim of Violation by Expedia's Use of "Data Scraping" Program on Ryanair's Website in Ireland

Ryanair DAC v. Expedia, Inc., US District Court for the Western District of Washington, August 6, 2018

Plaintiff Ryanair operates a low-cost airline in Europe and maintains schedule and seat availability information on its website, housed in Ireland. Defendant Expedia operated a software program that "scraped" information off Ryanair's website for inclusion by Expedia in responses to inquiries from visitors to its site seeking flight information. The terms of use of Ryanair's website prohibited such activities, and Ryanair sued Expedia in Washington State claiming violations of the CFAA.

The Court first determined that the CFAA should apply extraterritorially, given the statute defines "protected computer" specifically to include one located outside the US. As relevant here, it then rejected Expedia's argument that US law should not apply because the Ryanair website's terms of use provided that visitors submit to the "sole and exclusive" jurisdiction of Irish courts and Irish laws. The Court found the provision would only apply if Ryanair had sued for breach of the terms, and additionally concluded that the choice-of-law language applied only to "authorized" users.

"Domestic" Violation of CFAA Established by Gaining Illegal Access to Nearly 2,000 US Computers

United States v. Gasperini, US Court of Appeals for the Second Circuit, July 2, 2018

Defendant Gasperini, an Italian citizen and resident, appealed his conviction for violating various criminal statutes, including the CFAA. The jury found that Gasperini had engaged in a scheme in which thousands of computers, many in the US, fraudulently "clicked" on advertisements on websites he controlled to generate payments from those advertisers. Among other things, Gasperini argued that the CFAA could not apply where the defrauded company was located outside the US.

The Court of Appeals disagreed, noting that different provisions of the CFAA might have different extraterritorial effects but that the issue need not be decided because the conduct in this case should be considered US "domestic." In reaching that conclusion the Court of Appeals stated it was required first to determine the "focus" of the CFAA, and then whether "conduct relevant to" that focus occurred in the US. In the case at bar, the "focus" of the CFAA was found to be "gaining access to computers and obtaining information from them." The relevant conduct, in turn, included Gasperini having accessed, without authorization, nearly 2000 computers in the US, including 200 in the district where he was charged. Because that conduct was substantial enough to constitute a domestic violation, the fact that other conduct occurred outside the US was irrelevant.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.