Users settle class action lawsuit over Google COVID-19 contact tracing app data exposure with injunctive-only agreement

Plaintiffs alleging that Google LLC failed to protect their information despite promises to the contrary and Apple’s COVID-19 contact-tracing app have resolved the dispute with Google, according to the motion for preliminary approval filed late in last week. The settlement comes with changes that will purportedly help ensure that Google delivers on its data privacy promises when it comes to its Emergency Notification System application.

As previously reported, individuals have filed a lawsuit alleging that Google misrepresented that users’ identities and their COVID-19 status would remain anonymous and would not be collected by Google or shared with other users. As of March 2021, more than 28 million users reportedly registered with the system, thereby disclosing medical and other identifying information to defendants.

According to plaintiffs’ “detailed forensic analysis”, Google has failed to keep its end of the bargain. “Google fundamentally erred in the design and implementation of its EN system by leaving users’ private health information unprotected on the ‘system logs’ of Android devices to which Google and third-party app developers had a regular access,” the filing explains.

Additionally, while it became aware of the flaw in its contact-tracing app in February 2021, it “has yet to inform the general public or satisfactorily fix security vulnerabilities to prevent issues from to advance”.

The motion for preliminary approval notes that the parties reached an agreement while Google’s motion to dismiss, filed last August, was pending. In it, Google argued that the plaintiffs lacked the constitutional capacity not to allege the required harm.

Now, plaintiffs are touting that the settlement quickly resolves the dispute and fixes identified flaws. Under the terms of the settlement, Google must make several commitments, although the filing notes that it has already taken several steps to address security vulnerabilities in its EN.

The injunction is to confirm that no EN user data is available on internal systems and to include an explanation of enhanced security and privacy protections that address the concerns raised in the action. The attorney also claims he will seek attorney fees not to exceed $2 million.

Plaintiffs are represented by Lieff Cabraser Heimann & Bernstein and Google by Willkie Farr & Gallagher LLP.