CFAA Applies Extraterritorially and Can Reach Claim of Violation by Expedia's Use of "Data Scraping" Program on Ryanair's Website in Ireland
Ryanair DAC v. Expedia, Inc., US District Court for the Western District of Washington, August 6, 2018
"Domestic" Violation of CFAA Established by Gaining Illegal Access to Nearly 2,000 US Computers
United States v. Gasperini, US Court of Appeals for the Second Circuit, July 2, 2018
Defendant Gasperini, an Italian citizen and resident, appealed his conviction for violating various criminal statutes, including the CFAA. The jury found that Gasperini had engaged in a scheme in which thousands of computers, many in the US, fraudulently "clicked" on advertisements on websites he controlled to generate payments from those advertisers. Among other things, Gasperini argued that the CFAA could not apply where the defrauded company was located outside the US.
The Court of Appeals disagreed, noting that different provisions of the CFAA might have different extraterritorial effects but that the issue need not be decided because the conduct in this case should be considered US "domestic." In reaching that conclusion the Court of Appeals stated it was required first to determine the "focus" of the CFAA, and then whether "conduct relevant to" that focus occurred in the US. In the case at bar, the "focus" of the CFAA was found to be "gaining access to computers and obtaining information from them." The relevant conduct, in turn, included Gasperini having accessed, without authorization, nearly 2000 computers in the US, including 200 in the district where he was charged. Because that conduct was substantial enough to constitute a domestic violation, the fact that other conduct occurred outside the US was irrelevant.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.