Federal Judge Allows Negligence Claim for Unauthorized Use of Personal Data by App Developer

Hernandez v. Path, Inc. By Kathleen McGuinness – Edited by Charlie Stiernberg Hernandez v. Path, Inc., No. 12-CV-01515 YGR (N.D. Cal. Oct. 17, 2012) Slip opinion In a class-action privacy lawsuit over a photo sharing app's alleged unauthorized access of user data, the District Court for the Northern District of California held that the plaintiff has Article III standing, but dismissed six of the ten claims. The court held that neither a slight loss of phone battery life nor hypothetical future risks to the security of user data were sufficient harms to establish standing, but ruled that the expense of paying an expert to remove the unwanted software could be sufficient. It also allowed a negligence claim to go forward, noting that California courts have not foreclosed the possibility of liability for third-party app developers who negligently collect user data. MediaPost provides a short overview of the case. Internetcases discusses the holding for each claim in more detail. The Technology & Marketing Law Blog criticizes the decision, expressing concern about the implications of allowing the negligence claim. The suit alleges that Path, Inc. accessed, uploaded, and stored data from users' Contact Address Books without authorization when they downloaded Path's photo sharing smartphone app. The plaintiff alleged three harms to establish Article III standing: the loss of several seconds of battery life and bandwidth on the phone, the potential security risk to his data stored on Path's unsecured servers, and the cost of removing the software. Because the plaintiff alleged that removing the software would require hours of expert work costing as much as $12,500, the court held that the plaintiff had sufficiently alleged that he had suffered an actual injury for Article III standing. However, the loss of a few seconds of battery life was held to be insufficient and the hypothetical future risk to unsecured data was held to be too speculative to confer standing. Because the data was not a communication intercepted in transit, claim 1 under the Federal Wiretap Act 18 U.S.C. § 2511 and claim 4 under California’s Invasion of Privacy Law Cal. Penal Code §§ 630 et  4. seq. were dismissed. The court also dismissed claim 2 under the Stored Communications Act 18 U.S.C. § 2701, holding that the definitions of “electronic communication service” and “electronic storage” in the act refer only to temporarily stored data owned by telephone and email service providers. The court dismissed three state law tort claims: public disclosure of private facts (claim 6), because the user data was never publicly disclosed; conversion (claim 8), because the plaintiff was never deprived of his data; and trespass to chattels (claim 9), which would have required damage to the phone or an impairment of its functioning under California law. However, the court allowed claim 10 alleging unjust enrichment, noting that a split exists between California courts on its existence as a cause of action. Because of limited briefing, the court did not dismiss claim 3 alleging that Path's actions violated the California Computer Crime Law (Cal. Penal Code § 502). It likewise allowed claim 5 under California's Unfair Competition Law, holding that the plaintiff had adequately alleged unlawful and unfair business practices. The court granted the plaintiff leave to amend all its dismissed claims. The Technology & Marketing Law Blog identifies two potentially significant holdings in the case. First, the court held that the California Computer Crime Law might apply to unauthorized capture of data even by deliberately installed programs. Some California district court cases have limited the application of Section 502 to unauthorized access that circumvents technical barriers, which would not include unauthorized data use by deliberately installed apps. See Facebook, Inc. v. Power Ventures, Inc., C 08-05780 JW, 2010 WL 3291750 (N.D. Cal. July 20, 2010); see also In re iPhone Application Litig., 11-MD-02250-LHK, 2011 WL 4403963 (N.D. Cal. Sept. 20, 2011). Other courts, including the Northern District of California, have left open the possibility that Section 502 may apply more broadly. See Weingand v. Harland Fin. Solutions, Inc., C–11–3109 EMC, 2012 WL 2327660, at *4–6 (N.D.Cal. June 19, 2012). Second, the court allowed a claim of negligence to go forward, holding that third-party smartphone app developers may have a duty not to take users' personal data without authorization. Though the Northern District of California recently held in In re iPhone Application Litigation that phone manufacturers have no duty to protect users from unauthorized data use by third-party apps, the court here declined to rule out such a duty for the third-party app developers themselves.