Skip to Content

Free Expression, Privacy & Data

Mobile Apps: Liability, Responsibility and Jurisdiction

/ G.S. Hans

The widespread adoption of smartphones and tablets raises important issues about how to best protect consumer privacy. Today, CDT is releasing a paper that continues our analysis of the mobile ecosystem, examining the privacy and other liability issues raised when mobile platforms act as intermediaries, hosting third party apps that access user data.

Our paper analyzes the current state of the law in the United States, the European Union, and Canada. We begin by describing how both the makers of mobile operating systems and independent developers can create and publish apps that give users a range of choices to enhance the built-in functions of their devices.  We note that, in many ways, this feature of mobile devices mirrors capabilities of desktop programs and web services, where it is clear that hardware makers and operating systems are not liable for the conduct of third party apps.

Turning to the laws that might apply to the mobile ecosystem in the US, we analyze basic principles of contract and liability law, as well as the special role of Section 230 of the Communications Decency Act (which protects against civil liability intermediaries that act in good faith) and Section 512 of the Digital Millennium Copyright Act (which provides a safe harbor for intermediaries from copyright infringement claims, provided that the intermediary complies with notice-and-takedown procedures). We conclude that, under US law, it is quite clear that platform operators are not liable for the conduct of independent third party apps.

In Europe, however, the legal regime is less clear, as intermediaries there are subject simultaneously to the E-Commerce Directive, domestic law, and the Data Protection Directive. Under the E-Commerce Directive, platform operators may be covered under the safe harbor provision for intermediaries, but those rules have been subject to inconclusive and sometimes conflicting national and EU level interpretations. Moreover, the EU is in the midst of updating its data protection rules.

In Canada, we note that the Privacy Commissioner has suggested that social networking platforms should take responsibility for moderating the actions of third party developers.

Policies protecting intermediaries from liability for content created by third parties have helped to expand the space for expression and innovation online. However, there remains considerable debate outside of the U.S. over the application of liability principles to intermediaries in general, and there is little clarity as to how various legal regimes will react to mobile platforms. These questions are likely to further evolve as mobile devices, and their accompanying platforms, gain popularity.  CDT will continue to work for strong protection of intermediaries as the best means to protect user rights and foster innovation.

Related Reading

Samir Jain Testimony for House Committee. White document on black background.

CDT VP of Policy Samir Jain Testimony Before U.S. House Energy & Commerce Committee on “Legislative Solutions to Protect Kids Online and Ensure Americans’ Data Privacy Rights”
The CDT logo. A light and dark grey "cdt" alongside "Center for Democracy & Technology" on a white background.

Deprecating third-party cookies: a small step towards a more private web
CDT brief, entitled "Unintended Consequences: Consumer Privacy Legislation and Schools." White and blue document on a grey background

Brief – Unintended Consequences: Consumer Privacy Legislation and Schools