Opinion
21-17036
12-01-2022
NOT FOR PUBLICATION
Argued and Submitted November 14, 2022 San Jose, California
Appeal from the United States District Court for the Northern District of California D.C. No. 3:21-cv-02470-EMC Edward M. Chen, District Judge, Presiding
Before: GRABER, TALLMAN, and FRIEDLAND, Circuit Judges.
MEMORANDUM [*]
Plaintiffs bought "hardware wallets" in which to store cryptocurrency assets. They allege that a data breach exposed personal information that they had provided in connection with their purchases. Plaintiffs, on behalf of a putative class, sued Ledger SAS, the French company that manufactured and sold the wallets; Shopify Inc., the Canadian company that provided e-commerce services for Ledger's online store; and Shopify (USA) Inc., a subsidiary of Shopify Inc. based in Delaware. The district court dismissed the action for lack of personal jurisdiction over Defendants, denied Plaintiffs' request for jurisdictional discovery, and denied Plaintiffs' request for leave to amend. Plaintiffs timely appeal. We review de novo the dismissal for lack of personal jurisdiction, Picot v. Weston, 780 F.3d 1206, 1211 (9th Cir. 2015); for abuse of discretion the denial of jurisdictional discovery, LNS Enters. LLC v. Cont'l Motors, Inc., 22 F.4th 852, 858 (9th Cir. 2022); and for abuse of discretion the denial of leave to amend, Curry v. Yelp Inc., 875 F.3d 1219, 1228 (9th Cir. 2017). We affirm in part and reverse and remand in part.
1. The district court had specific personal jurisdiction over Ledger. The "purposeful availment" framework applies because Plaintiffs' claims are for negligence. Holland Am. Line Inc. v. Wartsila N. Am., Inc., 485 F.3d 450, 460 (9th Cir. 2007). Ledger has sold about 70,000 wallets directly to Californians, generating millions of dollars in revenue; its website is designed to collect the applicable California sales tax for buyers whose IP addresses are in California; and it ships the wallets directly to California addresses. Taken together, those facts suffice to establish purposeful availment because Ledger's contacts with the forum cannot be characterized as "random, isolated, or fortuitous." See Keeton v. Hustler Mag., Inc., 465 U.S. 770, 774 (1984) (holding that the defendant's regular monthly sales of thousands of magazines to New Hampshire residents created the necessary minimum contacts to support personal jurisdiction).
In addition, Plaintiffs' claims "arise out of" those sales. Ford Motor Co. v. Mont. Eighth Jud. Dist. Ct., 141 S.Ct. 1017, 1025 (2021) (quoting Bristol-Myers Squibb Co. v. Superior Ct., 137 S.Ct. 1773, 1780 (2017)). Buyers are required to disclose personal information in order to buy the wallets, Ledger retains those data for e-commerce and marketing purposes, the wallets are advertised as part of a larger security "ecosystem," and Plaintiffs allege that they would not have bought wallets had they known of Ledger's poor data security practices. See Learjet, Inc. v. Oneok, Inc. (In re W. States Wholesale Nat. Gas Antitrust Litig.), 715 F.3d 716, 742 (9th Cir. 2013) ("[A] lawsuit arises out of a defendant's contacts with the forum state if a direct nexus exists between those contacts and the cause of action." (quoting Fireman's Fund Ins. Co. v. Nat'l Bank of Coops., 103 F.3d 888, 894 (9th Cir. 1996))).
2. As noted, Plaintiffs' claims arise out of their purchase of Ledger wallets. To buy a wallet, a purchaser must agree to the Sales Terms and Conditions, which acknowledge that Ledger may collect personal data and which refer in turn to the Privacy Policy for details regarding Ledger's use of those data. In addition, users must agree to the Ledger Live Terms of Use when they begin to use the Ledger Live software. All three documents contain extremely broad forum selection clauses providing that covered disputes will be subject to the exclusive jurisdiction of the French courts. The forum-selection clause in the Ledger Live Terms of Use, for example, covers "[a]ny dispute, controversy, difference or claim arising out of or relating to" the agreement. The broad scope of that clause encompasses this lawsuit. See Yei A. Sun v. Advanced China Healthcare, Inc., 901 F.3d 1081, 1086-87 (9th Cir. 2018) (concluding that a forum-selection clause encompassing disputes "arising out of or related to" the agreement covered the suit because the dispute had a logical or causal connection to the agreement).
All three documents also contain choice-of-law provisions that apply French law.
Plaintiffs do not argue that their claims stand in a different causal relationship to the Ledger Live Terms of Use than to the Privacy Policy or Sales Terms and Conditions.
These forum-selection clauses are enforceable except with respect to Plaintiffs who are "California resident plaintiffs bringing class action claims under California consumer law." Doe 1 v. AOL LLC, 552 F.3d 1077, 1084 (9th Cir. 2009) (per curiam) (holding that a forum-selection clause was unenforceable because it violated California public policy against waiver of consumer rights under California's Consumer Legal Remedies Act). Accordingly, we reverse the dismissal of Plaintiffs' California consumer law claims but otherwise affirm the dismissal of Plaintiffs' claims against Ledger.
3. With respect to the Shopify Defendants, the district court correctly ruled that the present record does not support personal jurisdiction, but abused its discretion by disallowing any jurisdictional discovery and an opportunity to amend the complaint following jurisdictional discovery. Shopify USA employs more than 200 people who work remotely from California. One of those employees has the title of "Data Protection Officer" (DPO). It is reasonable to infer that this employee may have played a role related to the data breach because he appears to have overseen the relevant privacy policies and Shopify's response. The DPO's LinkedIn profile displays his title as "Vice President, Legal; Data Protection Officer." His job duties include "[s]trategically advis[ing the] executive team, senior leaders, and Board of Directors," as well as "[s]erv[ing] as [the] company's Data Protection Officer, advising senior management, Board of Directors, and key teams within the company on issues relating to privacy, data protection, data usage, and cybersecurity." These responsibilities plausibly relate to how Shopify would prevent and respond to a data breach. Because more facts are needed to determine whether those activities support the exercise of jurisdiction, we reverse the district court's denial of jurisdictional discovery with respect to the DPO's role and responsibilities and his relationship to Shopify, Inc., which processed and stored the data. See Laub v. U.S. Dep't of Interior, 342 F.3d 1080, 1093 (9th Cir. 2003) (holding that the refusal to grant jurisdictional discovery was prejudicial where there was a reasonable probability that the outcome of the motion would be different).
However, the district court permissibly denied as speculative discovery on other matters. See Boschetto v. Hansing, 539 F.3d 1011, 1020 (9th Cir. 2008) (upholding denial of request for jurisdictional discovery that was "based on little more than a hunch"). Following jurisdictional discovery, amendment of Plaintiffs' claims against the Shopify defendants would not necessarily be futile and so should be allowed. See Polich v. Burlington N., Inc., 942 F.2d 1467, 1472 (9th Cir. 1991) ("Dismissal without leave to amend is improper unless it is clear, upon de novo review, that the complaint could not be saved by any amendment.").
AFFIRMED IN PART; REVERSED AND REMANDED IN PART. Each party shall bear its own costs on appeal.
[*] This disposition is not appropriate for publication and is not precedent except as provided by Ninth Circuit Rule 36-3.