Matt Dinerstein v. Google, LLC
73 F.4th 502
7th Cir.2023Background
- UChicago Medical Center (the University) transferred anonymized patient records (2010–June 30, 2016) to Google under a December 2016 Data Use Agreement that removed direct identifiers but preserved dates; the agreement prohibited Google from identifying individuals.
- Matt Dinerstein was an inpatient in June 2015; he received a Notice of Privacy Practices and signed an Admission/Authorization acknowledging potential research uses and that he would not receive compensation.
- Dinerstein sued Google and the University on behalf of a class, alleging breach of an express contract, unjust enrichment, violation of the Illinois Consumer Fraud Act, tortious interference, and intrusion upon seclusion / a novel medical-confidentiality tort, seeking damages and injunctive relief.
- The district court dismissed the complaint for failure to state a claim and dismissed the consumer-fraud claim for lack of standing; it doubted recognition of a novel medical-confidentiality tort under Illinois law.
- The Seventh Circuit affirmed but modified the dismissal to be for lack of Article III standing, holding Dinerstein failed to plausibly allege a concrete, particularized, and actual or imminent injury traceable to defendants.
Issues
| Issue | Plaintiff's Argument (Dinerstein) | Defendant's Argument (Google / University) | Held |
|---|---|---|---|
| Standing for privacy claim (novel medical-confidentiality / intrusion) | Transfer of anonymized records invaded privacy; records were insufficiently de‑identified and Google could reidentify him using geolocation/demographic data | Records were de‑identified under the Data Use Agreement; Google agreed not to identify individuals and has not used records to identify plaintiff | No standing — alleged past disclosure of anonymized records and speculative risk of future reidentification are not a concrete, particularized, or imminent injury |
| Standing based on breach of express contract | University promised confidentiality (Notice/Authorization); breach of that promise is itself a concrete injury | A bare contractual breach without concrete harm is only an injury at law, not an Article III injury in fact | No standing — breach alone, without a concrete harm, does not satisfy Article III (TransUnion/Spokeo/Thole principles) |
| Pecuniary theories (overpayment / entitlement to royalties/disgorgement) | Overpaid for medical care that was supposedly bundled with confidentiality; University unjustly benefited (perpetual license) | Plaintiff cannot show he lost money or retained a property interest in records; Illinois law and precedent (Silha) reject standing based solely on defendant's gain | No standing — plaintiff alleged no actual loss; cannot base injury solely on defendant’s gain or speculate a discrete confidentiality fee |
| Standing for injunctive relief based on risk of reidentification | Ongoing risk that Google will reidentify patients using dates plus app geolocation/demographic data supports injunction | Risk is speculative: Google contractually agreed not to identify, has not attempted reidentification, and allegations do not make future identification certainly impending | No standing for injunction — asserted future harm is too speculative and not certainly impending (Clapper/TransUnion reasoning) |
Key Cases Cited
- Spokeo, Inc. v. Robins, 578 U.S. 330 (2016) (concrete-injury requirement: an injury in law is not necessarily an injury in fact)
- TransUnion LLC v. Ramirez, 141 S. Ct. 2190 (2021) (distinguishes concrete injuries that support damages from speculative risks; historical/common-law analogue test)
- Lujan v. Defenders of Wildlife, 504 U.S. 555 (1992) (Article III standing elements: injury in fact, traceability, redressability)
- Clapper v. Amnesty Int’l USA, 568 U.S. 398 (2013) (future‑harm allegations must not be highly speculative; imminence requirement)
- Thole v. U.S. Bank N.A., 140 S. Ct. 1615 (2020) (no Article III standing where plaintiffs alleged breach of fiduciary duties/contract but no concrete monetary harm)
- Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015) (data‑breach plaintiffs plausibly alleged substantial risk of future identity/financial harm from exposed credit‑card data)
- Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016) (similar to Remijas on substantial risk from exposed payment data)
- Silha v. ACT, Inc., 807 F.3d 169 (7th Cir. 2015) (plaintiff cannot base injury solely on defendant’s gain; need to allege plaintiff’s loss)
- J.P. Morgan Chase Bank, N.A. v. McDonald, 760 F.3d 646 (7th Cir. 2014) (contract enforcement can involve concrete interests when independent financial harm is alleged)
- Steel Co. v. Citizens for a Better Environment, 523 U.S. 83 (1998) (federal courts must satisfy Article III jurisdictional limits before resolving merits)