Did the US Supreme Court Just Gut Privacy Law Enforcement?
Within the typical June end-of-term flurry of released decisions from the U.S. Supreme Court, one ruling that may have a significant effect on future privacy cases has flown under the radar of the tech press.
The case, Transunion v. Ramirez, was itself not a privacy ruling, but the majority opinion limits the ability of citizens to maintain lawsuits based on rights created by statute, and as nearly all general privacy rights in the US are created by statute, it could severely reduce people’s ability to successfully sue to enforce privacy rights. Privacy litigation is particularly susceptible to attack under this decision, as the Transunion majority based its opinion on the perceived insufficiency of concrete harm suffered by plaintiffs, and concrete (non-speculative or future) harm has often been difficult to establish in privacy litigation.
Post-decision, the most important factors affecting privacy cases will be whether Congress is able to enact a broad federal privacy right and how state laws and state courts may be influenced by the Transunion precedent. Failure to provide proof of concrete harm in data breach cases has sunk the claims of many plaintiffs over the past 15 years, and the Supreme Court has made this uphill climb more difficult at precisely the moment when statutory privacy claims are gaining traction.
California’s omnibus privacy laws provide both a private cause of action and statutory damages for plaintiffs affected (harmed?) by a private company’s unreasonable exposure of personal data. BIPA, the influential biometric privacy act in Illinois, allows residents to sue for statutory damages if their biometric readings are used without permission. Prior to the Transunion decision, courts had not consistently indicated that a showing of concrete damage would be required to collect the statutory damage for the violation of these statutory rights. State courts in California do not follow the federal standing rules, so cases filed under CCPA/CPRA may not be affected by the case. Other privacy cases will.
The relevant decision in Transunion involves standing to sue in federal court. The court found that to have Constitutional standing to sue in federal court, a plaintiff must show, among other things, that the plaintiff suffered concrete injury in fact, and central to assessing concreteness is whether the asserted harm has a close relationship to a harm traditionally recognized as providing a basis for a lawsuit in American courts. The court makes a separation between a plaintiff’s statutory cause of action to sue a defendant over the defendant’s violation of federal law, and a plaintiff’s suffering concrete harm because of the defendant’s violation of federal law. It claims that under the Constitution, an injury in law is not automatically an injury in fact. A risk of future harm may allow an injunction to prevent the future harm, but does not magically qualify the plaintiff to receive damages.
According to the majority, “The Court has rejected the proposition that ‘a plaintiff automatically satisfies the injury-in-fact requirement whenever a statute grants a person a statutory right and purports to authorize that person to sue to vindicate that right.’ … An injury in law is not an injury in fact.” The majority specifically rejected the proposition that “a plaintiff automatically satisfies the injury-in-fact requirement whenever a statute grants a person a statutory right and purports to authorize that person to sue to vindicate that right.” It found that a plaintiff in such cases must establish that it suffered a concrete injury “even in the context of a statutory violation.” This would mean that some of the “injuries” that privacy plaintiffs have claimed to establish standing, like increased anxiety over a data exposure or the possibility that their data may be abused by criminals in the future, are less likely to resonate in some future cases.
Is the Transunion decision a major break in federal law that affects how legislatures effectively provide new rights? According to the Supreme Court minority, yes. Justice Thomas, with concurrence by three other justices, wrote, “Never before has this Court declared that legal injury is inherently insufficient to support standing. And never before has this Court declared that legislatures are constitutionally precluded from creating legal rights enforceable in federal court if those rights deviate too far from their common law roots. . . In the name of protecting the separation of powers, this Court has relieved the legislature of its power to create and define rights.”
This decision will not automatically affect all privacy litigation. It only applies to cases in federal courts. But federal constitutional standing doctrine has a significant, though not controlling, influence on state courts as well. A majority of state courts currently apply the Constitutional standing rules, so data breach or statutory privacy cases in these states will likely be affected by this new Supreme Court standing decision.
Many privacy lawyers have been anticipating a broad federal privacy protection rule for nearly two decades. Unfortunately for the fans of the federal privacy option, the Democrats prefer such a law be a floor of basic rights to build more restrictive state rights upon, while the Republicans prefer such a law be a ceiling that limits the ability of states to create more personally protective deviations. As long as these differences in opinion dominate the debate and neither side has the ability to impose its will on the other, we are unlikely to see a broad federal privacy mandate. But if we do, effectively enforcing rights under the mandate will be made more difficult by the Transunion decision.
But as more states pass privacy laws which include private rights of action, enacting those rights could be complicated by this new Constitutional reading. Prior to the ruling, many lawyers believed that if the legislature provided a personal right, and a defendant could be shown to violate that right, then money damages and (importantly) attorney’s fees would automatically follow. Now, even in the world of privacy, where establishing concrete damages from a data exposure has always been difficult, there is more pressure to either show significant damage or drop out of the lawsuit.
Like any Supreme Court decision, the effects of the Transunion changes to the ability to successfully maintain lawsuits will cascade through the courts and legislatures over the next decade. It may be several years before we know how it affects privacy cases. But it has the potential to clamp down on both the recent increase in private filings to enforce privacy rights and the optimism that plaintiffs’ lawyers are showing by building their practices in this space. They may not have a leg to stand on.