Privacy Takes a Hit In the High Court

One of the earliest “privacy” laws in the United States is, surprisingly, the Fair Credit Reporting Act. Back during the Nixon Administration, Congress passed a law that gave people the right to see what was on their credit report, to contest inaccuracies on their reports and to ensure that the information on their credit report was accurate. The law also restricted what data credit reporting agencies could collect, to whom the data could be disseminated and how that data could be used.

In scope, context, and purpose, the FCRA was the model for all “privacy” laws that came later. It established, in federal law, the basic privacy principles related to data collection, data use, data transfer, data accuracy and data security. This was the model for the EU Data Privacy Directive, the GDPR, the California Consumer Privacy Act and all subsequent data privacy laws. So any interpretation of the FCRA can have a significant impact on privacy law overall—even if most people don’t think of the FCRA as a “privacy” law.

On June 25, 2021, the U.S. Supreme Court, in a case called TransUnion v. Ramirez, significantly, and possibly fatally, weakened the FCRA and, potentially, all subsequent privacy laws. Among other things, the FCRA requires information contained in credit reports to be “accurate.” The law required TransUnion to “follow reasonable procedures to assure maximum possible accuracy” of credit files. 15 U. S. C. §1681e(b).

This is significant because inaccuracies in credit reports can lead to denial of credit, higher interest rates, improper risk calculations and other negative consequences. Meanwhile, Congress has added additional things to the FCRA—using the credit reporting requirements to enforce things like Anti Money Laundering (AML), Know Your Customer (KYC) and export and sanctions enforcement under the Department of Treasury’s Office of Foreign Assets Control (OFAC). So, inaccurate information on a credit report could lead to denial of a job, being unable to open a bank account, transfer funds or worse.

When Sergio Ramirez went to buy a Nissan Maxima in Dublin, California, he learned the hard way what inaccurate information could lead to. His TransUnion credit report erroneously listed him as a Specially Designated National (SDN), and on the OFAC restricted list. In the words of the car dealer, he was “a terrorist.” Of course, he wasn’t. In fact, Ramirez learned that TransUnion had accidentally included an OFAC warning on the credit reports of more than 8,185 people, and had disseminated these erroneous credit reports to the creditors of about 1,853 of them. So, TransUnion breached its obligations of “accuracy” for more than 8,000 people, but had only transmitted the inaccurate data for fewer than 2,000. Ramirez attempted to sue in a class action on behalf of all 8,000 people who had the terrorist tag erroneously placed in their file.

Standing

In order to sue under the rule of “standing,” you have to have suffered a concrete injury as a result of the wrongful act of another. Now, there’s a difference between standing and damages. You have standing to sue if you suffered a “concrete injury,” even if the damages you suffered were slight. There’s a difference between being able to sue and being able to prove a specific amount of damages. If someone swings at you and misses, you have standing to sue for “assault” (battery requires contact), but you aren’t going to recover much.

There was no dispute that TransUnion had committed an act that was, at least, a violation of the statute. There was no dispute that the 1,853 people (including Ramirez) whose “terrorist” tag had at least been seen (and who possibly were denied credit or worse as a result) had suffered a concrete injury. But what about the 6,332 people whose TransUnion credit reports indicated that they were terrorists, but where those reports had not been shared with anyone outside TransUnion? Did they suffer a “concrete injury”? The Supreme Court said “no.”

The court listed examples of some of the “harms” which would give someone “standing” to sue. It noted: “certain harms readily qualify as concrete injuries under Article III. The most obvious are traditional tangible harms, such as physical harms and monetary harms. If a defendant has caused physical or monetary injury to the plaintiff, the plaintiff has suffered a concrete injury in fact under Article III.

Various intangible harms can also be concrete. Chief among them are injuries with a close relationship to harms traditionally recognized as providing a basis for lawsuits in American courts. Those include, for example, reputational harms, disclosure of private information and intrusion upon seclusion. And those traditional harms may also include harms specified by the Constitution itself.” In the opinion of the court, even though the FCRA both established a duty of accuracy and gave a right to sue for a violation of that duty, the court had no ability to provide a remedy, since those people whose credit reports were inaccurate suffered no cognizable injury and therefore had no recourse in the federal courts.

The court likened the problem to that of defamation. In defamation cases, something defamatory (harmful, hurtful and generally false) has to be “published” or communicated to others to establish the tort. If I just think you are a crook, but don’t say you are a crook, it’s not defamation. And if I only say it to you, it’s also not defamation (it’s not published to a third party). No harm, no foul. The problem is that, in a defamation case, without a publication there’s no defamation; the tort does not occur. In an inaccurate credit reporting case, the duty to keep accurate data applies irrespective of publication.

In addition, if you can’t show damages, you still get into court. If you can’t show standing, you’re left at the courthouse steps.

Potential Harm

One issue is the potential that one of the 6,000+ TransUnion-designated “terrorists” might suffer some injury in the future due to the fact that, at least for some period of time, they were labeled terrorists. And the terrorist label was “published” internally—at least to people within TransUnion—and that could cause injury to these falsely accused terrorists.

But the court was not convinced.

Potential future harm is not, in the opinion of the court, enough to get into court. One area of “potential harm” is a material risk of future harm. In Ramirez, the court recognized that you could go to court (standing) and sue if you could show that there was a material risk of future harm—but only to get an injunction to prevent the future harm, so long as the risk of harm is sufficiently imminent and substantial. Interestingly, the high court does not address what would happen if an injunction were obtained—for example, requiring the credit reporting agency to remove the inaccurate information—and the credit reporting agency simply didn’t comply. The failure to remove the inaccurate information would violate the injunction, just as the failure to remove it violates the FCRA. Would a person whose inaccurate data remained in the system have the right to sue for violation of the injunction (a court-ordered requirement) but not the statute (a Congressionally mandated requirement)? The court, however, noted that “TransUnion advances a persuasive argument that the mere risk of future harm, without more, cannot qualify as a concrete harm in a suit for damages.” Is there a meaningful distinction between a “risk of future harm,” the violation of an injunction intended to prevent future harm and the violation of a statute or regulation intended to prevent future harm? The court seems to suggest that the first two are cognizable injuries; the latter, not so much.

Implications for Privacy

And therein lies the rub. In many (and possibly most) data breach cases, individuals who have been the victim of a data breach may have a hard time demonstrating a concrete injury under this standard. The point of privacy law (and data breach law) is that there is a duty imposed on someone to keep something confidential and secure. That duty is imposed by statute, rule, regulation or some other manner. And there is a breach of that duty; just like in Ramirez, a duty to keep credit information accurate. But what is your “concrete harm” when your personal information is published online, stolen by hackers or sold on the dark web? It depends on the nature of the information and the uses actually made of the data. If what is breached is just your name, address and credit card number (including CVV and maybe your PIN), courts have been reluctant to find a “concrete harm” to the individual. The issuing bank has to reissue a new credit card to those impacted by the breach—that’s a concrete harm to the bank, but not to the consumer. The consumer may have to monitor their credit, review their credit card statements and put the new credit card number into all of their online sites (a total pain), and courts have been split on whether these measures—designed to prevent future harm—are themselves sufficient “concrete injury” to permit the data breach victims to go to court at all.

Typically, these cases are brought as class actions—an allegation that each of the thousands (or millions) of breach victims suffered some small but concrete injury (harm) such that the company responsible for the breach should compensate them for their (sometimes minor) injury or inconvenience. But the Ramirez case suggests that fear of future injury is not an injury at all, and the courthouse doors are closed—not just to one breach victim, but to the entire class. Even if the data is more sensitive—social security numbers, medical records or even nude selfies—the mere fact that the data has been “stolen” or not protected may or may not be sufficient to establish a “concrete injury.” Sure, if your nude selfies are hacked, you have a genuine fear of future harm—that they will be published on some website, or emailed to your boss—and you could get an injunction against the hacker to prevent it (good luck with that!). But, under Ramirez, you might not be able to sue the entity responsible for securing your nude selfie because you haven’t yet been harmed by the theft. You might have to wait. Or not. A court could also rule that the theft of personal information is itself a “publication” of the information, and therefore a concrete harm. It likely will depend on the nature of the information. When someone “sees” your credit card number, a court could conclude that no harm occurs until it is used to your disadvantage. When someone sees your nude selfies, the tort of intrusion into seclusion occurs at that point—you may not have to wait. But when someone sees your medical records—showing that your cholesterol is high and that your LDLs are higher than your SAT scores—have you yet suffered a concrete harm?

The problem is that we don’t value privacy. In both senses. We don’t place an economic value on privacy alone. Invasion of privacy—in the data privacy sense—is not a “concrete injury” in and of itself. The fact that my data has been exposed is not a harm until I can show that it was otherwise used to my disadvantage—and typically to my economic disadvantage. I typically have to show that I was denied a job, denied credit, had to pay more for something, denied a business opportunity or the like to recover damages for a “mere” invasion of privacy (there are, of course, exceptions to this “rule”).

But the Ramirez case goes further. It’s one thing to say that a jury won’t award you damages (or will only award nominal damages) for an invasion of privacy. It’s another to say that you can’t go to court at all—and that’s what Ramirez says. Privacy and data security duties—imposed by rule, by statute or even by simple negligence or tort law—require entities to do certain things. They can be required to monitor networks, encrypt data, provide authentication and access control and a host of other things.

The Ramirez case is consistent with a theme in the application of the law to data security and data privacy—that everything is fun and games until someone loses an eye. Only when there’s an actual breach that exposes data with some cognizable harm is there a right to sue. That’s why almost every privacy and security enforcement action comes not as a result of an audit, but as a result of a breach. It’s also a problem for Congress. Congress expressly wanted to impose a duty on credit reporting agencies to keep data secure and maintain its integrity. TransUnion didn’t do that. People who had done nothing wrong were falsely labeled “terrorist.” And that label was put on sensitive databases. And Congress provided a private right to sue if credit reporting agencies didn’t do what they were mandated to do. The Supreme Court adds an additional element to be able to get into court—publication—which is not in the statute.

The court goes further—asserting not that Congress did not give “unharmed” victims of the statutory violation a right to sue, but that, under the Constitution, they could not do so. The court noted, “A regime where Congress could freely authorize unharmed plaintiffs to sue defendants who violate federal law not only would violate Article III but also would infringe on the Executive Branch’s Article II authority.” If these duties—to ensure accuracy and privacy—were contractual rather than regulatory, in other words, if you entered into an agreement with TransUnion that they would not label you a terrorist, and they breached the contract, you certainly could go into court and sue for breach of contract, even if you might have a hard time showing damages from the contract breach.

Privacy is, in some ways, a contract. You (TransUnion) can have or have access to my personal data if you agree to maintain it accurately and confidentially and only use it for the purposes for which you have agreed. Often, these agreements are explicit—set out in stated and enforceable privacy policies. But under Ramirez, a court might also conclude that victims of a breach of contract also can’t sue without proof of a concrete injury. Because of the nature of the case, there’s not a lot that Congress or the Executive Branch can do. The high court has essentially closed the doors to the court itself, and claimed that Congress can’t do anything about it. Congress could find that privacy violations (and data integrity violations) are per se actionable. They could impose specific statutory penalties for violations of the FCRA (or some of its provisions) and assign a “value” to privacy. Or they could do nothing at all. In the end, this points to the need for a more holistic approach to data privacy, security and integrity, as well as clearer rules on when you can and cannot have a remedy for violation. Until then, we can expect more privacy litigants being shut out of courthouses.

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of Law, and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch has worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice, where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.