Principles of Privacy and Harm: Concrete Damages in the Information Age
By Leo Krapp
Graduate Student, Yale University
Law Clerk, Viking Tech Law
On the 25th of June, 2021, the US Supreme Court limited the ability of a class of consumer plaintiffs to pursue data privacy-related claims in federal court in TransUnion LLC vs. Ramirez. To have standing to sue, one must show they suffered "concrete harm," even when a credit agency has incorrectly flagged them as a potential terrorist or criminal. The decision has sweeping implications for the separation of powers, class action lawsuits, individual rights, and the relationship between data privacy and the legal definition of risks and damages.
In February of 2011, Sergio Ramirez, his wife, and his father-in-law arrived at a Nissan dealership to purchase a car. Upon running a credit check on Ramirez, the dealership discovered that his credit report, produced by TransUnion, contained the following alert: “***OFAC ADVISOR ALERT - INPUT NAME MATCHES NAME ON THE OFAC DATABASE.” He was informed that he would not be sold the car because his name was on a “terrorist list.”
A little bit of background: In 2002, TransUnion, one of the Big Three credit reporting agencies whose primary business model is selling consumer reports to businesses and entities that request information on the creditworthiness of individual consumers, developed an additional product to sell to their customers, OFAC Name Screen Alert. This service runs an individual’s first and last name against the U.S. Treasury Department’s Office of Foreign Assets Control’s list of terrorists, drug traffickers, and international criminals. Notably, TransUnion used third-party software to cross-check credit applicants with this list, the only criteria being an individual’s first and last name. Unsurprisingly, thousands of Americans were flagged as potential terrorists simply for having the wrong name.
Ramirez then asked for his complete credit report from TransUnion. The first report he received neglected to include the OFAC flagging, and it was only the following day that he was informed that he was considered a potential match to names on the OFAC list. A year later, Ramirez sued TransUnion, requesting statutory and punitive damages for affecting his ability to buy a car, failing to provide him with the information he requested, and causing him damage by revealing private info to third parties without consent. The U.S. District Court for the Northern District of California certified a class action lawsuit, and the jury awarded each class member roughly $7,000, totaling more than $60 million in damages. The U.S. Court of Appeals for the Ninth Circuit affirmed this ruling, but reduced the punitive damages to around $4,000.
The Supreme Court reversed this judgment and remanded the case for further proceedings consistent with their opinion, stating that: “Only a plaintiff concretely harmed by a defendant’s violation of the Fair Credit Reporting Act has Article III standing to seek damages against that private defendant in federal court” (TransUnion LLC v. Ramirez, No. 20-297 (June 25th, 2021)).
Issues and Rules
The Fair Credit Reporting Act (FCRA) was passed by Congress to regulate consumer reporting agencies whose business model is built on compiling and disseminating personal information about consumers. 15 U.S.C. § 1681 et seq. Part of this regulation provides a cause of action for consumers to sue and recover damages for violation of their individual privacy rights.
Article III of the Constitution directly affects such an act, confining federal judicial power to the resolution of “Cases” and “Controversies” in which a plaintiff has a “personal stake.” Raines v. Byrd, 521 U.S. 811, 819-820. One of the requirements to have Article III standing is the ability to demonstrate that the plaintiff suffered “concrete injury.” Lujan v. Defenders of Wildlife, 504 U.S. 555, 560–561 (1992). This subjective category of concreteness is evaluated in the context of whether the harm has a “close relationship” to a harm “traditionally” recognized as having a basis for a lawsuit in American courts. Spokeo, Inc. v. Robins, 578 U.S. 330, 340–341 (2016).
Using this information, Justice Brett Kavanaugh wrote in the majority opinion of the court that more than 75% of the plaintiffs in the class-action suit could not demonstrate concrete damage beyond the category of a “risk of future injury,” which does not qualify one for Article III standing. In addition, Kavanaugh relied on the precedent set by Spokeo to argue that, despite the views of Congress represented by the FCRA that the unregulated dissemination of consumer personal and financial information was a violation of individual privacy rights, it is the role of the judiciary to put a check on the ability of the legislature to pass laws that enact injuries into existence despite the absence of legally demonstrable harms.
The determination that the majority of plaintiffs did not suffer a concrete harm rested on another key issue in this case: inaccurate credit reporting alone does not confer standing to sue, because the reporting does not damage a plaintiff until it is disseminated to a third party. Until then, the presence of damaging information in credit reporting databases is not legally challengeable.
This case has broad implications for the future of individual privacy and data rights, as well as for the functioning of the judiciary in general. The first is that consumer plaintiffs will have a much more difficult time getting into federal court without demonstrating concrete injury first. This goes hand in hand with the second implication: a violation of the FCRA, and by extension a number of other pieces of U.S. legislation, including the Fair Debt Collection Practices Act and the Telephone Consumer Protection Act, is no longer enough to demonstrate concrete injury.
A third implication is the weakening of the ability to obtain class certification and to pursue class-action lawsuits for the violation of individual rights. In the time of big data, consumer plaintiffs will have to shoulder the burden of demonstrating concrete injury for each member of the class, strengthening the ability of corporations to fend off suits that are attempting to punish the misuse of data and information that is simultaneously incredibly sensitive and incredibly lucrative.
A Comparative Approach to Recent Privacy Developments in the EU
On the 16th of July, 2020, the Court of Justice of the European Union invalidated the EU-U.S. Privacy Shield Framework, which facilitated the transfer of personal data from the EU to the U.S. This framework is the second of its kind to fall in Europe’s highest court. In 2015, the predecessor of the Privacy Shield, the U.S.-E.U. Safe Harbor Agreement, was also invalidated.
The 2015 ruling was based on claims made by Austrian PhD student Maximilian Schrems that his Facebook data held by Facebook’s Irish subsidiary should not be transferred to Facebook’s U.S. servers following Edward Snowden’s 2013 revelations about the blatant privacy abuses perpetrated by the intelligence agencies of the U.S., specifically the National Security Agency. This claim was rejected by the Irish Data Protection Commissioner on the grounds that the Safe Harbor agreement maintained adequate levels of protection for personal data. The Safe Harbor agreement consisted of data protection principles that American companies needed to voluntarily subscribe to in order to engage in cross-border data transfers. The CJEU then declared that the Safe Harbor agreement did not uphold an adequate standard of protection, ruling in favor of Schrems.
In striking down the Privacy Shield in 2020, the CJEU has accorded privacy and data protection primacy among EU fundamental rights. The EU’s far-reaching General Data Protection Regulation is the primary way that these rights are defended, and also the primary mechanism by which the international data privacy concerns are regulated. The GDPR limits the transfer of personal data from non-EU states that have not demonstrated adequate defense of data privacy rights.
This 2020 decision backs up the 2015 decision which ruled that the collection of transferred data without providing recourse to pursue legal remedies for these abuses constituted a violation of the fundamental rights of private life. Bolstered by increased evidence against the widespread data and privacy violations perpetrated by U.S. intelligence agencies, the CJEU ruled in 2020 that U.S. governmental intelligence collection “cannot be regarded as limited to what is strictly necessary.” A central part of the EU’s Charter on Fundamental Rights is that restrictions to these rights must be both “necessary” and “proportionate” in a democratic society. In addition, the failure of U.S. law to provide judicial remedies further violates the GDPR.
The TransUnion case seems to support the CJEU’s decision not to trust the U.S. judiciary when it comes to privacy rights. Having only further undermined the ability of U.S. citizens to pursue recourse upon the violation of their privacy rights, the TransUnion case opens the door not only to abuses by corporations in the name of profit and efficiency, but abuses by governmental agencies in the name of security and order. The staunch position maintained by the CJEU and the EU Charter for Fundamental Rights when it comes to privacy rights provides a timely example of how these crucial privacy issues can be handled responsibly and seriously. Their worries about the mishandling of these issues by the American government are not unfounded. An overpowered and unaccountable set of intelligence agencies that see surveillance as necessary to ensure liberty and a judicial system that seeks to narrow the channels to pursue justice when it comes to the violation of individual privacy rights makes for a dangerous combination.
The landscape of privacy law across the globe is rapidly changing, and it is important for anyone with a stake in information and data to keep an eye on these changes. This is a far-reaching category, and TransUnion demonstrates that a mundane encounter can implicate significant issues when it comes to data and privacy rights. While the gap between European and American approaches to these topics seems to be widening, Californian residents should be aware that the California legislature is taking steps to defend consumer privacy rights with the California Consumer Privacy Act of 2020. This act takes considerable steps to clarify acceptable practices when it comes to consumer data and provides serious regulations to protect against privacy abuses.
For Americans as a whole, however, it will now be much more difficult to gain standing to sue to protect one’s digital privacy. It will be important to monitor developments at the regional and federal levels when it comes to the relationship between the law and the internet age.