PH Privacy
Supreme Court Limits Article III Standing: Implications for Data Privacy Litigation
July 02, 2021
Aaron Charfoos, Jacqueline Cooney & Patricia Liverpool
On June 25, 2021, the Supreme Court issued a ruling in TransUnion LLC v. Ramirez, limiting Article III standing for class action plaintiffs seeking damages for statutory violations. In a 5-4 decision, the Court determined that the Constitution confers Article III standing only for plaintiffs that have suffered a “concrete harm” as a result of a defendant’s statutory offenses. The Court’s decision is certain to affect future data privacy litigation.
Factual History
A class certified by the lower court alleged that the defendant, a credit reporting agency, failed to use reasonable procedures to ensure the accuracy of the class members’ credit files—an alleged violation of the Fair Credit Reporting Act. The credit reports erroneously identified the plaintiffs as designated by the Office of Foreign Assets Control (“OFAC”) as “specially designated nationals” subject to sanctions. The named plaintiff filed the lawsuit against the defendant after he was unable to purchase a vehicle due to the inaccurate credit report, and he sought to represent a class of 8,124 individuals. Prior to trial, the parties stipulated that only 1,853 members of the class had their inaccurate credit reports provided to third parties.
Legal Reasoning
The Supreme Court reversed the Ninth Circuit’s holding. Writing for the Court, Justice Kavanaugh noted that the injury-in-fact prong of Article III standing requires a showing of concrete harm, or, “real, and not abstract” harm. In Spokeo Inc. v. Robins, the Supreme Court held that one of the paramount questions in assessing concreteness, is whether the asserted harm bears a “close relationship” to a harm traditionally recognized as providing a basis for a lawsuit. Although certain tangible harms have been held concrete, such as monetary or physical harms, intangible harms, like reputational harm, can also be found concrete. In the same decision, the Court also found that a statutory violation is not enough to confer Article III standing, rather, the plaintiff must still demonstrate a concrete injury. In other words, “an injury in law is not an injury in fact.”
Applying the standing principles to TransUnion, the Court found that only the 1,853 class members whose inaccurate credit reports were sent to potential creditors suffered a concrete harm. The plaintiffs had argued that the dissemination of the reports was akin to the reputational harm associated with the tort of defamation.
The Court, however, held that the remaining members of the class did not suffer concrete harm. The credit reports, while inaccurate, were not disseminated to third party businesses. Further, although the plaintiffs contended that the existence of the alerts in the defendant’s internal files exposed them to a risk of future harm, the Court emphasized that the risk of future harm never materialized. As a result, these members did not suffer a concrete harm.
Implications for Data Privacy
The Supreme Court’s decision could have a far-reaching impact on the application of data privacy statues by limiting those individuals who have standing to sue companies for violations of data privacy laws. The holding in this case is significant because mere violations of data privacy laws may not be sufficient to confer standing on potential plaintiffs. Instead, plaintiffs must show that they have suffered a “concrete harm” as a result of the violation. According to the Court’s opinion, only those individuals whose inaccurate credit reports were sent to third party businesses were harmed and thus had standing to sue. Although the defendant had reported inaccurate information for the remaining class members, the Court determined that this violation, with no other showing of harm, did not confer standing.
Nonetheless, it remains to be seen how the lower courts will implement the Supreme Court’s holding for data privacy litigation. Although the Court emphasized that potential litigants must demonstrate more than a statutory violation to be heard in federal court, lower courts may still find that certain violations with minimum actual harm meet the Court’s threshold.
Further, although the risks associated with federal private actions appears to have been lowered, government agencies still retain the right to pursue enforcement against a company for violations of privacy laws. In addition, while the Court’s decision has curtailed standing for plaintiffs in federal courts, litigants may choose to instead file in state courts, where standing principles are less rigid. As a result, businesses must continue to review their privacy programs to ensure they comply with statutory requirements.
Paul Hastings will continue to monitor how the Supreme Court’s decision will impact data privacy litigation and post additional alerts on any notable developments.
Practice Areas
Data Privacy and Cybersecurity
Privacy and Cybersecurity Solutions Group