The vast difference between the views of privacy held in the US and in the EU is illustrated by the divergent paths of two prominent data privacy actions. In the EU, the action was brought by Max Schrems as a complaint before the Irish Data Protection Commissioner, claiming that Facebook’s transfer of user data to servers in the US violates EU privacy law because the US does not adequately protect the data. In a recent victory for Schrems, the EU Court of Justice found that that the Safe Harbor framework could no longer serve as sufficient protection for EU citizens’ personal data, given revelations about NSA spying in the US. The Irish DPA will now continue its investigation. (Schrems has also brought an action in Austria against Facebook where he purports to represent over 25,000 European Facebook users. That action is pending as well. For more information, see http://www.technethics.com…)
In the US, Thomas Robins sued the data broker Spokeo, claiming that the people search engine generated improper information about him on its database in violation of the Fair Credit Reporting Act. While the district court granted Spokeo’s motion to dismiss for lack of standing under Article III of the US Constitution, the Second Circuit Court of Appeals reversed, finding the case could continue. The US Supreme Court granted certiorari on the narrow issue of whether the plaintiffs have standing to sue for a violation of the FCRA when they allege solely statutory injury – in other words, they allege a violation of the Act but no tangible or “concrete” harm. The Court, which heard oral arguments on November 2, 2015, must decide whether Congress’s establishment of a statutory privacy right coupled with the plaintiff’s allegation of violation is enough to constitute an actionable “case or controversy” under the Constitution.
The issue of harm is a difficult one in the privacy law field in general. It would be almost impossible for Robins to prove that the incorrect information on his Spokeo profile led to an employer’s adverse decision, and it would be difficult for Schrems to prove that his information was accessed by US authorities. But in the EU, the allegations of harm are sufficient. In fact, Facebook lost a similar argument in the Schrems case before the High Court of Ireland. There, the defense argued that the plaintiff’s complaint was “essentially hypothetical and speculative in nature” since there was no evidence “to suggest that there was an imminent risk of grave harm to him or that any of his data had been or was likely to be accessed by the NSA.” The court rejected this argument: “Quite obviously, Mr. Schrems cannot say whether his own personal data has ever been accessed or whether it would ever be accessed by the US authorities. But even if this were considered to be unlikely, he is nonetheless certainly entitled to object to a state of affairs where his data are transferred to a jurisdiction which, to all intents and purposes, appears to provide only a limited protection against any interference with that private data by the US security authorities.”
In contrast, US privacy law still struggles with the viability of allegations of intangible or dignitary harm. Just this past week, an administrative law judge dismissed the FTC’s claim against LabMD, finding insufficient the allegations of consumer harm from LabMD’s inadequate protection of personal information. Given the narrow posture of the Supreme Court appeal in Spokeo, the decision will not likely answer whether harm such as emotional distress is actionable. Instead, the Court will decide whether violation of a federal act itself provides standing – a crucial question in the meantime.