Concerning Whether Courts Have Jurisdiction to Review Cases Brought Based on Violations of Federal Statutory Rights
At issue in this case is whether a person may bring a lawsuit when a company violates a federal privacy law. In order to invoke the jurisdiction of federal courts under Article III, a plaintiff must have “standing” to sue. The Petitioner Spokeo, Inc., argued that the case should be dismissed because the Plaintiff did not prove that the publication of inaccurate personal information in violation of the Fair Credit Reporting Act was a concrete “injury” under Article III. The U.S. Court of Appeals for the Ninth Circuit disagreed, and denied Spokeo’s motion to dismiss the case for lack of jurisdiction.
(1) Whether Congress may confer Article III standing upon a plaintiff who suffers no concrete harm, and who therefore could not otherwise invoke the jurisdiction of a federal court, by authorizing a private right of action based on a bare violation of a federal statute.
Spokeo, Inc. operates a commercial website that discloses to the public personally identifiable information, including contact data, marital status, age, occupation, economic health, and wealth. Some of this information is subject to protection under federal privacy laws. Thomas Robins sued Spokeo for willful violations of the Fair Credit Reporting Act (FCRA), 15 U.S.C. § 1681 et seq. Robins charged that Spokeo disclosed inaccurate information about him that harmed his employment prospects and violated his rights under the Fair Credit Reporting Act. Spokeo sought to dismiss the case, claiming that there was no “injury-in-fact.” But a federal District Court rejected that argument, finding that the allegation of the FCRA violation was sufficient for the case to go forward. The U.S. Court of Appeals for the Ninth Circuit affirmed the lower court decision.
The Ninth Circuit found that Congress’s “creation of a private cause of action to enforce a statutory provision implies that Congress intended the enforceable provision to create a statutory right.” It also said that the violation of a statutory right is usually sufficient injury in fact to confer standing. The court explained that when a cause of action does not require proof of actual damages, a plaintiff can suffer a violation of the statutory right without suffering actual damages. The court rejected Spokeo’s appeal.
In its brief, EPIC advised the Supreme Court that this is not the time “to limit the ability of individuals to seek redress for violations of privacy rights set out by Congress.” EPIC argued that plaintiffs can sue in federal court whenever a company misuses their personal information contrary to federal law. The violation of a congressionally created right constitutes the constitutional injury a plaintiff needs to pass through the courthouse door. To require that plaintiffs also prove consequential harm caused by the misuse of personal information would undermine the ability of consumers to prevent misuse of their personal information under FCRA and other privacy and consumer protection laws.
EPIC highlighted the need for robust privacy and consumer protection laws by demonstrating that “American consumers today face an epidemic of privacy harms, including data breaches, identity theft, and financial fraud.” In 2015 alone, data breaches have “exposed more than one hundred and forty million records of personally identifiable information.” And according to the most recent Department of Justice report, “identity theft cost American consumers more than twenty-four billion dollars” in 2012. The risks of identity theft and fraud are amplified by data brokers, which collect and store tremendous amounts of sensitive consumer data. Data brokers sell this data, often without verifying its accuracy or completeness, and inaccurate data can have dramatically negative effects on individual consumers.
Because the potential harms are so serious, EPIC urged the Court to maintain the ability of consumers to use privacy and consumer protection laws to hold data collectors accountable for misuse of personal data. Spokeo’s proposed rule “would not only effect a dramatic narrowing of the FCRA, it would undermine the ability of individuals to prevent the misuse of many types of sensitive personal information.” “Were the Court to accept Spokeo’s argument,” EPIC concluded, “the Court would severely limit the deterrent effect of federal privacy laws and contribute to the growing problem of data breach and identity theft in the United States.”
United States Supreme Court, No. 13-1339
- Opinion (May 16, 2016)
- Oral Argument Transcript (Nov. 2, 2015)
- Brief of Respondent Robins (August 31, 2015)
- Briefs in Support of Respondent Robins:
  - Center for Democracy and Technology
  - Center for Digital Democracy
  - Constitutional Accountability Center
  - Information Privacy Law Scholars
  - Lawyers’ Committee for Civil Rights
  - Brief of Massachusetts et al.
  - National Resources Defense Council
  - Pension Rights Center
  - Public Law Professors
  - Public Citizen
  - Public Justice
  - Public Knowledge
  - Restitution and Remedies Scholars
  - American Association for Justice
  - United States
- Brief of Petitioner Spokeo (July 2, 2015)
- Amicus Briefs in Support of Spokeo:
  - ACA International
  - Alabama et al.
  - American Bankers Association et al.
  - National Association of Professional Background Screeners et al.
  - Chamber of Commerce et al.
  - Consumer Data Industry Association
  - Coalition for Sensible Public Records Access
  - eBay et al.
  - New England Legal Foundation
  - Pacific Legal Foundation
  - Retail Litigation Center, Inc.
  - Time Inc. et al.
  - Trans Union LLC
  - DRI-The Voice of the Defense Bar
  - Washington Legal Foundation
- Petition for Writ of Certiorari
- Brief of Respondent in Opposition
- Reply of Petitioner Spokeo
- Amici Briefs in Support of Petition:
  - Brief amicus curiae of Pacific Legal Foundation filed.
  - Brief amicus curiae of ACA International filed.
  - Brief amicus curiae of Trans Union LLC filed.
  - Brief amici curiae of Chamber of Commerce of the United States of America, et al. filed.
  - Brief amici curiae of eBay Inc., Facebook, Inc., Google Inc., and Yahoo! Inc. filed.
  - Brief amicus curiae of Experian Information Solutions, Inc. filed.
  - Brief amicus curiae of Consumer Data Industry Association filed.
  - Brief amici curiae of National Association of Professional Background Screeners, et al. filed.
  - Brief amici curiae of New England Legal Foundation, et al. filed.
  - Brief amicus curiae of DRI – The Voice of the Defense Bar filed.
  - Brief amicus curiae of United States filed.
United States Court of Appeals for the Ninth Circuit, No. 11-56843
United States District Court for the Central District of California, No. 10-5306
- Order Granting Motion to Dismiss, Robins v. Spokeo, No. 10-5306, 2011 WL 597867 (C.D. Cal. Jan. 27, 2011)
- First Amended Complaint, Robins v. Spokeo, No. 10-5306 (C.D. Cal. Feb. 17, 2011)
- Order Granting in Part and Denying in Part Motion to Dismiss, Robins v. Spokeo, 2011 WL 1793334 (C.D. Cal. May 11, 2011)
- Order Correcting Prior Ruling, Robins v. Spokeo, No. 10-5306, (C.D. Cal. Sept. 19, 2011)