Concerning Whether Courts Have Jurisdiction to Review Cases Brought Based on Violations of Federal Statutory Rights
At issue in this case is whether a person may bring a lawsuit when a company violates a federal privacy law. In order to invoke the jurisdiction of federal courts under Article III, a plaintiff must have “standing” to sue. The Petitioner Spokeo, Inc., argued that the case should be dismissed because the Plaintiff did not prove that the publication of inaccurate personal information in violation of the Fair Credit Reporting Act was a concrete “injury” under Article III. The U.S. Court of Appeals for the Ninth Circuit disagreed, and denied Spokeo’s motion to dismiss the case for lack of jurisdiction.
(1) Whether Congress may confer Article III standing upon a plaintiff who suffers no concrete harm, and who therefore could not otherwise invoke the jurisdiction of a federal court, by authorizing a private right of action based on a bare violation of a federal statute.
Spokeo, Inc. operates a commercial website that discloses to the public personally identifiable information, including contact data, marital status, age, occupation, economic health, and wealth. Some of this information is subject to protection under federal privacy laws. Thomas Robins sued Spokeo for willful violations of the Fair Credit Reporting Act (FCRA), 15 U.S.C. § 1681 et seq. Robins charged that Spokeo disclosed inaccurate information about him that harmed his employment prospects and violated his rights under the Fair Credit Reporting Act. Spokeo sought to dismiss the case, claiming that that there was no “injury-in-fact.” But a federal District Court rejected that argument, finding that the allegation of the FCRA violation was sufficient for the case to go forward. The U.S. Court of Appeals for the Ninth Circuit affirmed the lower court decision.
The Ninth Circuit found that Congress’s “creation of a private cause of action to enforce a statutory provision implies that Congress intended the enforceable provision to create a statutory right.” It also said that the violation of a statutory right is usually sufficient injury in to confer standing. The Court explained that when a cause of action does not require proof of actual damages, a plaintiff can suffer a violation of the statutory right without suffering actual damages. The court rejected Spokeo’s appeal.
EPIC’s Amicus Brief
In its brief, EPIC advised the Supreme Court that this is not the time “to limit the ability of individuals to seek redress for violations of privacy rights set out by Congress.” EPIC argued that plaintiffs can sue in federal court whenever a company misuses their personal information contrary to federal law. The violation of a congressionally created right constitutes the constitutional injury a plaintiff needs to pass through the courthouse door. To require that plaintiffs also prove consequential harm caused by the misuse of personal information would undermine the ability of consumers to prevent misuse of their personal information under FCRA and other privacy and consumer protection laws.
EPIC highlighted the need for robust privacy and consumer protection laws by demonstrating that “Americans consumers today face an epidemic of privacy harms, including data breaches, identity theft, and financial fraud.” In 2015 alone, data breaches have “exposed more than one hundred and forty million records of personally identifiable information.” And according to the most recent Department of Justice report, “identity theft cost American consumers more than twenty-four billion dollars” in 2012. The risk of identity theft and fraud are amplified by data brokers, which collect and store tremendous amounts of sensitive consumer data. Data brokers sell this data, often without verifying its accuracy or completeness, and inaccurate data can have dramatically negative effects on individual consumers.
Because the potential harms are so serious, EPIC urged the Court to maintain the ability of consumers to use privacy and consumer protection laws to hold data collectors accountable for misuse of personal data. Spokeo’s proposed rule “would not only effect a dramatic narrowing of the FCRA, it would undermine the ability of individuals to prevent the misuse of many types of sensitive personal information.” “Were the Court to accept Spokeo’s argument,” EPIC concluded, “the Court would severely limit the deterrent effect of federal privacy laws and contribute to the growing problem of data breach and identity theft in the United States.”