Data Breach_GettyImages_515745835This morning, the Supreme Court of the United States issued its decision in Robins v. Spokeo, No. 13–1339, 578 U. S. ____ (2016), putting to rest months of speculation as to whether the Court could come to a meaningful decision (that would be anything other than 4-4) in the aftermath of Justice Scalia’s passing in February. In a ruling that (predictably) defense and plaintiffs’ lawyers alike are heralding as a victory, the Court held that the Ninth Circuit erred in finding standing because “the injury-in-fact requirement requires a plaintiff to allege an injury that is both ‘concrete and particularized.’” The Court called out the Ninth Circuit’s analysis for overlooking the concreteness element. With that, the Court vacated the decision below and remanded for the Ninth Circuit to consider both aspects of the injury-in-fact requirement. My focus for purposes of this initial post will be why a privacy class action defense litigator like me should care about what the Court did here, and how it might impact other kinds of privacy class actions. This is just the first in a series of blog posts that BakerHostetler will publish on the implications of Spokeo.

The academic and legal communities have long struggled with the notion of what constitutes a privacy injury giving rise to some right to legal protection – whether via legislation or regulation, or through the courts. Some have argued in favor of more regulation and legal protection in the privacy space even in the absence of a “completed harm.” See, e.g., Paul Ohm, Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization, 57 UCLA Law Review 1701 (2010). Importantly, the Supreme Court’s decision makes clear that, at the end of the day, there can be no Article III standing unless and until there is in fact a concrete and particularized injury in fact:

A “concrete” injury must be “de facto”; that is, it must actually exist. See Black’s Law Dictionary 479 (9th ed. 2009). When we have used the adjective “concrete,” we have meant to convey the usual meaning of the term — “real,” and not “abstract.” Webster’s Third New International Dictionary 472 (1971); Random House Dictionary of the English Language 305 (1967). Concreteness, therefore, is quite different from particularization.

That does not mean, of course, that an intangible injury cannot be concrete. The Supreme Court affirmed its prior jurisprudence to that effect, and this is nothing new. In this respect, the Court noted that history and the judgment of Congress are important in determining what intangible injuries rise to the level of injury-in-fact. “[I]t is instructive to consider whether an alleged intangible harm has a close relationship to a harm that has traditionally been regarded as providing a basis for a lawsuit in English or American courts.” And while Congress “may ‘elevat[e] to the status of legally cognizable injuries concrete, de facto injuries that were previously inadequate in law’” (citing Lujan v. Defenders of Wildlife, 504 U. S. 555, 578 (1992)), the Court made clear that this does not “mean that a plaintiff automatically satisfies the injury-in-fact requirement whenever a statute grants a person a statutory right and purports to authorize that person to sue to vindicate that right. Article III standing requires a concrete injury even in the context of a statutory violation.” Therefore, “a bare procedural violation, divorced from any concrete harm” does notsatisfy the injury-in-fact requirement of Article III.

Ultimately, there is no doubt that certain privacy harms will satisfy the injury-in-fact analysis. Indeed, citing its well-known decision in Clapper v. Amnesty Int’l, the Court noted that “a risk of real harm” can satisfy the requirement of concreteness.

With all of this as background, the Court ultimately concluded that, in Mr. Robins’ case, he cannot satisfy the demands of Article III “by alleging a bare procedural violation” because such a procedural violation “may result in no harm.” The Court even offered an incorrect zip code as an example of a credit reporting inaccuracy that might not cause harm or present any material risk of harm. “It is difficult to imagine how the dissemination of an incorrect zip code, without more, could work any concrete harm.”

In the age of Big Data, and particularly Big Data that is used to protect consumers (e.g., fraud detection) and/or meet the voracious consumer appetite for on-demand content and interactive services (and, quite frankly, the ability to share content in a social fashion), it is critical to remember that generalized amorphous fears that data could theoretically be used in some fashion to harm individual privacy interests do not mean that (a) data will be used in a harmful way or (b) such fears give rise to a sufficiently concrete and particularized injury to support standing in our federal courts.

The rest of the story as to how Spokeo will be interpreted and applied by the lower courts remains to be told.