Last week, Ingrid Wuerth flagged Spokeo, Inc. v. Robins for Lawfare readers as one of the key national security law cases of the Supreme Court’s October 2015 Term. The Court held argument in Spokeo on Monday. The Justices’ comments confirm that Spokeo is a case to watch this term, one with potentially far-reaching implications for privacy law and cyber law.
Spokeo involves the Fair Credit Reporting Act, which allows a consumer to sue a credit reporting agency that (among other technical requirements) fails to take reasonable measures to ensure that the information in the consumer’s report is accurate. Even if the consumer can’t prove “actual damages,” he or she can recover statutory damages of up to $1,000 for “willful” violations.
Spokeo argues that the plaintiff, Thomas Robins, lacks the requisite “injury-in-fact” for Article III standing because he suffered no “concrete harm” when Spokeo included inaccurate information about him in his profile. The Court of Appeals for the Ninth Circuit rejected that argument, holding that the violation of Robins’s statutory rights under FCRA was a sufficient “injury-in-fact,” and that Congress could permissibly elevate “Robins’s personal interests in the handling of his credit information” to the status of legally cognizable rights because those interests “are individualized rather than collective.”
Spokeo and Cyber Law
For Lawfare readers, the most interesting facet of Spokeo is how it might affect Congress’s power to recognize new forms of digital injury and to provide a private remedy for them.
If the Court rules for Spokeo, it would likely (but, as explained below, need not necessarily) hold that the publication of false information about Robins was not a sufficiently “concrete,” “real-world” harm to give him standing under Article III. That would mean that courts have an independent constitutional obligation to determine whether an injury to an individual, personalized interest is “real” enough to confer Article III standing—even if Congress has deemed that interest worthy of being elevated to a legally cognizable right. (Assuming that this is indeed what Congress has done in the FCRA—more on that below.)
That principle, if established, could have significant implications for the future development of cyber law. It’s easy to imagine many types of online conduct that a forward-thinking legislature might deem injurious—even reprehensible—but that, like publishing false information about a consumer, may inflict only intangible dignitary or emotional harm. Temporarily hijacking or defacing a person or organization’s website. Publishing or sharing intimate photos or videos without the consent of the person depicted—a particularly odious but increasingly widespread form of harassment. Posting publicly someone’s private emails or other confidential communications. Using a drone to spy on a neighbor. Hijacking a person’s social media account and using it as “a platform to broadcast racist and homophobic messages.” None of these examples necessarily inflicts what Spokeo’s brief calls “concrete harm”—yet each, to varying degrees, harms the victim’s dignity, reputation, or sense of well-being, often in a deep and personal way.
To be sure, some of these might strike me, or you, or a judge, as inherently more harmful than merely having false information in a credit report. But there’s no neutral, judicially administrable basis for making that judgment, as the Justices’ comments at argument illustrated. Justice Kagan expressed the view that people who had false information about them disseminated online “would feel as though they had some interest that had been invaded.” Meanwhile, Justice Scalia appeared to disagree, distinguishing between “everybody about whom false information has been given” and “somebody about whom false information that harms him has been given.” Reasonable minds can disagree. But the lack of a neutral basis for deciding whether some digital wrong inflicts “real” harm on the victim illustrates why deciding which digital injuries warrant a private remedy is a quintessentially legislative call.
In short, “concrete” versus “intangible” personal injury is not a useful line to draw—most of us would gladly take a kick to the shin over having a hacker delete our family photos or post our Gmail archive online. The relevant question is who decides what digital interests are weighty enough to be elevated to enforceable rights.
As digital life becomes an ever-more-significant element of “real” life, it will (and in our constitutional structure, should) principally fall to legislatures to update the law to protect the building blocks of digital life—data, reputation, and identity—just as traditional tort law protects person and property. One Spokeo amicus brief points out several small ways in which Congress has already done this. For example, in response to a journalist’s snooping into Judge Bork’s video records, Congress passed the Video Privacy Protection Act, prohibiting unauthorized disclosure of rental records and authorizing courts to award damages for such disclosures.
Video rental records look practically quaint compared to the highly personal information Americans routinely entrust to Internet companies. But as one high-profile data breach follows another, it’s not hard to imagine Congress emulating the Video Privacy Protection Act model in the Internet realm. That is, elevating a widely-held expectation that certain information will be kept private into a legally enforceable right. Spokeo is a significant cyber law case because it threatens to obstruct that development, shackling the definition of “injury” in the digital world to harm in the physical world.
A Few Thoughts on the Merits
Of course, that a ruling in Spokeo’s favor would hamper Congress’s ability to remedy digital injuries does not establish that such a ruling would be incorrect. But that policy concern is intimately linked to the merits. Namely, the impulse to limit the types of personal injuries for which Congress can enact a private remedy reflects a deeper misapprehension about the standing doctrine itself.
Standing is, at bottom, a separation-of-powers doctrine; in Justice Alito’s words, it “serves to prevent the judicial process from being used to usurp the powers of the political branches.” As Judge Brett Kavanaugh has explained, standing keeps the judiciary in its lane “by requiring citizens to express their generalized dissatisfaction with government policy through the Constitution’s representative institutions, not the courts.”
In short, “[s]tanding is … properly regarded as a doctrine of judicial self-restraint,” meant to ensure that the political branches, not the courts, set policy. Congress decided that having inaccurate information about oneself published online is an injury worthy of legal redress. (Assuming, again, that that’s what the FCRA in fact says. More on that below.) The Constitution gives courts no license to second-guess that substantive policy choice. It would be especially ironic to find such a license in standing, a doctrine designed to keep the courts off the political branches’ turf.
Two final thoughts:
First, to some in the media, Spokeo is primarily a showdown between beleaguered companies and trial lawyers seeking to cash in on frivolous class actions. As a descriptive matter, that’s probably right. The problem is that standing is the wrong dueling-ground on which to settle that feud. Class-action abuse should be curbed by tightening the standards for class certification, not by distorting standing doctrine and encroaching on Congress’s legislative powers. Alternatively, Congress can (and probably should) revise the FCRA and similar statutes that have spawned abusive class actions.
Second, even if the Court rules for Spokeo, it can and should resolve the case on grounds that would preserve Congress’s authority to decide which intangible (but individualized) harms are worthy of legal protection, and which are not. There are at least two routes by which the Court could do this.
Most straightforwardly, the Court could avoid the constitutional question (perhaps even without recourse to the avoidance canon) by reading the FCRA’s private right of action to require some additional, consequential injury resulting from the statutory violation.
If that stretches the text too far, however, the FCRA’s quirks offer another path by which the Court can avoid sweeping unintended consequences. As Justice Scalia pointed out at argument, “assuming that false information is injury … the statute doesn’t say” that only people as to whom Spokeo published false information can sue. Rather, the statute says “that everybody about whom Spokeo did a report can sue.”
That sweeping, untailored authorization to sue provides an alternative basis for ruling for Spokeo—one that would respect Congress’s authority to decide which intangible individual injuries are “real” enough to warrant a private remedy. Specifically, the Court could hold that even if Congress could elevate the publication of false information in a credit report to a legally cognizable injury, the FCRA does not adequately “relate th[at] injury to the class of persons entitled to bring suit.” Such a ruling could trim back on the excessive aspects of the FCRA’s private-enforcement provisions while respecting the separation of powers.