In Privacy Harms, Danielle Citron and Daniel Solove identify a central tension in the regulation of privacy in the United States. On one hand, federal law relies on litigation to address systemic depravations of privacy that, in the aggregate, compromise democracy, autonomy, and safety. On the other hand, federal litigation focuses on whether a specific litigant has experienced a concrete and particularized injury. Without demonstrating that the complainant has faced cognizable harm, there is no room to air the ways that undeterred, cumulative violations rip at the ties that bind us as a society.
The authors identify at least two ways that this judicial insistence on individualized injuries can facilitate systemic privacy harms.
Most directly, because courts sometimes fail to confer standing on plaintiffs for “mere” statutory violations, companies are sometimes not properly incentivized to comply with the law. The authors highlight the Supreme Court’s recent opinion in TransUnion v. Ramirez. Plaintiffs sued a credit reporting agency under the Fair Credit Reporting Act, alleging it wrongly accused them of being potential terrorists. The Court concluded that the plaintiffs were not harmed, and did not have standing, except in instances where the false information had been distributed to third parties. “No concrete harm, no standing,” the Court reasoned. Missing from this doctrinal picture is Congress’s systemic goal of encouraging credit reporting agencies to take reasonable steps to guard against inaccurate information on credit reports.
Second, courts’ insistence on specific, individualized harm means that even when a plaintiff does have standing, judicial proceedings and remedies are not necessarily tailored to airing and addressing the most urgent privacy harms. To gain access to federal court, some plaintiffs identify trivial financial harms as a pretext for more damaging (but highly generalized) harms. As Citron and Solove explain, “We have seen the emergence of an odd sort of legal fiction, where the law redresses ‘harm’ that is not the real interest interfered with as a means to redress a harm that really is.” By way of example, the authors describe a district court case in which plaintiffs sued Apple, alleging that the company violated its promises by failing to adequately prevent apps from non-consensually collecting plaintiffs’ personal data. According to the court, the plaintiffs had standing because the “unauthorized transmission of data from their iPhones taxed the phones’ resources by draining the battery and using up storage space and bandwidth.” But was battery drainage or used storage space the harm that the plaintiffs were concerned about? And does judicial focus on those trivial harms distract from what is at stake when a company breaks its promises and disseminates private information without permission?
Relatedly, the authors observe a disconnect between available remedies and the germane privacy harms at stake. Remedies generally fall into three categories: compensation (to redress an injury), deterrence (to discourage future injuries), and equity (to facilitate a return to the pre-violation status quo). But sometimes there is a mismatch between how privacy interests are enforced and the underlying goals of enforcement. Congress creates compensation schemes when it wants to deter widespread privacy harms. Compensation for financial harms might not express the value of privacy in ways that equitably promote psychological security and relational trust. The authors invite Congress, courts, and regulators to do a better job of tailoring enforcement schemes to enforcement goals.
To assist with this tailoring, the authors offer a typology of seven privacy harms. First are physical harms. Some violations of privacy interests—like reckless doxing of controversial individuals—can place people at increased of physical injury. Second are economic harms of the sort the Court is poised to recognize. Theft of one’s personal information, for example, places a person at increased risk of identity theft. Third are reputational harms. Fourth, are psychological harms, such as emotional distress and disturbance. Fifth are violations of privacy, which can undermine individual choice and autonomy. Sixth are privacy breaches that can facilitate discrimination. The authors reason, “The misuse of personal data can be particularly costly to women, sexual minorities, and nonwhites given the prevalence of destructive stereotypes and the disproportionate surveillance of women and marginalized communities in their intimate lives.” Seventh are harms to relationships, which “are two-fold: most immediately, the loss of confidentiality and in the longer term, damage to the trust that is essential for the relationship to continue.”
The authors recognize countervailing interests. Redressing and preventing privacy harms must be balanced with the effect of, for example, allowing thousands of people to bring suit for a single violation in a way that might cause a defendant damage that is highly disproportionate to the offense. But striking the right balance requires thinking critically about enforcement goals and about the harms at stake. Citron and Solove have offered an important contribution by providing a cogent critique of the pitfalls of the federal litigation in privacy cases; articulating harms that might assist litigants and courts wrestling with which privacy interests should be cognizable; and calling for lawmakers to ensure that protection of privacy occurs in precise and effective ways.