The courthouse door may have been slammed in your face without ever opening. This is especially true in the realm of your personal information, an ever growing and relevant area referred to as data privacy. This is a vast area, but it affects most people in one of two ways: First, a data breach, which is the theft of your personal information (SSN, bank account information, date of birth, etc., known as personally identifiable information or “PII” ) or protected health information (“PHI”); second, through damaging lies and other untruths about you living online. In either instance, you may have no remedy. It gets worse. According to TransUnion v. Ramirez, 141 S.Ct. 2190 (2021), you may not even be able to “get your day in court.” Note: Click this link for a concise summary.
TransUnion v. Ramirez is a data privacy case that dealt with reputational damage that ultimately had economic impact. Although the history of the case is long and the factual situation complex and varied, the basic facts involve a watch list created by the U.S. Treasury’s Office of Foreign Assets Control (OFAC). The so-called “OFAC watchlist” was meant to identify terrorists, drug traffickers, and other serious criminals. If a consumer’s first and last names matched the first and lasts names of a person on this list, then that person was listed as a “potential match” and put on the OFAC watch list. Imagine if your name was John Smith and a terrorist’s name was John Smith. TransUnion listed these alerts on the credit reports of these individuals without (for the most part) checking their veracity. Then, they neglected to tell people about it.
8,185 people whose names were on the list filed a lawsuit in federal district court in California saying TransUnion 1) failed to ensure accuracy of their credit files, and 2) sent defective notices to the consumers both of which clearly violated the Fair Credit Reporting Act (FCRA). The case eventually went to trial, and the jury was so upset that it awarded punitive damages, driving the verdict to $60 million.
TransUnion appealed the case to the Supreme Court. The Court tossed the jury verdict, and it said only those people, 1,853 in total, who had the credit reports with the inaccurate OFAC watch list sent to third-parties (banks, car dealers, etc.), had suffered any “actual harm.” The Court dismissed the case as to 6,332 people whose credit reports contained misleading alerts, reasoning the “mere presence of an inaccuracy in an internal credit file, if it was not disclosed to third party, caused no concrete harm.” The Court concluded these 6,332 people had no “standing,” which meant they had not been harmed enough to allow the Court to hear the case. Basically, the Court did not think having your name incorrectly placed on a terrorist watchlist without your knowing meant you were even harmed.
The ramifications are wide and are alarming for a few reasons that affect everyone: 1) Congress passed the FCRA to remedy these kinds of situations, and it was clearly violated, yet the Supreme Court explicitly said the Court had the right to overrule Congress and take away its law making ability; essentially, the Court “legislated from the bench” and made no bones about its ability to continue to do that if it did not like the law(s) Congress passed. 2) The Court referred to this violation of a privacy statute, the violation of which constituted a privacy violation (similar to those in data breach cases) as a “mere procedural violation,” which is the language it has used to describe violations of consumer privacy the Court does not deem to be serious. The Court continues to focus on financial harm while discounting reputational harm, anxiety, worry, fear, time spent remedying such a situation, and other what are called “intangible harms,” which are largely unrecognized in American law these days. 3) It shows that you must wait for something terrible to happen to you financially to be considered “harmed,” and the law cannot be used to prevent harm. Even if you are “harmed” your remedies are limited as an individual because you will likely only receive a few hundred dollars at most for such a violation, and it would have to be as a member of a class in a class action lawsuit in federal court.
A class action is where groups of people with similar injuries band together to form a “class,” the idea being picking one plaintiff to represent a class of sometimes hundreds of thousands of people is more judicially efficient than trying thousands of cases that are virtually identical. Despite their judicial efficiency, the Supreme Court’s current conservative majority does not like class actions, and it bends over backwards to dismiss them at the earliest stage possible.
Much ink has been spilled over this case and what it means. The case is quite nuanced as is the commentary, but bottom line: consumers are less protected and have less remedies, and, perhaps most disturbing, the Supreme Court feels no compunction over ignoring Congress and tossing out jury verdicts.
Perhaps a good analogy involves basketball, always a welcome subject in “blue Heaven.” It would be like having UNC crush Duke in the Dean Dome in early March with Spring trying to burst forth too early, and then the referees (the worst “Duke refs” you’ve ever seen) rule the game should never have been played. And then the refs rule Duke the winner even after Duke lost by 40 points or so. And they did it in true ACC fashion, by issuing a press release explaining why it was wrong that UNC won. This just covers the jury part.
As for the Supreme Court thinking it can override Congress whenever the Court wants…that’s more like when Julius Caesar declared himself emperor. Despite Caesar’s demise, Roman never went back to a republic after that.
Regardless of whatever flawed analogy that is given, it is not a desirable situation for the country to be in at this point. You have little protection for your private information, and you likely cannot maintain a lawsuit if you have your data stolen. Even if you “win” by settling or have a jury verdict, which could be overturned, you will probably only receive a few hundred dollars at most. But the plaintiffs’ attorneys will make hundreds of thousands and possibly millions in fees, and the defense attorneys will make hundreds of thousands and possibly millions in fees. Most disturbing of all is corporations do not have to protect your personal data, which they can collect or steal and ultimately sell, because the law will not hold them accountable. The Supreme Court certainly will not.
