In the recent article “Statutory Violations Not Enough to Give Rise to a Cause of Action for Class Actions says U.S. Supreme Court“, we have analyzed the high-profile case TransUnion v. Ramirez and, specifically, the Supreme Court’s reasoning on the standard of proving tort damages in class actions. The full article with a detailed analysis of the case is available via the link above.
In this comment, we would like to elaborate on the privacy implications of TransUnion v. Ramirez and, in particular, analyze the post-TransUnion case law of the Second Circuit from the perspective of privacy laws.
- The Factual Analysis
To briefly summarize the facts of the case1: A credit reporting agency, TransUnion, was sued by Sergio Ramirez who was denied from buying a car because he was on a “terrorist list” according to the consumer report provided by TransUnion.
The issue is that TransUnion’s software aimed to facilitate the compilation of personal and financial information about individual consumers (OFAC Name Screen Alert) generated many false positives because many consumers shared names with those included in the OFAC list.
In this respect, Ramirez filed a class-action lawsuit alleging TransUnion’s alleging that it violated the Fair Credit Reporting Act (FCRA) by failing to follow reasonable procedures to ensure the accuracy of
the credit report information, disclose the inaccurate terrorist list match upon request, and include a notice of their rights under FCRA.
The class-action was filed on behalf of a class of 8,185 people all suffering from TransUnion’s matching practices. However, only 1,853 of the class, including Ramirez, had their false reports containing OFAC alerts provided to the third-party companies.
- Decision and Analysis: A Privacy Law Perspective
The Supreme Court held that members of the class-action lawsuit whose credit files were provided to third-party businesses suffered concrete harm from TransUnion’s actions. However, those whose files were not transferred lacked standing to sue under Article III. In our earlier article, we have discussed important procedural and policy issues and considerations related to this case. In the meantime, this case also has significant privacy implications because the Supreme Court significantly shaped the enforcement landscape for many privacy laws.
Specifically, from the privacy perspective, the Supreme Court restricted private rights of action in privacy actions by introducing a “concrete harm” for Article III standing to seek damages. According to the Supreme Court, “[c]entral to assessing concreteness is whether the asserted harm has a ‘close relationship’ to a harm traditionally recognized as providing a basis for a lawsuit in American courts.” TransUnion LLC v. Ramirez, 141 S. Ct. 2190, 210 L. Ed. 2d 568, 2200 (2021). In other words, a mere statutory violation does not give a plaintiff a cause of action against a defendant.
Taking into account the essence of many privacy violations and the notion of privacy harms2, determining what constitutes concrete harm exactly can be very challenging. In particular, as mentioned in the dissenting opinion of Justice Thomas, “even setting aside everything already mentioned— the Constitution’s text, history, precedent, financial harm, libel, the risk of publication, and actual disclosure to a third party—one need only tap into common sense to know that receiving a letter identifying you as a potential drug trafficker or terrorist is harmful.” TransUnion LLC v. Ramirez, 141 S. Ct. 2190, 210 L. Ed. 2d 568, 2223 (2021).
In this respect, the Supreme Court’s decision is highly criticized by leading privacy scholars as “undermining the effectiveness of many privacy laws” and being “wrong and troubling on many levels.” Id. According to Keats Citron & Daniel J. Solove, “the Court’s test for recognizing concrete injuries is severely flawed. The Court’s application of its test is also marred by an inadequate understanding of privacy harms”. Id.
These conclusions are based on the detailed analysis of the notion of “privacy harm” in the broad sense (including “emotional distress harm” and “data quality harm”). Indeed, it seems reasonable to argue that “a credit report with inaccurate information like denoting someone as a terrorist as in TransUnion poses a significant risk of economic and reputational harm” and “[i]t can be hard for individuals to find out about errors, and when they do, third parties will ignore requests to correct them without the real risk of litigation costs.”. Id.
However, despite the risk of future harm was not recognized as sufficiently concrete to satisfy Article III standing, the Supreme Court recognized that “a person exposed to a risk of future harm may pursue forward-looking, injunctive relief to prevent the harm from occurring, at least so long as the risk of harm is sufficiently imminent and substantial.”. TransUnion LLC v. Ramirez, 141 S. Ct. 2190, 210 L. Ed. 2d 568, 2210 (2021). Specifically, the Supreme Court clarified that when it is impossible to prove a “concrete harm,” there is still an opportunity to enforce statutory rights through the injunctive relief. In practice, this means that those whose credit reports contain inaccurate information could request TransUnion to amend this information, prohibit it from transferring with third parties, or undertake other measures aimed to prevent the harm from occurring.
Thus, from a privacy perspective, it provides guidance for courts and parties on how to assess intangible harms. In the meantime, the TransUnion case imposes significant limitations on the enforcement of privacy violations and, as mentioned in Thome v. Sayer L. Grp., P.C., “questions remain about how to implement TransUnion’s guidance.”. Thome v. Sayer L. Grp., P.C., No. 20-CV-3058-CJW-KEM, 2021 WL 4690829, 7 (N.D. Iowa Oct. 7, 2021).
- Post-TransUnion Case Law
Interestingly, since the decision was delivered on June 25, 2021, courts actively applied and analyzed the TransUnion decision. As for February 2022, there are more than 300 decisions that, in their reasoning, referred to the TransUnion case4.
These cases include both those directly related to privacy violations, including privacy of communications as part of the debt collection litigation under FDCPA6 as well as a wide range of other class actions including antitrust, labor, First Amendment rights and specific state law statutes.
Despite the TransUnion decision only addressed federal court standing under Article III, courts tend to use TransUnion guidance in actions arising under state law.
For instance, it seems insightful to analyze the recent case considered in the Court of Appeals of the Second Circuit – Maddox v. Bank of New York Mellon Trust Company, N.A. Maddox v. Bank of New York Mellon Trust Co., No. 19-1774 (2d Cir. 2021)10. In this case, mortgagors (the “Maddoxes”) brought an action against the mortgagee, alleging that mortgagee’s failure to timely record mortgagors’ satisfaction of mortgage. The district court stated that mortgagors had Article III standing to seek statutory damages from the Bank for its violation of New York’s mortgage-satisfaction-recording statutes (the “statutes”).
0 comments:
Post a Comment