IAPP-GDPR Web Banners-300x250-FINAL

Plaintiffs are increasingly filing privacy lawsuits that allege harm and seek compensation. But to date, courts have grappled with discrepancies between plaintiffs’ “harm” claims and the scope of the law—particularly when the harm can’t be qualified, such as in cases of emotional distress or humiliation, leaving many plaintiffs empty-handed when the judge strikes the gavel.

Experts say the recent Supreme Court ruling in Federal Aviation Administration (FAA) v. Cooper illustrates the difficulty plaintiffs face in collecting damages under the Privacy Act of 1974, which dictates how agencies under the Executive Branch manage confidential records.

In the case, pilot Stan Cooper withheld his HIV status from the FAA in applying for the certificate he needed to comply with FAA medical standards on four separate occasions. When his health deteriorated in 1995, Cooper applied to the Social Security Administration (SSA) for disability--revealing his HIV status. A cross-agency investigation compared FAA and SSA records and found Cooper had lied. Following a guilty plea, Cooper’s pilot certificate was revoked and he was sentenced to two years of probation and a $1,000 fine for intentionally withholding information from a government agency.

In turn, Cooper sued the FAA, its parent, the Department of Transportation and the Social Security Administration for violating the Privacy Act by sharing his medical records among themselves; revealing his HIV diagnosis, and thus causing him “humiliation, embarrassment, mental anguish, fear of social ostracism and other severe emotional distress,” the suit alleged.

The Ninth Circuit Court of Appeals in San Francisco ruled in February 2010 that Cooper could seek damages for emotional distress, as the San Francisco Chronicle reported. But the U.S. Supreme Court voted 5-3 in March of this year that though the government had violated the Privacy Act, Cooper could not collect damages for the emotional distress he suffered because “the act does not authorize the recovery of damages from the government for nonpecuniary mental or emotional harm.”

Since then, the Electronic Privacy Information Center has proposed changes to the Privacy Act that would in fact compensate individuals for nonpucuniary harms such as mental or emotional distress. Sen. Daniel Akaka (D-HI) introduced a bill in October 2011 that would revise the Privacy Act to allow for civil and criminal penalties for Privacy Act violations.

D. Reed Freeman, CIPP/US, of Morrison Foerster, said courts are increasingly hearing class-action cases that seek “harm” damages and that to date, defendants have largely been successful in having the allegations dismissed, citing plaintiffs’ failure to meet the Constitution’s “cognizable harm” statute.

“What you’re seeing is that by and large, plaintiffs have a very difficult time proving harm in the data loss or theft cases,” said Andrew Serwin of Foley & Lardner. Serwin added that although sovereign immunity applies in the Cooper case, “even now in the public-sector side, you’re seeing courts say ‘you can’t prove damages, and therefore, you can’t state a claim.’”

However, FAA v. Cooper, while illustrative of the growing trend toward monetary compensation sought for non-monetary damages, may not set a precedent in a broad sense because of the government’s sovereign immunity, the legal doctrine immunizing the government from liability in cases of ambiguity, experts say.

Though the government-as-defendant makes the impact of the ruling less significant in this case, the case could have a stronger persuasive value when it comes to state laws, according to Ann Waldo, CIPP/US, of Wittie, Letsche & Waldo.

“Since Congress didn’t make the Privacy Act clear in explicitly allowing damages for nonpecuniary injuries, the court said that this had to be construed narrowly,” Waldo said. “The holding unquestionably relied on (the justices’) perceived sense that they were compelled to limit actual damages narrowly because of the very strong canon of statutory interpretations.”

“With respect to claims of Privacy Act breaches against the government, the court has made it difficult to assert those claims,” agreed InfoLawGroup’s Dave Navetta, CIPP/US. He said that although the Cooper case may have a limited impact on future holdings, its outcome isn’t rare, adding that, in general, plaintiffs have struggled to allege harm because of the law’s narrow scope. Even time lost or the cost of credit monitoring are “damages that are typically not recognized in a court of law” and are often dismissed.

“I think plaintiffs in many cases may have the facts in their favor, but the law, in terms of harm, is very much not in their favor,” he said.

However, Navetta said high-profile cases where loss of data has occurred and a brand’s reputation is at risk may be more likely to be settled.

“With brand-name companies, even if it looks like cases are going to be dismissed early on the ‘harm’ issue, there’s still some risk involved. I think defendants look at them differently than smaller breaches where the risk may not be as great,” he said.

Carnegie Mellon researchers found that breaches that have occurred due to “unauthorized disclosure or disposal” of data are twice as likely to result in lawsuits than those due to hacking incidents and that financial loss and proof of harm were determining factors in whether companies settled suits.

Navetta points to the Hannaford Brothers data breach of 2007, in which millions of payment card numbers were exposed and fraudulent charges placed. A First Circuit Court in Maine ruled that victims could recover costs incurred when they purchased credit insurance or new identity theft monitoring--cognizable harms.

In September 2011, however, a U.S. District Court judge dismissed a group of consolidated class-action suits alleging that Apple and eight mobile-application makers shared users’ personal information without their consent, writing in her opinion that the plaintiffs did not show any tangible injuries.

In FAA v. Cooper, the defendant argued that while Cooper may have suffered an “adverse effect,” he didn’t necessarily suffer “actual damages.” One justice said Congress likely did intend the Privacy Act to cover emotional distress suits, but in the end, the majority disagreed.

Simon Frankel of Covington and Burling agrees that the question at hand is how lower courts will apply the Cooper ruling to other cases.

“Will lower courts interpret Cooper narrowly to mean that ‘actual damages’ is limited to monetary harm where it allows monetary relief against the government, acting as a waiver of sovereign immunity, or treat it as a broader holding that when statutes allow for actual damages, they only allow for recovery of monetary harm and not emotional distress or damages or reputational damages,” he said. “That’s what I think is the difficult open question.”

Mali Friedman, also of Covington and Burling, said the Cooper holding is representative of a tactic frequently used by plaintiff’s counsel, “which is to allege emotional harm and other types of damages that simply aren’t cognizable under certain statutes.”

Friedman said courts also have yet to attach the same value to personal data that plaintiffs deem it to have.

“No court has yet held that the collection or disclosure of an individual’s data has any cognizable economic value to that individual. Of course, personal data in the aggregate often has value to a company, but courts repeatedly have found that there is no compensable loss where an individual’s information is collected or shared.”

Dr. Deborah Peel, a physician and health privacy advocate, says the implications of Cooper are significant from a health privacy standpoint.

“Emotional injuries are real and they cause great harm,” said Peel. “All you have to do is think about post-traumatic stress disorder in the military.

She said the FAA and SSA’s actions in comparing personal data send a daunting message to Americans asked to disclose sensitive data to government agencies, such as Cooper’s HIV status, and those messages can have repercussions.

“Where you have situations where reporting a condition is going to destroy livelihood, reputation or future, many people will not seek medical treatment. Cooper counted on the Privacy Act to keep his records private, and it didn’t.”

As the U.S. healthcare system moves towards electronic health records, Peel said it’s “incredibly important that we move toward systems that are trusted. How can we ask the public to participate in these systems when they don’t even know where the data goes?”

Waldo said she expects the case could raise issues regarding future government data sharing.

“This was only in 2002,” she said of the agencies’ investigation into Cooper. “In 2012, there are many efforts­­–and in the next decade, I predict far more efforts–to make government more modern, integrated and data-interoperable. As that goes on, I think many people can expect some unwelcome surprises from government…Increasingly, government will become far more efficient and aggressive in achieving that data interoperability.”

As an example, Waldo noted strong efforts to connect state databases on prescription drug abuse for law enforcement purposes.

In the end, Morrison and Foerster’s Freeman said that although plaintiffs now struggle to collect harm damages, there’s time yet.

“There’s some possibility that the inability of consumers to have their day in court for the perceived privacy violations could spark Congress or state legislatures to respond with a new law that remedies that problem,” he said.

Written By

Angelique Carson, CIPP/US


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Advertise in IAPP Publications

Find out how to get your message in front the people you want to reach. Download a media kit now.

Get more News »

Find a KnowledgeNet Chapter Near You

Network and talk privacy at IAPP KnowledgeNet meetings, taking place worldwide.

Women Leading Privacy

Events, volunteer opportunities and more designed to help you give and get career support and expand your network.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

The Training Post—Can’t-Miss Training Updates

Subscribe now to get the latest alerts on training opportunities around the world.

New Web Conferences Added!

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Staff

Get your team up to speed on privacy by bringing IAPP training to your organization.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.

Learn more about IAPP certification »

Get Close-up

Looking for tools and info on a hot topic? Our close-up pages organize it for you in one easy-to-find place.

Where's Your DPA?

Our interactive DPA locator helps you find data protection authorities and summary of law by country.

IAPP Westin Research Center

See the latest original research from the IAPP Westin fellows.

Looking for Certification Study Resources?

Find out what you need to prepare for your exams

More Resources »

GDPR Comprehensive: Registration Open

New! Intensive two-day GDPR training led by the sharpest minds in the field. It's a can't-miss event.

The Congress Is Cancelled

The IAPP Europe Data Protection Congress 2015 is cancelled. Click through to learn more.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

Exhibit at an Event

Put your brand in front of the largest gatherings of privacy pros in the world. Learn more.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»