SCOTUS demands more concrete harm in collective data action
A sharply divided U.S. Supreme Court issued a ruling on Friday, which has a significant impact on plaintiffs’ ability to bring privacy and data breach class actions in federal courts. In TransUnion LLC v. Ramirez, case n ° 20-297, the Court considered that most of the plaintiffs had not demonstrated a “concrete” damage and therefore did not have standing to pursue their claims because they had not suffered personal damage real. Going beyond the specific facts of the case, this opinion has strengthened corporate legal defense in federal privacy class actions. Despite the restriction on the ability of plaintiffs to pursue their claims in federal court, this decision does not entirely exclude such lawsuits. Instead, complainants must now carefully assess their chances of success in a federal forum before filing their case, or risk facing a cumbersome petition practice and final dismissal on permanent grounds.
The facts of the Ramírez case are as interesting as the decision itself. In Ramírez, the plaintiffs sued TransUnion after it falsely labeled them as potential terrorists on credit reports, which prevented the main plaintiff from purchasing a car. Plaintiffs named on the Terrorist Watchlist sued and – following a lengthy legal battle and rare jury verdict – ultimately won a $ 40 million prize, which the company later appealed. up to the Supreme Court. In its opinion of June 25, 2021, the Court ruled that the vast majority of complainants had suffered no identifiable harm when it ruled that only certain complainants had standing. Concretely, only plaintiffs whose credit reports were effectively disseminated to third parties could sue, while the others had not suffered “concrete” damage and therefore did not have standing.
This case has been closely watched by the plaintiffs’ lawyers and the Privacy Bar, as breaches of privacy are notoriously difficult to establish, and the Court has so far given little consideration. indications on the meaning of a “concrete infringement”. As we have previously reported, the Supreme Court has rendered a key decision on this subject in Spokeo vs. Robins in May 2016, finding that plaintiffs must allege concrete harm in order to have standing to bring an action for a violation of the law. Simply put, this meant that simple procedural violations would not be enough to assert legal privacy claims, and tangible losses had to be alleged. After Speak, however, the courts have struggled with the precise meaning of “concrete” harm.
Speak asked the courts to analyze whether the alleged injuries were sufficient to substantiate alleged violations of various federal and state consumer protection laws, such as the Federal Credit Reporting Act, the Telephone Consumer Protection Act, and the Biometric Information Privacy Act, to name a few. It has also had an impact on data breach class actions. Again, Speak did not provide sufficient guidance on this issue. Ultimately, this led to inconsistent decisions across the country and significant forum buys by consumer lawyers. Last Friday the Ramírez majority finally shed light on the intended meaning of Speak– this time by making it clear that the harm is only concrete if the plaintiffs can sufficiently plead that they have suffered personal harm as a result of the alleged conduct.
Ramírez resulted in a partial victory for some complainants. The notice clearly stated that “the Court has no difficulty in concluding that the 1,853 members of the group have suffered tangible harm which constitutes harm in fact.” In stark contrast, however, despite the fact that “the credit records of the remaining 6,332 members of the group also contained misleading OFAC alerts,” the “mere existence of inaccurate information, without dissemination, has traditionally failed. provided the basis for legal action ”, and these“ claimants cannot demonstrate that the misleading information in internal credit records in itself constitutes tangible harm ”.
It is still unclear how the lower courts will apply Ramírez in the context of class actions for data breach. In these actions, complainants typically allege that their personal information was exposed as a result of a breach or ransomware attack. However, they don’t always claim that the data was actually misused. So companies facing data breach class actions in federal court may now have a stronger argument for dismissal under Ramírez. Ultimately, however, even if this argument is successful, it simply leads to the case being re-filed in state court. For this very reason, the dissenting opinion in Ramírez called the decision a “Pyrrhic victory”, explaining that it “does not prevent Congress from creating statutory rights for consumers; it simply argues that federal courts do not have jurisdiction to hear some of these cases “, potentially leaving state courts” as the only forum for such cases, with defendants unable to seek transfer to federal court. “
There are often significant advantages for both parties to litigating data breach class actions and other privacy protection actions in federal court. They include, for example, greater efficiency, speed, predictability, preservation or resources, and potentially even reduced litigation costs. So, companies facing such lawsuits may want to think twice before invoking Ramírez as a defense. Depending on the specifics of their case and the jurisdiction that governs it, defendants in a federal privacy class action lawsuit should work closely with their defense attorneys to analyze and pursue the most optimal strategy.
© 1994-2021 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, PC All rights reserved.Revue nationale de droit, volume XI, number 180