How SCOTUS wiretap ruling helps Internet privacy defendants
I’ve spent the last two weeks vacationing out of the country, with only intermittent access to headlines from the United States. Every time I checked in, I felt as though I’d missed another huge legal story: the U.S. Supreme Court’s ruling on materiality and securities class certification in Amgen v. Connecticut Retirement Plans; oral arguments in Argentina’s appeal in the renegade bondholder litigation; a New York state court’s long-awaited holding that insurance regulators were within their rights to approve MBIA’s $5 billion restructuring in 2009; Credit Suisse throwing in the towel on Ambac’s mortgage-backed securities claims; and the slashing of Apple’s billion-dollar patent infringement damages against Samsung. But one of the great things about legal journalism is that first-day coverage isn’t usually the end of the story, especially when it comes to judicial opinions.
Take, for example, the Supreme Court’s ruling late last month in Clapper v. Amnesty International. On its face, the decision addresses a challenge by human rights advocates and media groups to a 2008 amendment of the Foreign Intelligence Surveillance Act that makes it easier for the government to obtain approval from a special court for wiretaps on intelligence targets outside of the United States. Opponents of the amendment, who asserted that their work requires them to engage in sensitive phone and email communications with likely targets of such surveillance, claimed the law violates the First and Fourth Amendments and the separation of powers doctrine. The court, as you probably read soon after the decision was announced on Feb. 26, said that the 2nd Circuit Court of Appeals erred when it concluded the plaintiffs had standing to bring their case. In a 5-to-4 ruling, the Supreme Court held that the human rights and media groups could not show, without resorting to speculation, that they faced “certainly impending” harm from the 2008 amendment. The majority also said that the plaintiffs could not establish standing through the costs they incurred to prevent harm from the new law.
That’s good news for government spooks, of course. But as Ropes & Gray noted in a very smart client alert last week, it’s also good news for companies facing class actions based on alleged breaches of their customers’ online privacy. Defendants have shelled out tens of millions of dollars (mostly in charitable contributions and legal fees for the other side) in consumer class actions filed in the wake of data breaches or revelations of undisclosed customer tracking. The Clapper ruling should make it easier for Internet businesses to win the quick dismissal of these cases on standing grounds.
Standing arguments have been a primary defense in Internet privacy class actions since 2011, when trial courts first began ruling that customers couldn’t bring claims against companies that tracked them online unless they could show actual harm from the practice. Last December, for instance, federal magistrate Paul Grewal of San Jose, California, said Google users didn’thave standing to sue because they hadn’t shown any injury from the universal terms of service the company imposed in March 2012. Not all judges, however, have had the same view of standing in these cases, so plenty of data privacy classes have been certified, sometimes with millions of members. When Facebook’s $20 million Sponsored Stories settlement received preliminary approval in December, the company put to rest claims by more than 100 million users. That’s a scary number for any defendant.
Internet companies were hoping for help from the Supreme Court last year in First American Financial v. Edwards, which presented the question of whether plaintiffs can show harm through a statutory violation or must establish standing through an actual injury. First American was fully briefed and argued, but the justices ultimately dismissed certiorari as “improvidently granted.”
Clapper didn’t attract First American’s amicus attention from tech companies, but according to the Ropes client alert, Justice Samuel Alito’s opinion in the case gives data privacy defendants pretty much all they could have wanted. The decision holds that standing cannot be based on the speculative possibility of future harm or even on the 2nd Circuit’s standard of an “objectively reasonable likelihood” of injury. Supreme Court precedent, Alito wrote, demands that plaintiffs show a “certainly impending” threat of harm in order to establish standing. “A highly attenuated chain of possibilities,” he wrote, “does not satisfy the requirement that threatened injury must be certainly impending…. We decline to abandon our usual reluctance to endorse standing theories that rest on speculation about the decisions of independent actors.”
That requirement, said Patrick Carome of Wilmer Cutler Pickering Hale and Dorr (who submitted an amicus brief for Facebook and other Internet companies in last year’s First American case), should spell the end of privacy breach class actions premised on arguments that customer information could potentially be misused. “Clapper confirms the trend of courts being really demanding at the front end of cases,” Carome said.
Clapper also precludes data privacy plaintiffs from claiming that they have standing based on the cost of monitoring their credit reports for misuse of their private information, the Ropes client alert noted. The opinion firmly rejected the 2nd Circuit’s reasoning that the expense of avoiding reasonably anticipated harm is itself sufficient to constitute an injury. “If the law were otherwise, an enterprising plaintiff would be able to secure a lower standard for Article III standing simply by making an expenditure based on a non-paranoid fear,” Alito wrote. “(Plaintiffs) cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.”
If Ropes and Carome are right – and I’m quite sure they are – we’re going to be seeing that quote again soon in data privacy litigation.
For more of my posts, please go to Thomson Reuters News & Insight