The Nature of Privacy Harms: Financial and Physical Harm vs. Emotional and Mental Harm

The 9th Circuit is hearing an interesting case involving the Privacy Act — Cooper v. Federal Aviation Administration, No. C 071383 VRW (N.D. Cal. 2008).   The Federal Aviation Administration (FAA) shared information about pilot Stanmore Cooper’s HIV positive status with other government agencies.  The district court found this information sharing to be improper under the Privacy Act, 5 U.S.C. § 552a:

Because DOT-OIG transmitted Cooper’s records to another agency without his prior consent and this use does not fall within the routine use or another exception to 5 USC § 552a(b), the DOTOIG’s use of Cooper’s record was unlawful under 5 USC § 552a(b).

However, the fact that an agency violates the Privacy Act does not mean that a plaintiff can obtain redress.  In a decision I find wrongheaded–both as a matter of statutory interpretation as well as normative policy–the U.S. Supreme Court has held that the Privacy Act requires that a plaintiff prove actual damages before being able to get monetary relief under the Act.  See Doe v. Chao, 540 U.S. 614 (2004).  The Supreme Court reached this conclusion even though the Privacy Act has a liquidated damages provision:

[T]he United States shall be liable to the individual in an amount equal to the sum of . . . actual damages sustained by the individual as a result of the refusal or failure, but in no case shall a person entitled to recovery receive less than the sum of $1,000.

5 U.S.C. § 552a(g)(4).  In order to receive the liquidated damages of $1000, plaintiffs must first demonstrate they are “entitled to recovery” and prove actual damages.

I believe the holding in Chao is misguided because the very function of a liquidated damages provision is to address difficulties in proving harm.  Privacy Act violations often involve harms that are not akin to traditional types of injuries.  Privacy harms caused by misuse or improper dissemination of information are more abstract in nature and often can’t be directly linked to financial losses or physical injury.  Nevertheless, they are harms, and without a way for plaintiffs to recover damages for such harms, there is not a sufficient incentive for plaintiffs to bring Privacy Act lawsuits and for agencies to follow the Privacy Act.

Unfortunately, until Congress amends the Privacy Act to more clearly establish that liquidated damages can be recovered without proof of actual damages, plaintiffs must establish actual damages.

The issue in Cooper is what kind of damages can constitute actual damages.  Can emotional/mental damages alone constitute actual damages?

There’s a circuit split on the issue.  As the district court noted:

Two circuits that have addressed the definition of actual damages in the context of the Privacy Act examined the statute’s legislative history to reach different conclusions. In Fitzpatrick v. Internal Revenue Service, 665 F.2d 327 (11th Cir. 1982), the Eleventh Circuit focused on the evolution of the Privacy Act’s damages provisions and noted that while early versions of the legislation included provisions for punitive damages and general damages, these damages provisions were not included in the version that became law.  Fitzpatrick, 665 F.2d at 329-31. The court found support in the legislative history for a narrow reading of actual damages and held that “‘actual damages’ as used in the Privacy Act permits recovery only for proven pecuniary losses and not for generalized mental injuries, loss of reputation, embarrassment or other non-quantifiable injuries.” Fitzpatrick, 665 F.2d at 331.

In Johnson v. Department of Treasury, IRS, 700 F.2d 971 (5th Cir. 1983), the Fifth Circuit reached the opposite conclusion. The court noted that one of the Privacy Act’s stated purposes is requiring federal agencies to “be subject to civil suit for any damages which occur as a result of willful or intentional” violation.” Johnson, 700 F.2d at 974-75; see 88 Stat. 1896 § 2(b)(6). After a lengthy analysis of the legislative history, see Johnson, 700 F2d at 974-83, the Fifth Circuit concluded that the plaintiff there could recover for proven mental injuries. Johnson, 700 F.2d at 986.

The district court in Cooper sided with Fitzpatrick, reasoning that the Act was ambiguous about what actual damages constituted and such ambiguity should be resolved in favor of the government.

I disagree.   If Doe v. Chao is combined with a rule that actual damages must involve physical injury or financial loss, then it becomes extremely difficult for plaintiffs to recover under the Privacy Act.  There will be a large group of cases where plaintiffs suffer Privacy Act violations but can’t get damages because privacy harms are often emotional harms.  When they wrote their seminal article, The Right to Privacy, inspiring a significant development of privacy law, Samuel Warren and Louis Brandeis recognized that privacy was an “injury to the feelings” and that the law at the time (1890) had evolved sufficiently to redress such harms that did not constitute physical injuries or financial loss.

It would certainly be ironic if the Privacy Act wouldn’t recognize the nature of most privacy harms.  Agencies could violate the Privacy Act, improperly sharing and disseminating information, and in a large number of cases, then be able to argue that there’s no harm.  Why should Congress have bothered to pass the Privacy Act limiting such practices and providing plaintiffs with a remedy if in many of these cases there would be no cognizable harm and plaintiffs won’t be able to recover any damages?  It seems like a wrongheaded interpretation to me.

If we must live with Doe v. Chao, at the very least, to avoid making a total mockery of the Privacy Act, emotional/mental harm must be sufficient to establish actual injury.

You may also like...

6 Responses

  1. “In a decision I find wrongheaded–both as a matter of statutory interpretation as well as normative policy…”

    Why should we be looking to the Supreme Court for “normative policy”? When did that become part of the job descripton?

    Obviously the normative policy of the Labor Department was not to give away $1,000 just because they screwed up on a Privacy matter. The courts, in this instance, agreed with that policy.

    And this is apparently a bi-partisan policy. The case originated as a result of the Clinton administration’s DOL screwup. And it was that DOL that fought the original suit by Doe and his co-plaintiffs. Absent legislative language (not history – the Great One was correct to opt out of that part of the decision), the decision squares with what Congress wrote.

    And if you really believe that this:

    “Agencies could violate the Privacy Act, improperly sharing and disseminating information, and in a large number of cases, then be able to argue that there’s no harm.”

    …is a real fear then I’m sure you’re with me in rooting on Scott Brown in Massachusetts as a potential way to stop the so-called Heath Care bills being considered. Think of the privacy nightmare such legislation could encourage.

  2. Daniel Solove says:

    Maryland Conservatarian,

    Note that the Privacy Act damages provision applies only to willful violations of the Act. This requirement was put in the act to ensure mere “screwups” would not suffice for damages. Negligence won’t be sufficient. Accordingly, your argument that Doe v. Chao was to ensure agencies wouldn’t be socked with damages for mere screwups is not really valid since the damages provision at issue already doesn’t apply to mere screwups.

  3. okay – I read “willfull’ or “intentional” to include screwups, as in “I screwed up – I made a bad decision” – the decision was intentional – i.e. the decision to include the SS #s, although I’m sure it wasn’t malicious or ill-intended.

    And I don’t think Doe v. Chao really stands for anything more than the agency reading of the law is a correct one – note, not the only correct one, but a correct one. Had Clinton’s DOL agreed with Plaintiffs that it should get a $1,000, I doubt the District Court would have overruled both parties. I further believe, although I’m not positive, that if the Obama administration thought this reading of the law was unfair or wrong it could expand the Feds reading and give Cooper a $1,000 or even $10,000…and then, of course, blame it on Bush.

  4. Daniel Solove says:

    Maryland Conservatarian,

    For the definition of “intentional” or “willful” under the Privacy Act, I’m relying on Andrews v. Veterans Administration, 838 F.2d 418 (10th Cir. 1988):

    [T]he term “willful or intentional” clearly requires conduct amounting to more than gross negligence. We are persuaded by the District of Columbia Circuit’s definitions of willful or intentional that contemplate action “so ‘patently egregious and unlawful’ that anyone undertaking the conduct should have known it ‘unlawful,’” or conduct committed “without grounds for believing it to be lawful” or action “flagrantly disregarding others’ rights under the Act,” and we adopt those definitions, and add the view . . . that the conduct must amount to, at the very least, reckless behavior. Those, and similar definitions, describe conduct more extreme than gross negligence.

    If there is caselaw supporting an alternative less restrictive approach to “intentional or willful” under the Privacy Act, I’d be very pleased to learn about it.

  5. According to Justice Ginsburg’s dissent, she took note of the Magistrate Judge’s finding (FN 5):

    “The undisputed evidence shows that the Department took little, if any, action to see that it complied with the Privacy Act… . Several of the Administrative Law Judges responsible for sending out the multi-captioned hearing notices testified that they had received no training on the Privacy Act.”).”

    …is that “patently unlawful and egregious”? I’m not going to argue if you so think but dislaying a lax attitude toward monitoring compliance…eh. I’m certainly no Privacy Act maven but my instinct remains: they screwed up.

  6. Stan Cooper says:

    Significant evidence that the Privacy Act violations were willful and intentional in this case was obtained as a result of the District Court’s order compelling production of further discovery by the defendants (over the defendants’ strenuous objections).

    This was no unintentional screw-up.