This is a guest post. The views expressed are the author’s own and should not be attributed to anyone else.
Yesterday’s oral argument in Spokeo v. Robins revealed a Court divided on the proper scope and application of standing doctrine. There was one point of agreement amongst the justices, however, with particular relevance to the future of information privacy law.
With the possible exception of Justice Sotomayor, no one on the Court seems ready to hold that a mere violation of the FCRA’s statutory requirements could confer standing on a plaintiff. Even Justice Kagan, who came out firmly in support of Robins, was hesitant to concede that a bare violation of the FCRA’s procedural requirements, such as the requirement that credit agencies post their 1-800 numbers, might constitute a redressable “injury in fact” for an affected consumer. In other words, in order to have an actionable claim under a consumer privacy law like the FCRA, plaintiffs have to do more than show that a defendant deviated from legally mandated data-handling rules (“thou shalt take reasonable steps not to publish misinformation”) with respect to their data; plaintiffs also have to show some additional substantive harm on top of that deviation.
If that’s the Court’s position, then it has broad implications for information privacy. That’s because information privacy law is currently understood and articulated almost exclusively as a set of data-handling requirements on data holders, rather than as a list of substantive rights of (or harms to) data subjects. Indeed, there is arguably no widely accepted theory of substantive information privacy rights. Our current best understanding of information privacy — of what it means to get privacy right, and what it means to get privacy wrong — is almost entirely procedural, meaning that good and bad acts are primarily understood in terms of data handlers’ compliance with or deviations from well-accepted best practices.