In 2008, the Foreign Intelligence Surveillance Act (FISA) was amended, broadening the surveillance powers of the federal government with respect to communications outside of the United States. In Clapper v. Amnesty International, a group including journalists, human rights activists, and labor leaders challenged those amendments. Plaintiffs claimed that their work required open communication with persons around the globe, and that the prospect of government surveillance chilled that communication. Plaintiffs also claimed that they had incurred costs to prevent this surveillance, such as the cost to travel abroad to communicate in person with potential surveillance targets.
The Supreme Court issued a 5-4 decision, in which the majority (Alito, J.) found that the plaintiffs had no Article III standing to sue.
The majority’s decision provides substantial guidance on fundamental issues of Article III standing where informational/privacy interests are concerned.
The majority reaffirmed the importance of Article III standing, emphatically, noting its prior statement that “no principle is more fundamental to the judiciary’s proper role.”
The majority noted that for any of the plaintiffs to suffer actual informational harm (interception of their communications), a number of events would have to take place, from the government choosing to exercise its power under the amendment, to the FISA court granting the application to do so, to the government’s chosen target being a person with whom the plaintiff communicates at the moment of interception.
The majority reiterated that future harms are not justiciable unless “injury is certainly impending….allegations of possible future injury are not sufficient.” (Quotations and citation marks omitted.) Moreover, the Court found itself “reluctant to endorse standing theories that require guesswork as to how independent decision makers will exercise their judgment.” While Clapper was not a data breach or theft case, the majority’s standing analysis is in line with courts across the country that have dismissed breach suits attempting to rely on the possibility of future injury -- such claims usually being premised on the hypothetical future actions of would-be identity thieves not before the court.
The majority also ruled that the plaintiffs could not establish standing by pointing to costs voluntarily incurred. “The Second Circuit’s analysis improperly allowed respondents to establish standing by asserting that they suffer present costs and burdens that are based on a fear of surveillance, so long as that fear is not ‘fanciful, paranoid, or otherwise unreasonable’.… This improperly waters down the fundamental requirements of Article III.” Per the majority, plaintiffs simply “cannot manufacture standing by incurring costs in anticipation of non-imminent harm.” That holding will figure prominently in defense efforts opposing data breach class actions that seek to recover the cost of credit monitoring or other identity protection tools.
The dissent, written by Justice Breyer, contains much that will sound familiar to anyone who has read a plaintiffs’ brief in a data breach case. The dissent notes that the government has the opportunity, motive, capacity, and track record to indicate that it will someday, somehow, harm the plaintiffs. Data security-breach plaintiffs argue the same points about the persons who acquire personal information unlawfully. At one point, the dissent argues that the “certainly impending” standard does not really require certainty. “Taken together the case law uses the word ‘certainly’ as if it emphasizes, rather than literally defines, the immediately following term ‘impending’.” The dissent notes, as the plaintiffs’ privacy bar frequently argues, that all requests for injunctive relief are by nature somewhat probabilistic. However, this lax standard, urged by the dissent is now definitively a minority position, not the law of the land. Reed Smith’s data privacy, security, and management team will continue to review and advise on the ripple effects of this Supreme Court decision on privacy breach cases pending around the country.
Client Alert 2013-055