By Gordon Hull
In one of the Seinfeld episodes, the proprietor of a popular lunch stop would deny service to customers who offended his arbitrary sensibilities with a loud “No Soup for You!” This is basically the outcome of the Supreme Court’s June decision on standing, TransUnion v. Ramirez. “Standing” in this sense refers to access to the federal legal system; to simplify, to be able to sue somebody, you need to show that you’ve suffered a “concrete” injury. A number of recent standing cases have been about the outer limits of “concrete.” In principle, privacy harms can be concrete, but SCOTUS has been making standing harder, particularly in data breach cases.
And so it goes here. Per a 5-4 opinion authored by Justice Kavanaugh, you don’t have standing to sue a credit agency for flagging you as a terrorist, unless you can show that they also disseminated that information to somebody else. This opinion explicitly overrides a Congressional determination that you do, in fact, have standing in cases like that, arrogating to the Court the right to decide when Congress is and is not allowed to establish when statutory rights are actionable. This was too much for Justice Thomas, who, joined by the court’s liberals, points out in dissent that this both violates separation of powers in the name of preserving it, and turns historical standing doctrine on its head. As Dan Solove and Danielle Citron put it in a sharp critique that builds on Thomas’ dissent, TransUnion is “an activist decision that nullifies Congress’s power to protect consumers and that enables courts to rewrite privacy laws to alter how they are enforced.”
The Federal Credit Reporting Act (FCRA) mandates that credit agencies try to maintain accurate information about the people whose data they score and sell. Credit reports are ubiquitous and very influential on people’s lives, and how your credit score is constituted is already pretty much a mysterious black box, a leading example of the creeping control that proprietary and secret algorithms have over everyday life. For a small fee, TransUnion would bundle additional information with your credit score – specifically, whether you’re also on a Treasury Department list of “specially designated nationals,” people who were known drug traffickers, terrorists, and so on (assume for the sake of argument here that this determination is correct and that this list is A Good Thing. But then go read Margaret Hu’s “Big Data Blacklisting” and be very afraid).
How did TransUnion decide if you were on the list? They looked at first and last names to see if they were similar or identical to a name on the list. What could go wrong? As Justice Thomas points out, “TransUnion did not compare birth dates, middle initials, Social Security numbers, or any other available identifier routinely used to collect and verify credit-report data” (dissent, slip op., 2). TransUnion had already lost a suit over this practice, but rather than actually attempt to comply with the FCRA’s requirements, they just started saying that someone was a “potential match” rather than a “match.” As Justice Thomas says, it’s not surprising that they got sued again.
This time, Sergio Ramirez tried to buy a car and the dealer refused him credit on the basis of the erroneous match. Ramirez eventually got the information about his problem from TransUnion, though they couldn’t be bothered to format it correctly or to send it in one mailing or to send it in a way that told him of his rights under the FCRA. He then filed suit, and sought class certification for himself and over 6000 other plaintiffs whose information was also inaccurate. They won at the district and appellate court levels, but Kavanaugh ruled for SCOTUS that only Ramirez and the subset of those whose erroneous matches were sold to third parties suffered “concrete” injury sufficient to grant them standing.
Kavanugh argues:
“For standing purposes, therefore, an important difference exists between (i) a plaintiff ’s statutory cause of action to sue a defendant over the defendant’s violation of federal law, and (ii) a plaintiff ’s suffering concrete harm because of the defendant’s violation of federal law. Congress may enact legal prohibitions and obligations. And Congress may create causes of action for plaintiffs to sue defendants who violate those legal prohibitions or obligations. But under Article III, an injury in law is not an injury in fact. Only those plaintiffs who have been concretely harmed by a defendant’s statutory violation may sue that private defendant over that violation in federal court” (11).
So Congress can make all the rights it wants, but only those who have suffered an “injury in fact” as determined by SCOTUS, which says it will defer to common law, actually have a right they can vindicate in federal court (aside: state courts are not bound by this, and as Justice Thomas notes, this may be a “Pyrrhic victory” for TransUnion, because plaintiffs will now sue them in 50 different state courts (18 n9)). Kavanaugh then reasons that when the false assertion that you are a terrorist is disseminated by TransUnion, that is very close to defamation, and is “unquestionably” sufficient to confer standing. But when they just have it in their files, this is more like having a defamatory letter in your desk that you never send, which is not actionable.
Justice Thomas shows just how silly this line of reasoning is at two levels. First, it completely eviscerates the legislative power to determine statutory rights. The original distinction was between private and public rights. If the law says that you are owed something then you need only assert that you have been denied that to have standing to sue. If the law says the public in general is owed this, then you need to show that you’ve personally been harmed by the failure to provide it. The FCRA very clearly vests rights in consumers and not in the public at large. So in denying them the right to sue for statutory harm, Kavanaugh’s opinion gets things backwards. Justice Thomas:
“This approach is remarkable in both its novelty and effects. Never before has this Court declared that legal injury is inherently insufficient to support standing. And never before has this Court declared that legislatures are constitutionally precluded from creating legal rights enforceable in federal court if those rights deviate too far from their common-law roots. According to the majority, courts alone have the power to sift and weigh harms to decide whether they merit the Federal Judiciary’s attention. In the name of protecting the separation of powers … this Court has relieved the legislature of its power to create and define rights” (12-13).
Second, it misconstrues the nature of “harm.” Historically, a risk of injury, especially if it is “immanent,” is sufficient to confer standing. If Congress requires that car manufacturers take reasonable care that their cars are safe, and I discover that my car doesn’t have brakes installed, it does not matter that I have not yet died in a car crash. I still get to vindicate my right in court. Here, Kavanaugh argues that the plaintiffs whose files had wrong information that had not been disclosed did not show that the risk of disclosure was sufficiently likely.
Thomas is having nothing of it: “Here, in a 7-month period, it is undisputed that nearly 25 percent of the class had false OFAC-flags sent to potential creditors. Twenty-five percent over just a 7-month period seems, to me, “a degree of risk sufficient to meet the concreteness requirement.” If 25 percent is insufficient, then, pray tell, what percentage is?” (15). Justice Kagan, joining Thomas nearly in full, rhetorically asks for good measure “why is it so speculative that a company in the business of selling credit reports to third parties will in fact sell a credit report to a third party?”
This seems like a decisive argument to me. Credit reporting has become absolutely ubiquitous as a form of social gatekeeping, and the credit agencies have a tremendous amount of power over people’s housing, employment, and so forth. Any reasonable theory of “risk” would weigh the magnitude of the harms that falsely labeling someone a terrorist would do to them – not only no soup, but no job, no house and no car – as a factor in determining the concreteness of the harm. If the harm was minor, then maybe a 25% risk wouldn’t be sufficient to trigger liability. But a major harm ought to have a lower probability threshold. That’s just basic risk calculus. A 10% chance of giving somebody a headache is one thing; a 10% chance of causing a nuclear war is another. This line of reasoning is buttressed by two factors. On the one hand, Justice Kagan’s reminder that this is in fact the business of the credit reporting agencies, combined with the ubiquity of credit reporting, suggests that the risk of harm is always already immanent. It’s not just that this problem might happen at some time in the distant future; you could be called on to authorize someone to look at your credit report at any time. On the other hand, recall that TransUnion had already lost a lawsuit over this practice. Treating a first and last name “similarity” as sufficient to trigger calling somebody a terrorist is a breathtakingly inadequate risk management strategy. Here is Justice Thomas recounting what happened the first time:
“TransUnion had sold an OFAC credit report about this consumer to a car dealership. The report flagged her—Sandra Jean Cortez, born in May 1944—as a match for a person on the OFAC list: Sandra Cortes Quintero, born in June 1971. TransUnion withheld this OFAC alert from the credit report that Cortez had requested. And despite Cortez’s efforts to have the alert removed, TransUnion kept the alert in place for years.” (2)
Did TransUnion make meaningful changes to do better? They did not:
“It did not begin comparing birth dates. Or middle initials. Or citizenship. In fact, TransUnion did not compare any new piece of information. Instead, it hedged its language saying a consumer was a ‘potential match’ rather than saying the person was a ‘match.’ And instead of listing matches for similar names, TransUnion required that the first and last names match exactly. Unsurprisingly, these reports kept flagging law-abiding Americans as potential terrorists and drug traffickers. And equally unsurprising, someone else sued” (3).
That TransUnion had already had the inadequacy of their procedure pointed out to them in court would suggest that their continuing of those practices ought to tend toward further liability because their culpability is willful. If nothing else, the likelihood of these things happening is buttressed by the fact that … these things keep happening.
Maybe you are not persuaded that the TransUnion’s sitting on a piece of paper that falsely says you are a terrorist is a harm. Justice Thomas has an argument for you too: if you request your credit report and it says you’re a terrorist, that itself is harmful: “one need only tap into common sense to know that receiving a letter identifying you as a potential drug trafficker or terrorist is harmful. All the more so when the information comes in the context of a credit report, the entire purpose of which is to demonstrate that a person can be trusted” (17). And if that letter isn’t harmful, he adds, what would it need to say? That you are a child molester?
Next time I’ll have some thoughts about what this means, beyond the context of data breach cases.
Recent Comments