Danielle K. Citron of the University of Virginia School of Law and Daniel J. Solove of George Washington University Law School have written “Privacy Harms.” The following is the abstract.

Privacy harms have become one of the largest impediments in privacy law enforcement. In most tort and contract cases, plaintiffs must establish that they have been harmed. Even when legislation does not require it, courts have taken it upon themselves to add a harm element. Harm is also a requirement to establish standing in federal court. In Spokeo v. Robins, the U.S. Supreme Court has held that courts can override Congress’s judgments about what harm should be cognizable and dismiss cases brought for privacy statute violations.

The caselaw is an inconsistent, incoherent jumble, with no guiding principles. Countless privacy violations are not remedied or addressed on the grounds that there has been no cognizable harm. Courts conclude that many privacy violations, such as thwarted expectations, improper uses of data, and the wrongful transfer of data to other organizations, lack cognizable harm.

Courts struggle with privacy harms because they often involve future uses of personal data that vary widely. When privacy violations do result in negative consequences, the effects are often small – frustration, aggravation, and inconvenience – and dispersed among a large number of people. When these minor harms are done at a vast scale by a large number of actors, they aggregate into more significant harms to people and society. But these harms do not fit well with existing judicial understandings of harm.

This article makes two central contributions. The first is the construction of a road map for courts to understand harm so that privacy violations can be tackled and remedied in a meaningful way. Privacy harms consist of various different types, which to date have been recognized by courts in inconsistent ways. We set forth a typology of privacy harms that elucidates why certain types of privacy harms should be recognized as cognizable. The second contribution is providing an approach to when privacy harm should be required. In many cases, harm should not be required because it is irrelevant to the purpose of the lawsuit. Currently, much privacy litigations suffers from a misalignment of law enforcement goals and remedies. For example, existing methods of litigating privacy cases, such as class actions, often enrich lawyers but fail to achieve meaningful deterrence. Because the personal data of tens of millions of people could be involved, even small actual damages could put companies out of business without providing much of value to each individual. We contend that the law should be guided by the essential question: When and how should privacy regulation be enforced? We offer an approach that aligns enforcement goals with appropriate remedies.

Read the full article on TeachPrivacy or SSRN.

Danielle K. Citron

UVA Law

Danielle Citron is the Jefferson Scholars Foundation Schenck Distinguished Professor in Law at UVA, where she writes and teaches about privacy, free expression and civil rights. Her scholarship and advocacy have been recognized nationally and internationally. In 2019, Citron was named a MacArthur Fellow based on her work on cyberstalking and intimate privacy. In 2018, she received the UMD Champion of Excellence award and in 2015, the United Kingdom’s Prospect Magazine named her one of the Top 50 World Thinkers and The Daily Record named her one of the Top 50 Most Influential Marylanders.

Daniel J. Solove

Reporter, Data Privacy Principles

Daniel J. Solove is the John Marshall Harlan Research Professor of Law at the George Washington University Law School.  He is also the founder of TeachPrivacy, a company that provides computer-based privacy and data security training.  One of the world’s leading experts in privacy law, Solove is the author of 10+ books and textbooks and 50+ articles. He served as co-reporter on the ALI’s Principles of Law, Data Privacy. Professor Solove writes at LinkedIn as of its “thought leaders,” and he has more than 1 million followers.  He more routinely blogs at Privacy+Security Blog.

0 Comments