On February 26, 2013, the United States Supreme Court decided in Clapper v. Amnesty International that U.S. persons who engage in communications with individuals who may be potential targets of surveillance under the Foreign Intelligence Surveillance Act (“FISA”) lack standing to challenge the statute’s constitutionality. The Supreme Court determined that the plaintiffs’ alleged injuries were not “certainly impending” and that the measures they claimed to have taken to avoid surveillance were not “fairly traceable” to the challenged statute. Although this 5-4 decision would not be considered a “privacy” or “data breach” case, the Court’s analysis will have a significant impact on such cases going forward, and may thwart the ability of individuals affected by data breaches to assert standing based on possible future harm.
The FISA was enacted in 1978 to authorize and regulate certain government electronic surveillance of communications for foreign intelligence purposes. Congress also created a specialized court, known as the Foreign Intelligence Surveillance Court (“FISC”) to approve electronic surveillance for foreign intelligence purposes where there is probable cause to believe that the target of the electronic surveillance is a foreign power or the agent of a foreign power.
Following the attacks on 9/11, President George W. Bush authorized the National Security Agency (“NSA”) to conduct warrantless wiretapping in cases where one party to a telephone or electronic communication was located outside the U.S. and a participant in the communication was reasonably believed to be a member or agent of al-Qaeda or an affiliated terrorist organization. In the wake of FISC decisions that subjected the NSA’s surveillance program to FISC review and narrowed the scope of Bush’s authorization, Congress enacted the FISA Amendments Act of 2008. The FISA Amendments Act created a new framework under which the government may seek the FISC’s authorization to conduct foreign intelligence surveillance targeting the communications of non-U.S. persons located abroad without requiring that the government show the target is a foreign power or agent thereof.
Clapper v. Amnesty International involved a constitutional challenge to a part of the FISA Amendments Act by a group of attorneys, human rights, labor, legal and media organizations who allegedly engaged in sensitive and sometimes privileged communications with individuals abroad who they believed to be likely targets of surveillance under the FISA Amendments Act.
The group asserted Article III standing by claiming that (1) there is “an objectively reasonable likelihood” that their communications will be intercepted in the future, and (2) they can establish injury resulting from measures that they undertook to avoid surveillance. They argued that their injuries are “fairly traceable to [the statute] because the risk of surveillance [under the statute] requires them to take costly and burdensome measures to protect the confidentiality of their communications.”
Writing for the majority, Justice Alito held that whether the Government would imminently target the group’s communications was “speculative,” stating that the fact they “merely speculate and make assumptions about whether their communications with their foreign contacts will be acquired” was insufficient as they had failed to set forth “specific facts.” The majority concluded that the “speculative chain of possibilities does not establish that injury based on potential future surveillance is certainly impending or is fairly traceable to” the challenged statute. The affirmation that potential future injury must be “certainly impending” or “fairly traceable” is instructive in the privacy and data breach context given the abundance of cases alleging fear or anxiety on the part of affected individuals despite the absence of any credible threat of identity theft.
As to the group’s argument that that they suffered injury based on measures affirmatively taken to avoid surveillance, Justice Alito reasoned that the group “cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.” Further, allowing an “action based on costs they incurred in response to a speculative threat would be tantamount to accepting a repacked version of respondents’ first failed theory of standing.” The majority’s clear directive that incurring costs to avoid speculative harm does not create standing will have plain applicability to allegations common in privacy and data breach suits that injury occurred when individuals took extra precautions, such as purchasing identity theft protection, out of fear of a possible future harm.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code