In Clapper v. Amnesty International, 568 U.S. 2013, the United States Supreme Court upheld the strict requirements under Article III for a plaintiff to have standing to sue in privacy cases. Rejecting Respondents' arguments as too speculative, the Court held that for future harm to constitute injury, that harm cannot be hypothetical; instead, the harm must be "certainly impending." Plaintiffs cannot create injury and harm to themselves through subjective and unsubstantiated fears. Reaffirming heightened standards for future harm may significantly aid corporations in obtaining dismissals for data security and cyber beach lawsuits where plaintiffs frequently cannot show that their personal information will subject them to identity theft or be used in a manner to cause them some other concrete financial harm.

Background

In Clapper, Respondents (including U.S. human rights, labor, legal and media organizations) challenged the constitutionality of the government's broad power to intercept communications of non-U.S. persons located abroad under section 1881a of the amendments to the Foreign Intelligence Surveillance Act. The question before the Supreme Court was whether Respondents had Article III standing to seek relief. Even though the Supreme Court applied a heightened standard of review in Clapper because it was reviewing the actions of the legislative branches of government, the principles may apply to other data and privacy cases.

Federal courts require plaintiffs to meet all Article III standing requirements before seeking the court's jurisdiction. Article III specifically requires that plaintiffs allege an "injury in fact," which the Supreme Court interprets to mean a “concrete, particularized, and actual or imminent” injury. Allegations of a future injury are not sufficient because the injury is not impending or imminent. The injury must also be caused by the alleged violations and conduct forming the complaint.

Particularly in privacy and data breach cases, courts across the nation have inconsistently applied Article III standing requirements. Some courts found that plaintiffs must allege that their identity was stolen or fraudulent charges were made. Other courts, following the Second Circuit’s “objectively reasonable likelihood” test, have held that the increased risk of identity theft or steps taken by plaintiffs to mitigate the threat of identity theft or fraudulent charges was sufficient to create Article III standing.

Assertions and Allegations

In Clapper, Respondents asserted that the 2008 amendments to the Foreign Intelligence Surveillance Act of 1978 (FISA) section 1881a were unconstitutional and sought (1) a declaration that section 1881a violates the First Amendment, the Fourth Amendment, Article III and separation of powers principles and (2) a permanent injunction against the use of section 1881a. Section 1881a allows the federal government to conduct surveillance on electronic communications of non-U.S. persons without showing that those persons are a foreign power or agents of a foreign power. Moreover, the government does not have to disclose the locations of facilities where the surveillance will occur. However, the government still needs to obtain approval of the surveillance from the Foreign Intelligence Surveillance Court (FISC) and cannot conduct surveillance within the United States or on any U.S. person abroad.

Respondents claimed that: 

  • Their communications with foreign contacts would be intercepted by the government under section 1881a, thereby impeding their work. 
  • Section 1881a compromised their ability to locate witnesses, cultivate sources, obtain information and communicate confidential information to their clients. 
  • They had "ceased engaging" in certain telephone and email conversations with non-U.S. sources.
  • The threat of surveillance by the U.S. government would compel them to travel abroad in order to have in-person conversations that could not be intercepted.
  • They had to undertake various "costly and burdensome measures" to protect the confidentiality of their sources and sensitive communications.

The Supreme Court rejected Respondents’ alleged injuries, explaining that the injuries were too speculative and not “certainly impending.” The Court claimed that Respondents’ injuries were just “an attenuated chain of possibilities” because they could not show that:

  • Their contacts would be the subject of surveillance
  • The surveillance would be conducted pursuant to section 1881a as opposed to other statutes
  • Even if the surveillance under section 1881a were approved by FISC, the interception of the communications would be successful
  • Respondents would be parties to the intercepted communications.

Furthermore, the Supreme Court was not impressed by Respondents’ assertions that they were harmed because of the costly measures implemented to protect their communications. As the Court observed: “[R]espondents cannot manufacture standing by choosing to make expenditures based on hypothetical future harm that is not certainly impending.”

Conclusion

In summary, the Supreme Court in Clapper held that plaintiffs did not have Article III standing because they failed to establish that they had suffered an "injury in fact." In particular, the Court observed that plaintiffs did not demonstrate that there was an objectively reasonable likelihood that their own communications would be intercepted under section 1881a. The Court also noted that plaintiffs' theory of a future injury was too speculative to satisfy Article III's requirement that a threatened injury must be "imminent." The Court also rejected plaintiffs' claim that they suffered any present injury by having to incur additional costly or burdensome measures to protect the confidentiality of the international communications.

Future data security breach litigation may be impacted by Clapper as more plaintiffs could see their cases dismissed for lack of standing. The Supreme Court's ruling may bolster companies' argument that the threat of injury from stolen information is too speculative. There is no way to predict that the hackers will actually use the stolen information to the financial detriment of the plaintiffs by stealing their identity, incurring unauthorized charges or otherwise. Moreover, plaintiffs whose data was stolen cannot “manufacture standing” by presently incurring costs to protect against the mere threat of a future harm.