PRIVACY + SECURITY BLOG

News, Developments, and Insights

high-tech technology background with eyes on computer display

Standing and Privacy Harms: A Critique of TransUnion v. Ramirez

Standing and Privacy Harms

I recently published a short essay with Professor Danielle Citron critiquing the recent Supreme Court decision, TransUnion v. Ramirez (U.S. June 25, 2021) where the Court held that plaintiffs lacked standing to use FCRA’s private right of action to sue for being falsely labeled as terrorists in their credit reports.

The essay is here:

Daniel J. Solove & Danielle Keats Citron, Standing and Privacy Harms: A Critique of TransUnion v. Ramirez, 101 B.U. L. Rev. Online 62 (2021)

Here’s a short abstract:

Through the standing doctrine, the U.S. Supreme Court has taken a new step toward severely limiting the effective enforcement of privacy laws.  The recent Supreme Court decision, TransUnion v. Ramirez (U.S. June 25, 2021) revisits the issue of standing and privacy harms under the Fair Credit Reporting Act (FCRA) that began with Spokeo v. Robins, 132 S. Ct. 1441 (2012). In TransUnion, a group of plaintiffs sued TransUnion under FCRA for falsely labeling them as potential terrorists in their credit reports. The Court concluded that only some plaintiffs had standing – those whose credit reports were disseminated. Plaintiffs whose credit reports weren’t disseminated lacked a “concrete” injury and accordingly lacked standing – even though Congress explicitly granted them a private right of action to sue for violations like this and even though a jury had found that TransUnion was at fault.

In this essay, Professors Daniel J. Solove and Danielle Keats Citron engage in an extensive critique of the TransUnion case. They contend that existing standing doctrine incorrectly requires concrete harm. For most of U.S. history, standing required only an infringement on rights. Moreover, when assessing harm, the Court has a crabbed and inadequate understanding of privacy harms. Additionally, allowing courts to nullify private rights of action in federal privacy laws is a usurpation of legislative power that upends the compromises and balances that Congress establishes in laws.  Private rights of action are essential enforcement mechanisms.

Continue Reading

Cartoon: Privacy Harms

Cartoon Privacy Harms - TeachPrivacy Privacy Training 02 small

Friday’s U.S. Supreme Court decision, TransUnion v. Ramirez (U.S. June 25, 2021), prompted me to release this cartoon about privacy harms that I created a while ago.  In TransUnion, a group of plaintiffs sued TransUnion for falsely labeling them as potential terrorists in their credit reports. The Supreme Court held that only some plaintiffs had standing – those whose credit reports were disseminated. Plaintiffs whose credit reports weren’t disseminated lacked a “concrete” injury and accordingly lacked standing – even though Congress explicitly granted them a private right of action to sue for violations like this and even though a jury had found that TransUnion was at fault.

The TransUnion decision, authored by Justice Kavanaugh for a 5-4 majority, is wrong on so many levels. I wish the Supreme Court had read my recent article draft:

Danielle Keats Citron & Daniel J. Solove
Privacy Harms
forthcoming in B.U. L. Rev. 

More background about the article is at my post here. I will write soon about the case.

Continue Reading

Assessing Privacy Law Programs at Law Schools

Assessing Privacy Law Programs at Law Schools

For decades, I’ve been arguing that law schools must improve their programs for privacy law. A few years ago, I lead a group of academics and practitioners in crafting a letter to law school deans about why law schools must offer more in privacy law: An Open Letter to Law School Deans about Privacy Law Education in Law Schools.  Recently, the International Association of Privacy Professionals (IAPP) came out with its guide, Privacy and Data Protection in Academia, A Global Guide to Curricula.

The guide wisely avoids trying to rank programs, and it contains a lot of very useful information. But I think that law schools need criteria to evaluate the strength of their programs, so I developed this list below of the key components of what I would consider to be a strong program. I’ve written about this before, but I continue to hone my thinking. Below are my latest thoughts:

Continue Reading

Privacy and Data Protection in Academia Guide

IAPP Privacy and Data Protection in America 03

The inaugural issue of Privacy and Data Protection in Academia, A Global Guide to Curricula has just been released. This guide has information regarding privacy and data protection programs and courses offered at graduate schools, including law, computer science and business schools around the world. This information was based on a survey.

IAPP Privacy and Data Protection in America 02Some law schools with notable privacy faculty and course offerings are missing, but overall, this is a useful guide.  After seeing all the schools that offer some form of curriculum in privacy law, it might be tempting to conclude that this is a success story. It isn’t.  Although the field of privacy law has grown dramatically in past two decades, education in law schools about privacy law has significantly lagged behind. Most U.S. law schools lack a course on privacy law. Of those that have courses, many are small seminars, often taught by adjuncts. Of the law schools that do have a privacy course, most often just have one course. Most schools lack a full-time faculty member who focuses substantially on privacy law. Read my article called An Open Letter to Law School Deans about Privacy Law Education in Law Schools to learn more about my thoughts in this area.

It is a shame that the majority of law schools still lack even a course on privacy law. Some have occasional seminars taught by adjuncts.

Below is my law school’s listing in the Guide. Although GW offers a lot comparative to many other schools, I still think we have a long way to go.

Continue Reading

Funniest Privacy Videos

Funniest Privacy Videos

At my event, the Privacy Law Salon, we have a wonderful tradition of showing some of the year’s funniest privacy videos after dinner. I thought I’d share some of the videos I have enjoyed the most, plus some new ones I recently found.

Cookies

In Every time you try and go on a website, British comedian Stevie Martin engages in an absolutely hilarious dialogue with Lola-Rose Maxwell. The pacing of their back-and-forth is perfect.

Passwords

When you forget your password is another brilliant video by Stevie Martin. The comedic  timing is impeccable.

Continue Reading

VIDEO: Conversation with FPF’s Jules Polonetsky

Jules Polonetsky LI Live 01

On Friday, May 28, 2021, I had a conversation with Jules Polonetsky at the Future of Privacy Forum (FPF) on his LinkedIn Live show. We spoke about my children’s book, THE EYEMONGER, my paper, Privacy Harms, with Professor Danielle Citron, and other things. You can watch it here.

Continue Reading

VIDEO: Conversation with Guernsey’s Data Protection Commissioner Emma Martins

Conversation with Guernsey’s Data Protection Commissioner Emma Martins

 

Data Protection Authority Recently, I spoke with Emma Martins, Data Protection Commissioner at Guernsey’s Office of the Data Protection Authority as part of their Project Bijou. We spoke about a number of topics, including the effect of the GDPR and my new children’s book about privacy, The Eyemonger

You can watch the video of our conversation here.

 

Continue Reading

Developments in Data Incident Response: An Interview with Mahmood Sher-Jan

Developments in Data Incident Response

I had the great opportunity to interview Mahmood Sher-Jan about new developments in data incident response. Mahmood Sher-Jan, CHPC, is the Founder and CEO of RadarFirst, a company dedicated to applying innovation and software technology to address the growing data privacy and security challenges faced by organizations that maintain regulated personal data. He holds patents in incident management, fraud prevention, and secure identity solutions; Mahmood is the inventor of Radar, an award-winning and industry-leading incident response automation platform.

Continue Reading

Speaking at Privacy Week Event of the Philippines National Privacy Commission

Privacy Week Event by the National Privacy Commission of the Philippines

On May 28, 2021, at 9:30 AM Philippine time (Thursday, May 27 at 8:30 PM Eastern), I will be speaking about “The Myth of the Privacy Paradox” at the Philippines Privacy Week event put on by the Philippines National Privacy Commission (NPC).

My talk will be moderated by Jon Bello, a partner at Medialdea Bello and Suarez Law Offices.

If you’re interested in attending, you can register here.

Continue Reading

Privacy Laws Around the World

Worldwide Privacy Law Project

I am creating courses and whiteboards (1-page summaries) about privacy laws of world countries. I am making a few whiteboards available for free.

Each whiteboard is a 1-page visual summary of a country’s main privacy law. Check them out here!

Colombia Privacy Law Mexico Privacy Law Turkey Privacy Law

Continue Reading