Over on Cato at Liberty, Jim Harper writes:
A couple of years ago I wrote here about the Supreme Court case denying that a person could collect damages from the government under the Privacy Act based on mental and emotional distress. It’s a narrow point, but an important one, because the harm privacy invasions produce is often only mental and emotional distress. If such injuries aren’t recognized, the Privacy Act doesn’t offer much of a remedy.
Many privacy advocates have sought to bloat privacy regulation by lowering the “harm” bar. They argue that the creation of a privacy risk is a harm or that worrisome information practices are harmful. But I think harm rises above doing things someone might find “worrisome.” Harm can occur, as I think it may have in this case, when one’s (hidden) HIV status and thus sexual orientation is revealed. It’s shown by proving emotional distress to a judge or jury.
I agree with Jim, up to a point. So far courts have generally not recognized worrying as a “harm,” such as the worrying people may experience after a data breach that puts them at risk of financial and/or medical identity theft. Whether it’s the Privacy Act or any other statute relating to breaches, in their attempt to restrict liability to more serious cases, legislators have typically either not provided any individual cause of action or have set the bar so high on “harm” that most people do not have standing to sue. Just this week, for example, we saw how a doctor was charged with three misdemeanors for stealing almost 100,000 patients’ information because New York law did not provide for any felony charges in the absence of financial information.
So what happens to all the patients whose diagnoses and treatment information was stolen if they are now worried about identity theft (SSN were involved) or exposure of sensitive health information? One might argue that “harm” should be or could be demonstrated by “proving emotional distress to a judge or jury,” but that’s a pretty high hurdle when it comes to emotional distress and worry. Does a plaintiff have to go see a psychologist to get therapy for anxiety? Do they have to tell everyone in their lives how worried they are? How do victims of breaches demonstrate emotional harm or distress absent any other harm?
Jim seems to think Rep. Gerry Connolly (D-VA) has a “fix,” at least for the federal Privacy Act:
Rep. Gerry Connolly (D-VA) has introduced the fix for the Supreme Court’s overly narrow interpretation of the Privacy Act. His Safeguarding Individual Privacy Against Government Invasion Act of 2014 would allow for non-pecuniary damages—that is, mental and emotional distress—in Privacy Act cases.
It’s a simple fix to a contained problem in federal privacy legislation. It’s passage would not only close a gap in the statute. It would help channel the privacy discussion in the right way, toward real harms, which include provable mental and emotional distress.
Connolly’s bill (H.R. 5772) would amend section 552a(g)(4)(A) of title 5, United States Code
- (a) by striking `actual damages’ and inserting `provable damages, including damages that are not pecuniary damages,’; and
- (b) by striking `, but in no case shall a person entitled to recovery receive less than the sum of $1,000′ and inserting `or the sum of $1,000, whichever is greater’.
So Connolly’s bill would permit non-pecuniary damages, which is a Good Thing.
I agree with Jim that Connolly’s bill is an opportunity for us to revisit the Privacy Act’s provisions and to think about where we’re going with liability for emotional worrying and distress privacy harms as a result of government action.
CORRECTION: A previous version of this post incorrectly reported that the amendment would cap damages at $1,000. A commenter kindly pointed out my error and the post has been edited to delete the error.