Class actions are commonplace in the United States but relatively rare in Europe. The European Union wants to change that, by facilitating class actions for mass privacy and data breaches.
Two recent federal cases alleging privacy violations in the mobile context have been allowed to proceed based on novel damages allegations. The long-standing presumption that mere exposure of personal data is insufficient for standing and damage actions may become irrelevant if plaintiffs are able to link the exposure to increased costs of device usage.
Today, the U.S. Supreme Court in FAA v. Cooper held in a 5-3 decision that the “actual damages” clause in the Privacy Act is not sufficiently clear to authorize the recovery of non-pecuniary damages, such as for mental or emotional distress. While the Court acknowledged that the term “actual damages” is “sometimes understood to include nonpecuniary harm” and that such a reading is not “inconceivable,” it concluded that the term was not sufficient to overcome the sovereign immunity canon of statutory construction, which requires “an unmistakable statutory expression of congressional intent to waive the Government’s immunity.”
“Do time and effort alone, spent in a reasonable effort to avert reasonably foreseeable harm, constitute a cognizable injury under Maine common law?” That is the question a federal district judge in Maine has put to the Maine Supreme Court in the data security breach litigation involiving Hannaford Brothers. “If the Maine Law Court’s answer to the certified question on the cognizable harm issue favors the plaintiffs, the plaintiffs will have both a negligence claim and an implied contract claim.” Such a development could have a profound impact on the vulnerability of companies experiencing data security breaches to civil claims, something they so far largely have avoided.