1. Spokeo v Robins – No harm? No foul
!In the age of readily accessible data and free flows of information, it is not an understatement when privacy
professionals describe data as the new oil. It’s the currency that fuels innovation and technology. But what
happens when inaccurate data is exchanged and used by companies? How are the effects of such transactions
quantified and what are the redress measures awarded by the courts when deciding the degree of ‘injury-in-
fact’?
!This is an issue which has been under scrutiny on both sides of the Atlantic. In the UK, the landmark case of
Vidal Hall et al v Google removed the need for financial loss in claims for damages. The intricate facts of Vidal v
Google differ slightly to those presented in Spokeo v Robins, however, the fundamental question of material
loss in tortious claims for damages with misuse of personal information is considered in both.
!Vidal v Google upheld the arguments of the claimants that distress and anxiety were sufficient in terms of
harm suffered in cases of the misuse of personal information. This was quite a remarkable outcome as it
widened the baseline for bringing claims against technology companies engaging in questionable practices with
our personal information. It could be argued that section 13 of the Data Protection Act 1998 was blown wide
open and a floodgate of liability was introduced thanks to the claimants in this case. However, let’s take the
less dramatic approach and simply say that privacy rights were strengthened by the ruling.
!Nevertheless, the strengthening on one side of the Atlantic has not been reflected in the muddier waters of the
U.S. When enforcing such a right before U.S. courts, one must establish Article III standing. The case of
Spokeo v Robins called into question the components of an Article III right, focusing mainly on the ‘injury-in-
fact’ requirement. This is the requirement to have suffered actual harm in order to bring such a claim. But
before we can decipher whether such standing exists, a look into the intricacies of the case can provide clarity.
!Spokeo inc., an internet data broker company, sold inaccurate information about the claimant (Robins). In turn,
the inaccurate information published made Robins appear more financially well-off than he actually was,
apparently harming his employment prospects. Robins argued the fact that his employment prospects were
harmed from the disclosure of inaccurate information was not contrary to the typical standards of harm, but
was sufficient enough to warrant Article III standing.
!Whilst there has been no finalised decision from the Supreme Court, the returning of the case to the Ninth
circuit district court for further consideration as to ‘injury-in-fact’ can suggest a constitutional awakening of
privacy rights in the U.S. In the age of data breaches and increased threats to the security of information, it
would not be far-fetched to assert that adequate safeguards against the use of inaccurate data should be
common place in policy making.
!Security of information and rights of redress
!Returning the case to the Ninth circuit can only be deemed as a narrow victory for Spokeo, Inc. In a data
driven world where data brokers are making increasing amounts of profit on pooling massive amounts of
information about individuals together and allowing companies to access and use this data, one would suggest
that a high duty of care should be imposed to ensure accuracy. However, although this is a highly regarded
right under the fourth data protection principle in the UK, the U.S is still establishing such a right. The world
operates on data and its easily transferrable nature, and therefore the rights of redress must be intertwined
with the security of such information. Countries all over the world are now recognising modern day reliance on
the use of data and as such, a harmonised approach to the rights of redress in terms of inaccurate data should
be implemented.
!The battle between data brokers v consumers
!There’s a tug of war on accuracy and privacy rights between data brokers and consumers and whilst data
brokers are pulling in the direction of the amalgamation of easily accessible information for use and profit,
consumers are also pulling in the direction of stronger privacy rights. The obligations placed on companies that
provide information about consumers needs to be of a high standard. This stretches further than just data
brokers and credit reference agencies. Any automated decision making needs to be based on information about
a data subject that is accurate.
Whilst the accuracy of information used in automated decision making is important, when considering the
amicus curae briefs submitted by various parties, there were valid points raised by both sides of the argument.
A variety of organisations put forward their opinions as to why the case should be thrown out. Most of the
recurring opinions stipulated the floodgate of liability in terms of class action litigation which would in turn see
a massive rise in defence costs and settlement pay outs. Nevertheless, the rights of redress and protections of
freedoms were common place arguments, with the American Civil Liberties Union focusing mainly on these.
!Global obligations on companies
!The obligations placed on organisations to process accurate information must be equal across the globe. In an
increasingly data connected world, legal systems in each country must place equal emphasis on the need to
2. operate fairly, protecting the individual’s right to privacy. in doing so, it could be argued that the need to show
material harm should be widened to reflect potential damage rather than just particularised financial loss. It is
noteworthy to mention countries across the emerging markets that are also recognising this constitutional
right. India has no constitutional right to privacy and yet the Supreme court is now considering such a right as
it recognises the overwhelming reliance on data to fuel growth. In the same stance, the U.S. would do well to
not only recognise modern day reliance on data, but the need to place adequate safeguards on the use of this
data. Spokeo v Robins presents the perfect opportunity to do so. A verdict from the Ninth circuit would steer
the Supreme Court in the right direction to send a clear message to companies of the need to ensure the
accuracy of data when they operate. An even clearer direct message would be sent to data broker companies.
!Automated processing
!A lot of current data protection legislation has done well to address the increasing use of automated decision
making and place obligations on organisations to protect the individual’s right to have all automated decisions
explained. The European General Data Protection Regulation has specific clauses that require human
intervention in such decisions and the scope of the legislation covers all organisations that not only operate in
the EU, but also provide services to EU citizens. In harmonising the legislation covering organisations that
operate in the EU, a common approach to the protection of the individual’s right to privacy will be successfully
implemented. U.S. companies will have to adhere to the provisions within the GDPR and it may be worthwhile
for them to adopt similar protections in their processing of U.S. citizens’ data. Again, Spokeo v Robins would be
a good chance to implement case law precedent that places such an obligation on organisations, not in the
direct provisions for human intervention when carrying out automated decision making, but in the assurance of
accurate, fair and lawful processing of each individual’s data. We can only hope that the constitutional make up
of the Supreme court bench can look to the future and the immediate need for adequate protections against
processing of inaccurate data. However, with strict constructionists such as Clarence Thomas on the bench,
alongside moderates who would not want to open a floodgate of liability, it wouldn’t be far fetched to say that
material and particularised damage is still a key component for Article III standing. Only time will tell.