The Supreme Court Considers Whether a Privacy Act Plaintiff Can Recover $1000 Even Without Proof of Damages
By JULIE HILDEN
Tuesday, Nov. 25, 2003
On December 3, in Doe v. Chao, the Supreme Court will hear oral argument on an important question relating to the federal Privacy Act.
The Privacy Act, enacted in 1974, prevents the government from intentionally making an unauthorized disclosure of an individual's private information. It also says that, if such a disclosure is made, and the individual suffers an "adverse effect," the individual can sue for damages.
That much, at least, everyone involved in the case agrees upon. They disagree, however, about what happens when the individuals cannot prove he or she suffered actual damages.
The plaintiffs urge that in that case, they should still get a statutory minimum of $1,000. But the government (the Department of Labor is the defendant) suggests that plaintiffs who cannot prove damages, get nothing at all -- despite the fact that their privacy has been invaded.
The question of who is correct is a subtle question about Congress's intention in passing the Privacy Act. But I will argue that even if these plaintiffs lose, future plaintiffs should win, even if they cannot prove damages. That is because privacy is valuable in itself, even when actual damages cannot be proven.
The Linda Tripp Privacy Act Suit: A Case of Fairly Clear Damages
The most famous recent Privacy Act plaintiff is probably Linda Tripp -- who taped her phone calls with intern Monica Lewinsky, leading to the scandal concerning Lewinsky and former President Clinton.
Tripp's Privacy Act suit claimed that the Department of the Defense told The New Yorker magazine that Tripp had failed to report a juvenile arrest on her application for government employment. This disclosure was obviously humiliating and hurtful to Tripp. In the end, the Department of Defense settled with Tripp for over $595,000.
The Suit Before the Court: Damages Are Less Clear
In contrast, the plaintiffs in Doe v. Chao, do not have similarly clear evidence of damages.
The plaintiffs are coal miners who sought benefits because they suffered from Black Lung Disease. Before a hearing on their claims, the government sent out hearing notices -- notices to which outside persons had access. And those notices disclosed the plaintiffs' Social Security numbers (SSNs).
The problem for the plaintiffs is that -- unlike the disclosure of the arrest in the Linda Tripp case or, say, the disclosure of medical information -- disclosure of one's Social Security Number is not usually embarrassing or humiliating.
Indeed, a 2-1 majority of the appeals court panel -- a panel of the notoriously conservative U.S. Court of Appeals for the Fourth Circuit -- openly mocked one of the plaintiffs' evidence of "alleged angst" arising from the disclosure. And it found the other plaintiffs' evidence of distress so unconvincing, it relegated them to a mere footnote.
However, the third judge -- who dissented from the majority's Privacy Act holding -- argued that the panel majority was too dismissive. As he suggested, the release of a SSN can lead to other privacy violations. It can be the gateway to identity theft, or simply to theft. It can also be the gateway to giving unknown individuals unauthorized access to private financial data, medical records, or the like.
For example, in this case, the disclosure of the miners' SSNs was in conjunction with a hearing notice for a medical claim. Thus, at least in theory, an outsider's putting the SSNs together with the type of claim -- for Black Lung Disease -- could have compromised the miners' anonymity as to their medical conditions.
The Legal Issue: What Damages Are Proper When None Are Proven?
With a majority of the panel believing that the miners had not suffered actual damages, ordinarily the case would be dismissed. However, some cryptic language in the Privacy Act meant that the miners were able to argue that they deserve a damages award even without proof of any particular damages.
Here's the language: A prevailing plaintiff is entitled to "actual damages sustained by the individual as a result of the [government's failure to comply with the Act], but in no case shall a person entitled to recovery receive less than the sum of $1,000."
This language is convoluted and legalistic -- the kind of phrasing that gives lawyers a bad name. But basically, there are two ways to read it.
First, one could read this Privacy Act language to say, "You get actual damages, but if you can't prove them, you still get $1,000."
Why should the language be read this way? The dissenting judge offered a reason: The separate "adverse effect" requirement already weeds out plaintiffs who have no case. Thus, in his view, the $1,000 limit is best read, not as a hurdle, but as a guarantee of a "statutory minimum" in damages. (Such a minimum would not be unusual. Many statutes -- the Copyright Act is a good example -- specify statutory damages because Congress anticipated actual damages from a violation might be hard to prove.)
Or, second, one could read this Privacy Act language to say "If you can prove you suffered actual damages, then the least you can get is $1,000, but if you can't prove actual damages, you get nothing."
The Fourth Circuit panel majority read the Act this way. They saw the minimum as a guarantee, but a guarantee benefiting only those who could prove actual damages in the first place.
Why Congress Should Amend the Privacy Act If the Plaintiffs Lose At the Court
The Supreme Court will consider next week, and decide this Term, which of these two interpretations of the Privacy Act is correct. If the plaintiffs lose, then, in my view, Congress should take action. It should amend the Privacy Act to provide for minimum damages even when plaintiffs cannot prove actual damages.
Why give an individual money if he or she suffers no actual damages? Two reasons.
First, deterrence requires it. A guaranteed $1,000 liability for every disclosure of private information -- upon proof of the disclosure alone -- will make the government especially careful about such disclosures. Forcing the plaintiff to prove actual damages only allows the government to be lax.
Deterring disclosures is all the more necessary because damages are not always immediately traceable. Indeed, they may be invisible to the plaintiff. Suppose that one of the coal miners' insurers gets wind of the Black Lung diagnosis, because of the SSN disclosure, and thus invokes a technicality to cancel his policy. The miner may never know that the SSN disclosure -- not the technicality itself -- is the real reason his policy was cancelled. And that's a reason to make sure the SSN disclosure never happens in the first place.
Second, privacy is valuable in itself. People act and speak differently in private than they do in public. (If you doubt it, consider how you might speak to your spouse in a private moment, versus how you'd speak if you thought your comments would show up in the New York Times the next day.) And every gap in the wall of privacy that protects us, means we are less confident to speak, and act, freely even when we believe we are in private.
This basic freedom deserves strong protection. The fewer hurdles a plaintiff must clear to prove a privacy violation, the more protected our privacy is over the long run.