Failure to comply with the safe harbor principles could give rise to a number of private claims depending on the relevant circumstances. In particular, safe harbor organizations could be held liable for misrepresentation for failing to adhere to their stated privacy policies. Private causes of action for damages for breaches of privacy are also available under common law. Many federal and state statutes on privacy also provide for the recovery of damages by private individuals for violations.
The right to recover damages for invasion of personal privacy is well established under U.S. common law.
Use of personal information in a manner inconsistent with the safe harbor principles can give rise to legal liability under a number of different legal theories. For example, both the transferring data controller and the individuals affected could sue the safe harbor organization which fails to honor its safe harbor commitments for misrepresentation. According to the Restatement of the Law, Second, Torts (Second Restatement of the Law - Torts; American Law Institute (1997))
One who fraudulently makes a misrepresentation of fact, opinion, intention or law for the purpose of inducing another to act or to refrain from action in reliance upon it, is subject to liability to the other in deceit for pecuniary loss caused to him by his justifiable reliance upon the misrepresentation.
Restatement, § 525. A misrepresentation is “fraudulent” if it is made with the knowledge or in the belief that it is false. Id., § 526. As a general rule, the maker of a fraudulent misrepresentation is potentially liable to everyone who he intends or expects to rely on that misrepresentation for any pecuniary loss they might suffer as a result. Id. 531. Furthermore, a party who makes a fraudulent misrepresentation to another could be liable to a third-party if the tortfeasor intends or expects that his misrepresentation would be repeated to and acted upon by the third-party. Id., § 533.
In the context of the safe harbor, the relevant representation is the organization’s public declaration that it will adhere to the safe harbor principles. Having made such a commitment, a conscious failure to abide by the principles could be grounds for a cause of action for misrepresentation by those who relied on the misrepresentation. Because the commitment to adhere to the principles is made to the public at large, the individuals who are the subjects of that information as well as the data controller in Switzerland that transfers personal information to the U.S. organization could all have causes of action against the U.S. organization for misrepresentation. This might be the case, for example, where the individuals relied on the U.S. organization’s safe harbor commitments in giving their consent to the data controller to transfer their personal information to the United States. Moreover, the U.S. organization remains liable to them for the “continuing misrepresentation” for as long as they rely on the misrepresentation to their detriment. Restatement, § 535.
Those who rely on a fraudulent misrepresentation have a right to recover damages. According to the Restatement.
The recipient of a fraudulent misrepresentation is entitled to recover as damages in an action of deceit against the maker the pecuniary loss to him of which the misrepresentation is a legal cause.
Restatement, § 549. Allowable damages include actual out-of-pocket loss as well as the lost “benefit of the bargain” in a commercial transaction. Id.; see, e.g., Boling v. Tennessee State Bank, 890 S.W.2d 32 (1994) (bank liable to borrowers for USD 14825 in compensatory damages for disclosing borrowers’ personal information and business plans to bank president who had a conflicting interest).
Whereas fraudulent misrepresentation requires either actual knowledge or at least the belief that the representation is false, liability can also attach for negligent misrepresentation. According to the Restatement, whoever makes a false statement in the course of his business, profession, or employment, or in any pecuniary transaction can be held liable “if he fails to exercise reasonable care or competence in obtaining or communicating the information.” Restatement, § 552(1). In contrast with fraudulent misrepresentations, damages for negligent misrepresentation are limited to out-of-pocket loss. Id., § 552B(1).
In one case, for example, the Superior Court of Connecticut held that a failure by an electric utility to disclose its reporting of customer payment information to national credit agencies sustained a cause of action for misrepresentation. See Brouillard v. United Illuminating Co., 1999 Conn. Super. LEXIS 1754. In that case, the plaintiff was denied credit because the defendant reported payments not received within thirty days of the billing date as “late”. The plaintiff alleged that he had not been informed of this policy when he opened a residential electric service account with the defendant. The court specifically held that “a claim for negligent misrepresentation may be based on the defendant’s failure to speak when he has a duty to do so.” This case also shows that “scienter” or fraudulent intent is not a necessary element in a cause of action for negligent misrepresentation. Thus, a U.S. organization which negligently fails to fully disclose how it will use personal information received under the safe harbor could be held liable for misrepresentation.
Insofar as a violation of the safe harbor principles entailed a misuse of personal information, it could also support a claim by the data subject for the common law tort of invasion of privacy. American law has long recognized causes of action relating to invasions of privacy. In a 1905 case (Pavesich v. New England Life Ins. Co., 50 S.E. 68 (Ga. 1905)), the Georgia Supreme Court found a right to privacy rooted in natural law and common law precepts in holding for a private citizen whose photograph had been used by a life insurance company, without his consent or knowledge, to illustrate a commercial advertisement. Articulating now-familiar themes in American privacy jurisprudence, the court found that the usage of the photograph was “malicious”, “false”, and tended to “bring plaintiff into ridicule before the world.” (Id., at 69) The foundations of the Pavesich decision have prevailed with minor variations to become the bedrock of American law on this topic. State courts have consistently upheld causes of action in the realm of invasion of privacy, and at least 48 states now judicially recognize some such cause of action. A search of the LexisNexis electronic database performed on August 14, 2008, for “invasion of privacy” in actions in state courts since January 1, 2001, returned 2933 citations. Moreover, at least 12 states have constitutional provisions safeguarding their citizens’ right to be free from intrusive actions (See, e.g., Alaska Constitution, Art. 1 Sec. 22; Arizona, Art. 2, Sec. 8; California, Art. 1, Sec. 1; Florida, Art. 1, Sec. 23; Hawaii, Art. 1, Sec. 5; Illinois, Art. 1, Sec. 6; Louisiana, Art. 1, Sec. 5; Montana, Art. 2, Sec. 10; New York, Art. 1, Sec. 12; Pennsylvania, Art. 1, Sec. 1; South Carolina, Art. 1, Sec. 10; and Washington, Art. 1 Sec. 7), which in some cases could extend to protect against intrusion by non-governmental entities. See, e.g., Hill v. NCAA, 865 P.2d 633 (Ca. 1994); see also S. Ginder, Lost and Found in Cyberspace: Informational Privacy in the age of the Internet, 34 S.D.L. Rev. 1153 (1997) (“Some state constitutions include privacy protections which surpass privacy protections in the U.S. Constitution. Alaska, Arizona, California, Florida, Hawaii, Illinois, Louisiana, Montana, South Carolina, and Washington have broader privacy protection.”)
The Second Restatement of Torts provides an authoritative overview of the law in this area. Reflecting common judicial practice, the Restatement explains that the “right to privacy” encompasses four distinct causes of action in tort under that umbrella. See Restatement, § 652A. First, a cause of action for “intrusion upon seclusion” may lie against a defendant who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns (Id., at Chapter 28, Section 62B). Second, an “appropriation” case may exist when one takes the name or likeness of another for his own use or benefit (Id., at Chapter 28, Section 652C). Third, the “publication of private facts” is actionable when the matter publicized is of a kind that would be highly offensive to a reasonable person and is not of legitimate concern to the public (Id., at Chapter 28, Section 652D). Lastly, an action for “false light publicity” is appropriate when the defendant knowingly or recklessly places another before the public in a false light that would be highly offensive to a reasonable person (Id., at Chapter 28, Section 652E).
In the context of the safe harbor framework, “intrusion upon seclusion” could encompass the unauthorized collection of personal information whereas the unauthorized use of personal information for commercial purposes could give rise to a claim of appropriation. Similarly, the disclosure of personal information that is inaccurate would give rise to a tort of “false light publicity” if the information meets the standard of being highly offensive to a reasonable person. Finally, the invasion of privacy that results from the publication or disclosure of sensitive personal information could give rise to a cause of action for “publication of private facts.” (See examples of illustrative cases below.)
On the issue of damages, invasions of privacy give the injured party the right to recover damages for:
1. the harm to his interest in privacy resulting from the invasion;
2. his mental distress proved to have been suffered if it is of a kind that normally results from such an invasion; and
3. special damage of which the invasion is a legal cause.
Restatement, § 652H. Given the general applicability of tort law and the multiplicity of causes of action covering different aspects of privacy interests, monetary damages are likely to be available to those who suffer invasion of their privacy interests as a result of a failure to adhere to the safe harbor principles.
Indeed, state courts are replete with cases alleging invasion of privacy in analogous situations. Ex Parte AmSouth Bancorporation et al., 717 So. 2d 357, for example, involved a class action that alleged the defendant “exploited the trust depositors placed in the Bank, by sharing confidential information regarding Bank depositors and their accounts” to enable a bank affiliate to sell mutual funds and other investments. Damages are often awarded in such cases. In Vassiliades v. Garfinckel’s, Brooks Bros., 492 A.2d 580 (D.C.App. 1985), an appellate court reversed a lower court judgment to hold that the use of photographs of the plaintiff “before” and “after” plastic surgery in a presentation in a department store constituted an invasion of privacy through the publication of private facts. In Candebat v. Flanagan, 487 So.2d 207 (Miss. 1986), the defendant insurance company used an accident in which the plaintiff’s wife was seriously injured in an advertising campaign. The plaintiff sued for invasion of privacy. The court held that the plaintiff could recover damages for emotional distress and appropriation of identity. Actions for misappropriation can be maintained even if the plaintiff is not personally famous. See, e.g., Staruski v. Continental Telephone Co., 154 Vt. 568 (1990) (defendant derived commercial benefit in using employee’s name and photograph in newspaper advertisement). In Pulla v. Amoco Oil Co., 882 F.Supp. 836 (S.D. Iowa 1995), an employer intruded on the plaintiff employee’s seclusion by having another employee investigate his credit card records in order to verify his sick day absences. The court upheld a jury award of USD 2 in actual damages and USD 500000 in punitive damages. Another employer was held liable for publishing a story in the company newspaper about an employee who was terminated for allegedly falsifying his employment records. See Zinda v. Louisiana-Pacific Corp., 140 Wis.2d 277 (Wis.App. 1987). The story invaded the plaintiff’s privacy by publication of a private matter because the newspaper circulated in the community. Finally, a college which tested students for HIV after telling them the blood test was for rubella only was held liable for intrusion upon seclusion. See Doe v. High-Tech Institute, Inc., 972 P.2d 1060 (Colo.App. 1998). (For other reported cases, see Restatement, § 652H, Appendix.)
The United States is often criticized for being overly litigious, but this also means that individuals actually can, and do, pursue legal recourse when they believe they have been wronged. Many aspects of the U.S. judicial system make it easy for plaintiffs to bring suit, either individually or as a class. The legal bar, comparatively larger than in most other countries, makes professional representation readily available. Plaintiffs’ counsel representing individuals in private claims will typically work on a contingency fee basis, allowing even poor or indigent plaintiffs to seek redress. This brings up an important factor - in the United States, each side typically bears its own lawyers’ fees and other costs. This contrasts with the prevailing rule in Switzerland wherein the losing party has to reimburse the other side for costs. Without debating the relative merits of the two systems, the U.S. rule is less likely to deter legitimate claims by individuals who would not be able to pay the costs on both sides if they should lose.
Individuals can sue for redress even if their claims are relatively small. Most, if not all U.S. jurisdictions, have small claims courts which provide simplified and less costly procedures for disputes below the statutory limits. The potential for punitive damages also offers a financial reward for individuals who might have suffered little direct injury to bring suit against reprehensible misconduct. Finally, individuals who have been injured in the same way can marshal their resources as well as their claims to bring a class-action lawsuit.
A good example of the ability of individuals to bring suit to obtain redress is the litigation against Amazon.com for invasion of privacy. Amazon.com, the large online retailer, was the target of a class action, in which the plaintiffs allege that they were not told about, and did not consent to, the collection of personal information about them when they used a software program owned by Amazon called “Alexa.” In that case, plaintiffs alleged violations of the Computer Fraud and Abuse Act in unlawful access to their stored communications and of the Electronic Communications Privacy Act for unlawful interception of their electronic and wire communications. They also claimed an invasion of privacy under common law. This stems from a complaint filed with the FTC by an Internet security expert. The suit sought damages for class members, plus attorneys’ fees and profits earned as a result of violations of laws. As part of a settlement, the company agreed to destroy some of the personally identifiable records in its database and to pay up as much as $1.9 million in damages. The FTC also investigated the charges.
Federal and state privacy legislation often provides private causes of action for money damages.
In addition to giving rise to civil liability under tort law, non-compliance with the safe harbor principles could also violate one or another of the hundreds of federal and state privacy laws. Many of these laws, which address both government and private-sector handling of personal information, allow individuals to sue for damages when violations occur. For example:
State laws also protect personal privacy in a broad range of situations. Areas where the states have taken action include bank records, cable television subscriptions, credit reports, employment records, government records, genetic information and medical records, insurance records, school records, electronic communications, and video rentals. Of the 2933 cases found that involved “invasion of privacy” (see footnote 27), 1575 also included “damages”.