This week the U.S. Supreme Court held in Federal Aviation Administration v. Cooper that an individual harmed by a federal agency’s violation of the Privacy Act cannot recover damages unless he or she is able to prove an economic loss.  Under the Privacy Act, federal agencies are prohibited from disclosing “any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains,” unless one of twelve statutory exceptions applies.  An individual may sue an agency for “actual damages” if the agency intentionally or willfully violates the Act’s requirements. 

At issue in the case was whether mental and emotional distress could constitute “actual damages.”  The respondent, a pilot whose pilot certificate was revoked based on medical records that were wrongfully disclosed by the Social Security Administration (SSA) to another government agency, claimed that the SSA’s disclosure of his confidential medical information (including his HIV status) had caused him mental and emotional distress.  Acknowledging that the meaning of “actual damages” is ambiguous and varies depending on the context, Justice Alito, writing for a 5-3 majority (Justice Kagan did not participate in the case), interpreted the term narrowly in the government’s favor based on the concept of sovereign immunity, which limits a person’s ability to recover from sovereign governments.  Under this narrow interpretation, “actual damages” as used in the Privacy Act requires an economic loss and excludes recovery for mental and emotional distress.  Consequently, the respondent was left without recourse for the SSA’s unlawful disclosure of his medical information.     

Although the holding turned on the fact that the federal government — as opposed to, for example, a private entity — disclosed the information, the majority opinion drew parallels between the Privacy Act and common law defamation and privacy torts to differentiate between “general damages” and “special damages.”  Justice Alito equated “actual damages” with “special damages,” which he argued are limited to pecuniary losses.  In contrast, he argued that “general damages” cover nonpecuniary damages, including mental and emotional distress.   

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Lindsey Tonsager Lindsey Tonsager

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection…

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection laws, and regularly represents clients in responding to investigations and enforcement actions involving their privacy and information security practices.

Lindsey’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of artificial intelligence, data processing for connected devices, biometrics, online advertising, endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, e-mail marketing, disclosures of video viewing information, and new technologies.

Lindsey also assesses privacy and data security risks in complex corporate transactions where personal data is a critical asset or data processing risks are otherwise material. In light of a dynamic regulatory environment where new state, federal, and international data protection laws are always on the horizon and enforcement priorities are shifting, she focuses on designing risk-based, global privacy programs for clients that can keep pace with evolving legal requirements and efficiently leverage the clients’ existing privacy policies and practices. She conducts data protection assessments to benchmark against legal requirements and industry trends and proposes practical risk mitigation measures.