CRS Legal Sidebar – Enforcing Federal Privacy Law—Constitutional Limitations on Private Rights of Action, May 31, 2019: “Over the last two years, the prospect of a comprehensive federal data privacy law has been the subject of considerable attention in the press and in Congress. Some Members of Congress and outside groups have developed many proposals in the last six months alone. Some of the proposed legislation would limit companies’ ability to use personal information collected online, require that companies protect customers from data breaches, provide certain disclosures about their use of personal information, or allow users to opt out of certain data practices. Some proposals combine all of those elements or take still different approaches.
One overarching question that every data privacy proposal raises is how to enforce any new federal rights or obligations that a given bill would impose. One traditional method of enforcement would be by a federal agency, such as the Federal Trade Commission or Department of Justice, through civil penalties or criminal liability. A bill could also provide for enforcement in civil lawsuits brought by State Attorney Generals. Along with these methods, several outside commentator shave recently called for any new federal privacy legislation to include a federal private right of action—a right that would allow individuals aggrieved by violations of the law to file lawsuits against violators in order to obtain money damages in federal court. At least one bill proposed in Congress includes such a right: the Privacy Bill of Rights Act, S. 1214.
Such proposals for judicial enforcement by individual lawsuits must necessarily tangle with the constitutional limits on when federal courts can hear such claims. This Sidebar considers how the lower courts have addressed such questions in the wake of the Supreme Court’s 2016 decision in Spokeo v. Robins. As is discussed in detail below, these cases reveals some common principles on the limits of federal justiciability that might inform Congress’s efforts to craft a private right of action in the data privacy context…”