Privacy & Information Security Law Blog

On February 26, 2013, the United States Supreme Court decided in Clapper v. Amnesty International that U.S. persons who engage in communications with individuals who may be potential targets of surveillance under the Foreign Intelligence Surveillance Act (“FISA”) lack standing to challenge the statute’s constitutionality. The Supreme Court determined that the plaintiffs’ alleged injuries were not “certainly impending” and that the measures they claimed to have taken to avoid surveillance were not “fairly traceable” to the challenged statute. Although this 5-4 decision would not be considered a “privacy” or “data breach” case, the Court’s analysis will have a significant impact on such cases going forward, and may thwart the ability of individuals affected by data breaches to assert standing based on possible future harm.

The FISA was enacted in 1978 to authorize and regulate certain government electronic surveillance of communications for foreign intelligence purposes. Congress also created a specialized court, known as the Foreign Intelligence Surveillance Court (“FISC”) to approve electronic surveillance for foreign intelligence purposes where there is probable cause to believe that the target of the electronic surveillance is a foreign power or the agent of a foreign power.

Following the attacks on 9/11, President George W. Bush authorized the National Security Agency (“NSA”) to conduct warrantless wiretapping in cases where one party to a telephone or electronic communication was located outside the U.S. and a participant in the communication was reasonably believed to be a member or agent of al-Qaeda or an affiliated terrorist organization. In the wake of FISC decisions that subjected the NSA’s surveillance program to FISC review and narrowed the scope of Bush’s authorization, Congress enacted the FISA Amendments Act of 2008. The FISA Amendments Act created a new framework under which the government may seek the FISC’s authorization to conduct foreign intelligence surveillance targeting the communications of non-U.S. persons located abroad without requiring that the government show the target is a foreign power or agent thereof.

Clapper v. Amnesty International involved a constitutional challenge to a part of the FISA Amendments Act by a group of attorneys, human rights, labor, legal and media organizations who allegedly engaged in sensitive and sometimes privileged communications with individuals abroad who they believed to be likely targets of surveillance under the FISA Amendments Act.

The group asserted Article III standing by claiming that (1) there is “an objectively reasonable likelihood” that their communications will be intercepted in the future, and (2) they can establish injury resulting from measures that they undertook to avoid surveillance. They argued that their injuries are “fairly traceable to [the statute] because the risk of surveillance [under the statute] requires them to take costly and burdensome measures to protect the confidentiality of their communications.”

Writing for the majority, Justice Alito held that whether the Government would imminently target the group’s communications was “speculative,” stating that the fact they “merely speculate and make assumptions about whether their communications with their foreign contacts will be acquired” was insufficient as they had failed to set forth “specific facts.” The majority concluded that the “speculative chain of possibilities does not establish that injury based on potential future surveillance is certainly impending or is fairly traceable to” the challenged statute. The affirmation that potential future injury must be “certainly impending” or “fairly traceable” is instructive in the privacy and data breach context given the abundance of cases alleging fear or anxiety on the part of affected individuals despite the absence of any credible threat of identity theft.

As to the group’s argument that that they suffered injury based on measures affirmatively taken to avoid surveillance, Justice Alito reasoned that the group “cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.” Further, allowing an “action based on costs they incurred in response to a speculative threat would be tantamount to accepting a repacked version of respondents’ first failed theory of standing.” The majority’s clear directive that incurring costs to avoid speculative harm does not create standing will have plain applicability to allegations common in privacy and data breach suits that injury occurred when individuals took extra precautions, such as purchasing identity theft protection, out of fear of a possible future harm.