March 2, 2023Tatjana Calimpong-Burke

The Cry for Stronger Consumer Protection Standing in the United States

A blog post by Kaitlin Maguire, Junior Associate

Privacy law and data breaches face head-to-head at the narrowest of crossroads. Data consumer protection standing in the United States is comprised of dead ends, leaving consumers unable to achieve the high bar of Article III. [1] The United States embodies a patchwork of regulations stemming from various areas of law, producing insufficient legal theories and causes of action.[2] While a patchwork scheme encompasses the United States cyber law and data consumer protection, the European Union promotes firmer consistency and security with the “General Data Protection Regulation” (herein referred to as “GDPR”). [3]

Article 82 of the GDPR permits a European Union consumer organization to assert a claim against a data “processor” without demonstrating that actual harm has occurred to the consumer. [4] European courts consistently interpret the concept of “damage” broadly, thus favoring and providing protection for the consumer. [5]In the United States, however, to constitute “injury in fact,” under Article III, a consumer must show the harm suffered is “concrete” and “particularized,” thus making it nearly impossible to demonstrate such after a breach occurred. [6]

For the United States to equate itself with the strength of the GDPR, it must adopt similar regulations and supply a registry of certified consumer organizations that will be permitted to bring an action on behalf of consumers. Article III standing would benefit by expanding to groups of pre-authorized entities to obtain an injunction, preventing litigation, encouraging entities to put more robust data-protection schemes in place, and acting as a prospective scheme.

[1] Thomas Haley, ARTICLE: DATA PROTECTION IN DISARRAY, 95 WASH. L. REV. 1193 (2020).

[2] See generally Monique Leahy, J.D. Litigation of Data Breach, 140 AM JUR TRIALS 327 (explaining the various sources that compose cybersecurity law and data regulation).

[3] See General Data Protection REGULATION (EU) 2016/679 Directive 95/ 46/ EC (April 2016).

[4] HOGAN LOVELLS PUBLICATIONS (July 2018) (Last accessed February 8, 2023).

[5] Johanna Chamberlain & Jane Reichel, PRIVACY FORUM: THE RELATIONSHIP BETWEEN DAMAGES AND ADMINISTRATIVE FINES IN THE EU GENERAL DATA PROTECTION REGULATION, 89 MISS. L.J. 667 (2020).

[6]Haley, supra, note 1.

Leave a Reply

Your email address will not be published. Required fields are marked *