Mass., EU courts wrestle with requisite harm in defamation, data protection cases

The vexing problem of proof of damages in defamation and privacy has turned up recently in the Massachusetts Court of Appeals and the Court of Justice of the European Union. Meanwhile, the Massachusetts Gaming Commission borrowed European privacy principles for new data security rules.

Tiny turkey. Stéphanie Kilgast via Flickr CC BY-NC-ND 2.0

'Stolen' Turkey Money in Massachusetts

The Appeals Court in April vacated dismissal in a business dispute over turkeys. Nonprofit and business collaborators fell out over spending on variably sized turkeys for a charitable food event. The defendant wrote on social media that the plaintiff "stole" money intended for charitable purposes.

The complaint, which was filed by a Massachusetts lawyer, was messy—narrative in excess, numbering in disarray, and allegations jumbled between liability theories—so it was difficult for the trial court to parse the pleadings. With the aid of oral argument on appeal, the court teased out the defamation count and determined that it had been dismissed for want of pleaded loss.

However, Massachusetts is among jurisdictions that continue to recognize the historical doctrines of libel per se and slander per se. Those doctrines allow some pleadings to proceed without allegation of loss, and for good reason. Reputational harm is exceedingly difficult to prove, even when it seems self-evident. After all, whom should a plaintiff call to testify to prove her damaged reputation, people who now think an awful falsity about her? Witnesses will be less than eager. Even in case of a business plaintiff that suffers economic loss, it can be exceedingly difficult to tie specific losses to specific assertions of falsity.

The historical approach allows a plaintiff to demand presumed damages. That's a messy solution, because the jury is entrusted with broad discretion to assess the damages. On the plaintiff side, perhaps that's OK; we just juries to measure intangible losses all the time, as in the case of general damages for injuries, or pain and suffering. The defense bar and allied tort reformers have rebelled against presumed damages, though, arguing that they afford juries a blank check. That unpredictability makes it difficult for defendants and insurers to assess their liability exposure. Defense-oriented tort reformers have been successful in extinguishing per se defamation actions in many U.S. states.

Massachusetts splits the difference, I think in a healthy way. Per se actions are preserved, but the plaintiff is entitled to nominal damages, plus proved actual losses, but not presumed damages. I mentioned recently that the E. Jean Carroll case has spurred overblown commentary about the potential of defamation law to redress our misinformation problem. The unavailability of per se actions in many states is one reason that defamation is not up to the job. A defamation action for nominal damages helps, though, coming about as close as U.S. jurisdictional doctrine allows to a declaration of truth—which is what defamation plaintiffs usually most want.

Allegation of a crime, such as theft or misappropriation of charitable funds, fits the class of cases that qualify for per se doctrine, whether libel or slander. There is some room debate about whether social media better fits the historical mold of libel or slander, but that's immaterial here. The allegation of "stolen" money fit the bill.

The Appeals Court thus vacated dismissal and remanded the claim for defamation and related statutory tort. The court clerk entered the Memorandum and Order for Judges Mary Thomas Sullivan, Peter Sacks, and Joseph M. Ditkoff in Depena v. Valdez, No. 22-P-659 (Mass. App. Ct. Apr. 28, 2023).

Austrian post box.
High Contrast via Wikimedia Commons CC BY 3.0 DE

Non-Consensual Political Analysis in Austria

The Court of Justice of the European Union (CJEU) also recently tussled with a problem of proof of damages. The court held early in May that a claimant under the EU General Data Protection Regulation (GDPR) must claim harm for a personal data processing violation, but need not meet any threshold of seriousness.

The court's press release summarized the facts in the case:

From 2017, Österreichische Post collected information on the political affinities of the Austrian population. Using an algorithm, it defined "target group addresses" according to socio-demographic criteria. The data thus collected enabled Österreichische Post to establish that a given citizen had a high degree of affinity with a certain Austrian political party. However, that data processed were not communicated to third parties.

The citizen in question, who had not consented to the processing of his personal data, claimed that he felt great upset, a loss of confidence and a feeling of exposure due to the fact that a particular affinity had been established between him and the party in question. It is in the context of compensation for the non-material damage which he claims to have suffered that he is seeking before the Austrian courts payment of the sum of €1,000.

The plaintiff endeavored to quantify his emotional upset, but in the absence of communication of the conclusions about the plaintiff to to any third party, the claim of harm was thin. Emotional suffering resulting from the mere processing of personal data in contravention of one's advance permissions seems minimal. Accordingly, the Austrian courts, following the example of neighboring Germany, were inclined to disallow the plaintiff's action for failure to demonstrate harm.

Harm has been a sticking point in privacy law in the United States, too. Privacy torts are a relatively modern development in common law, and they don't import the per se notion of historical defamation doctrine. Tort law balances culpability with harm to patrol the borders of social contract. Thus, intentional battery is actionable upon mere unwanted touching, while merely accidental infliction of harm requires some degree of significance of injury. Defamation law arguably defies that dynamic, especially in per se doctrine, in part for the reasons I explained above, and in part because, for much of human history, personal integrity has been as essential for survival as physical security.

Not having inherited the paradigm-defying dynamic, privacy law has posed a puzzle. Scholars disagree whether damages in privacy should follow the example of business torts, requiring at least economic loss; the example of emotional distress torts, requiring at some threshold of severity; or defamation per se torts, recognizing some sui generis harm in the disruption of personal integrity. As personal data protection has grown into its own human right independent of privacy, the problem has been amplified, because, exactly as in the Austrian case, a right against the non-consensual processing of data that are personal, but not intimately personal, is even more difficult to generalize and quantify.

The problem is not only a European one. In the United States, courts and scholars have disagreed over when claims in the burgeoning wave of state data protection laws, such as the Illinois Biometric Information Privacy Act, can satisfy the "case or controversy" constitutional requirement of jurisdiction. Failure to see a sui generis harm in privacy violations means, arguably, that there is no "case or controversy" over which courts, particularly federal courts, have competence.

The CJEU balked at Austrian courts' unwillingness to see any wrong upon a claim of only intangible loss. But the court agreed that the plaintiff must demonstrate harm. Hewing to the text of the GDPR, the court reasoned that a plaintiff must show a violation of the regulation, a resulting harm, and a causal connection between the two. Thus, harm is required, but there is no requirement that the harm meet some threshold of seriousness or economic measure.

The CJEU decision was touted in headlines as "clarifying" the law of damages under the GDPR, while the stories beneath the headlines tended to do anything but. Some writers said that the court raised the bar for GDPR claims, and others said the court lowered it. Confusion stems from the fact that the court's decision spawns subsequent many questions. Conventionally, the GDPR leaves the quantum of damages to national courts. So how must a claim of de minimis harm be measured on remand? Are nominal damages sufficient compensation, or must the data protection right be quantified?

Moreover, Sara Khalil, an attorney with Schönherr in Vienna, observed that the court left out a component of tort liability that national courts sometimes require: culpability. Is there a minimal fault standard associated with recovery for mere data processing? Because tort law ties together the elements of harm and fault, at least in some jurisdictions, the one question necessarily begets the other.

RW v. Österreichische Post AG, No. C-154/21 (May 4, 2023), was decided in the First Chamber of the CJEU.

Data Security in Gambling in Massachusetts

Policymakers and courts on both sides of the Atlantic are wrestling with the problems of contemporary personal data protection. And while the gap between the GDPR and patchwork state and federal regulation in the United States has stressed international relations and commerce, it's no wonder that we see convergence in systems trying to solve the same problems.

To wit, the Massachusetts Gaming Commission has employed recognizably European privacy principles in new data security rules. For Israeli law firm Herzog Fox & Neeman, attorneys Ariel Yosefi, Ido Manor, and Kevin David Gampel described the overlap. The commission adopted the regulations for emergency effect in December 2022; final rules were published in April.

The attorneys detailed the requirements of gambling operators:

• to establish and plainly disclose to players comprehensive data privacy policies, including measures regarding data collection, storage, processing, security, and disclosure, the latter including the specific identities of third-party recipients; 
• to guarantee player rights including access, correction, objection, withdrawal of consent, portability, and complaint;
• to eschew purely automated decision-making; and
  
• to implement physical, technical, and organization security practices.

The regulations are 205 CMR 138 and 205 CMR 248 (eff. Mar. 9, 2023, publ. Apr. 28, 2023).

No right to physician aid in dying, Mass. high court holds, rejecting analogy to same-sex marriage right

In 2017, Rep. Eleanor Holmes Norton (D-D.C.) and D.C. residents
protest to protect "death with dignity" law from congressional meddling.
Ted Eytan, MD, via Flickr CC BY-SA 2.0

There is no right to physician aid in dying in the Massachusetts constitution, the commonwealth high court held in December, leaving room for legislators to fill the gap.

A cancer patient and a doctor brought the case. The plaintiff patient, a retired physician with metastatic prostate cancer, wanted counseling on physician aid in dying; the plaintiff doctor wanted to give counsel to his patients struggling with potentially terminal illness. Both plaintiffs argued that they could not get what they want for fear that doctors can be prosecuted for the state common law crime of manslaughter, that is, reckless killing, or worse.

The court opinion refers consistently to "physician-assisted suicide" (PAS), but I'm here using the term "physician aid in dying" (PAD), a difference I'll explain. The medical action at issue here is the ability to "prescri[be] ... barbiturates [with] instructions on the manner in which to administer the medication in a way that will cause death." But the plaintiffs confined their demand to patients facing fatality within six months. 

In a footnote, the court said it used "PAS" because the American Medical Association (AMA) prefers the term. The AMA regards "PAD," or the more modish "medical aid in dying" (MAID), preferred by the plaintiffs, as unfavorably "ambiguous."

Massachusetts remains with majority of states in not recognizing PAD right.
Terrorist96 (upd. Apr. 2021) via Wikimedia Commons CC BY-SA 4.0

Facially, both terms are potentially ambiguous; the quibble over semantic precision faintly masks the policy disagreement. "PAS" implicates suicide in the conventional sense, comprising the intentional ending of one's life for any reason, including the expression of mental illness. That's a bigger ask in terms of constitutional entitlement. The 10 states (plus D.C.) that allow PAD, such as Oregon, require a terminal diagnosis and purport to exclude conventional suicide. "PAD" and "MAID," accordingly, mean to narrow the fact pattern to a patient who is hastening a process of natural death that already is under way, or at best ending an inescapable and intolerable suffering.

I learned about this distinction, and more in this area, only recently, as a student in my Comparative Law class is working on a research paper comparing MAID laws in Oregon and the Netherlands. In her early stage of topic selection, I referred her to, and recommend to everyone, my top This American Life segment of 2022, "Exit Strategy." The heartbreaking segment comprises excerpts of Connecticut writer Amy Bloom reading from her book, In Love: A Memoir of Love and Loss, which documented the figurative and literal journey of her and her husband to end his life in Switzerland after his diagnosis with Alzheimer's. I might one day read the whole book, but I'll need to work up the emotional strength.

The court's thorough opinion by Justice Frank M. Gaziano largely tracked the reasoning of the U.S. Supreme Court in declining to recognize PAD as a fundamental right, because it's supported neither by historical tradition nor widespread acceptance. Insofar as PAD is a reality on the ground for doctors and terminally ill patients, it still carries a stigma, the Massachusetts opinion observed. The medical community itself is divided over PAD, evidenced by amici in the case. In the absence of a fundamental right, state criminal law easily survives rational-basis review for substantive due process.

The Supreme Judicial Court recognized its own power and responsibility, in contrast with the more conservative U.S. Supreme Court, to tend and grow the scope of fundamental rights protected in Massachusetts, adapting the state Declaration of Rights to new social challenges. The Massachusetts court exercised that very power when it approved same-sex marriage in the commonwealth in Goodridge v. Department of Public Health (2003), 12 years before the U.S. Supreme Court did likewise for the nation in Obergefell v. Hodges (2015).

Voters reject the PAD initiative in Massachusetts in 2012.
Emw & Sswonk via Wikimedia Commons CC BY-SA 3.0

But the milieu in Massachusetts is hardly conducive to Goodridge delivering this plaintiff ball across the goal line, the court concluded. To the contrary, the court observed, Massachusetts voters rejected a PAD ("Death with Dignity") ballot initiative in 2012 (51% to 49% in "ferocious political battle"), "over a dozen bills" to legalize PAD have failed in the legislature, and statutes regulating healthcare affirmatively disallow PAD counseling.

The court opinion includes an intriguing discussion of standing. The case was something of a put-on, because local prosecutors did not threaten the plaintiff physician with prosecution. Again, the court acknowledged that doctors engage in PAD now, if quietly, criminal law notwithstanding. In reality, there is not a bright line between PAD and appropriate palliative care, or between "terminal sedation" and "palliative sedation." Prosecutors helped plaintiffs to sustain the case by saying that they would not decline to prosecute.

In the end, the court decided the case only in the matter of the physician. The court rejected the plaintiff patient's claim because he had not been given a six-month prognosis, and his cancer remained susceptible to treatment by multiple options. In the patient's defense, I'm not sure someone with a six-month prognosis would have time to prosecute the case to the high court, nor should be expected to. Justice Dalila Argaez Wendlandt aptly dissented on the point. The patient here submitted that he did not necessarily want PAD, but wanted to have the option to be counseled for it if the need arises. Anyway, the court allowed standing for the doctor on a theory of jus tertii ("third-party right"), when one person is allowed to assert the rights of another upon a close nexus of interests. This notion is implicated on the issue of standing in the mifepristone case now before the U.S. Supreme Court.

In separate opinions, Justices Wendlandt and Elspeth B. Cypher left the door ajar to a rights argument on the right facts. Justice Cypher wrote that some "constitutional zone of liberty and bodily autonomy" should preclude prosecution for "late-stage palliative care." Justice Wendlandt reasoned similarly that as a patient approaches death, the state interest in preserving life by way of criminal law wanes, eventually even as to fail rational-basis review of a "nonfundamental right."

Nothing about the court's opinion precludes the state legislature from reengaging with PAD, which has been legalized in the northeast in New Jersey, Maine, and Massachusetts neighbor Vermont.

The case is Kligler v. Attorney General, No. SJC-13194 (Mass. Dec. 19, 2022), available from the Alliance Defending Freedom, a conservative religious freedom advocacy group that participated as amicus on the side of the Attorney General.

Boston Bar panel surveys landscape of privacy law, data protection policy, class action litigation

Attorneys Melanie Conroy, Marjan Hajibandeh, and Matthew M.K. Stein

We had great fun yesterday, as lawyer fun goes, talking about privacy law in the United States, from the impact of the Privacy Shield collapse to the latest litigation under California's groundbreaking consumer privacy protection law.  I was privileged to appear in a Boston Bar Association program on privacy class action litigation, led by attorney Melanie A. Conroy, CIPP/US, of Pierce Atwood LLP, alongside practicing-attorney panelists Matthew M.K. Stein, of Manatt, Phelps & Phillips, LLP, and Marjan Hajibandeh of CarGurus, Inc. 

Our topical reach was a breathless sprint across a dramatic landscape.  We opened with our respective thoughts on developments in privacy law, Conroy observing that the fast-paced field has undergone seismic shifts again and again in recent years, from the implementation of the California Consumer Privacy Act (CCPA) to the $18m Equifax data breach settlement in Massachusetts.

I spoke to the impact of the European Court of Justice decision ("Schrems II" (ECJ July 16, 2020)) invalidating the U.S.-EU Privacy Shield as a motivator for U.S. reform.  Besides the significance of the case in Europe and our foreign relations, the decision signals that a quarter century after adoption of the first European Data Protection Directive, Europe's patience with American recalcitrance has finally run out.

Julie Brill (MS CC) and William Kovacic

Former Federal Trade Commissioner Julie Brill told the Senate Commerce Committee this week that in two years, 65% of the world will be living under data protection laws, most of them modeled after the EU General Data Protection Regulation (GDPR).  As former Federal Trade Commission (FTC) Chairman William Kovacic put it, if we don't pass legislation in the United States, "we will get a national privacy policy: the GDPR."  As I tweeted this week, hearing testimony drove the usually cool and collected Senator Maria Cantwell (D-Wash.) to exclaim, "My God, this is clear, we need a strong privacy law." And Americans are ready; Brill said that nine out of ten Americans now believe that privacy is a human right.

Sen. Cantwell

Our panel ran down the latest developments in class action privacy litigation, loosely divided on the fronts of biometric data class actions, mostly arising under Illinois's pioneering Biometric Information Privacy Act; CCPA-related class actions in California; and data breach litigation.  I ran down cases in the latter vein and talked some about the present circuit split over Article III standing.  Federal courts have divided over whether "theft alone" can constitute concrete injury for constitutionally minimal standing, or plaintiffs must show some subsequent misuse of their data.  This issue is not limited to the data breach area, but has implications across a wide range of statutory enforcement systems, including the Fair Credit Reporting Act.

For my part, I predict that our dawning, if belated, understanding of the monetary value of personally identifiable information (PII) will lead us to the inevitable conclusion that theft alone suffices.  This is evidenced, for example, in Hogan v. NBCUniversal (D.R.I. filed Aug. 27, 2020), over the sale of Golf Channel subscriber identities, which subsequently were associated with other PII and resold.  Though for the time being, my favored conclusion is arguably not the inclination evidenced in the U.S. Supreme Court in Spokeo, Inc. v. Robins, in 2016.  Senator Dick Blumenthal (D.-Conn.) mentioned this week, apropos of current events, that Justice Ginbsburg, joined by Justice Sotomayor, dissented in Spokeo on just this point.

The late Justice Ginsburg; Sen. Blumenthal

Our next panel focus was developments in the First Circuit and Massachusetts.  In Massachusetts Superior Court in Boston, data breach litigation, filed in May 2019, against Massachusetts General Hospital, Brigham & Women's Hospital, and the Dana-Farber Cancer Institute, over online patient-service communications occurring outside secure portals, raises the very question of concrete harm, which may be resolved differently at the state level than under the federal Constitution.  Meanwhile in federal court, the same issue in data breach litigation, filed in March 2020, in Hartigan v. Macy's, highlights the lack of First Circuit precedent on the question since Spokeo, while citing strong pre-Spokeo indications that the First Circuit would favor the misuse-required position.

In parting observations, I offered that we have a long road ahead.  Of all the bills pending in Congress (see EPIC's excellent April report), only some propose a private cause of action and none attacks the problem of government surveillance, both purported prerequisites to European restoration of authorized trans-Atlantic data flow.  Within the U.S Congress, there appears to be bipartisan support for some kind of nationwide privacy legislation.  But the questions of private or FTC enforcement, and whether preemption would mean a legislative floor or ceiling remain sticking points that could derail the process.