U.S. Supreme Court and State Legislatures Address Privacy Issues in the Workplace

A loaded question, admittedly, but the answer for the Supreme Court, once again, is no.

In Federal Aviation Administration v. Cooper, No. 10-1024 (March 28, 2012), the Supreme Court had to decide whether individuals may recover actual damages under the Privacy Act for sustaining mental or emotional distress. 5 U.S.C. §552a(g)(4)(A). Writing for the majority in a 5-3 decision, (which did not involve Justice Kagan), Judge Alito dispatched with all suspense by first declaring the holding that the Act does not provide for such remedies. The Privacy Act bears unique qualities. It covers the activities of Executive Branch agencies who hold confidential records. The Act permits an individual to file a civil suit against an agency over "intentional or willful" violations of the Act. 5 U.S.C. §552a(g)(1)(D) & 5 U.S.C. §552a(g)(4)(A). An individual can recover "actual damages" upon proving that an agency has violated the requirements of the Act "in such a way as to have an adverse effect on an individual". Id.

In Cooper, the plaintiff pilot had been a licensed pilot since 1964. In 1985, he was diagnosed as having the immunodeficiency virus (HIV) infection and, as a result, started taking antiretroviral medication. In 1985, pilots with such conditions did not receive medical certificates. Plaintiff did not apply for a medical certificate until 1994, and did not disclose his HIV status or detail his medication. Through 2004, he renewed his medical certificate four times while knowingly not disclosing data about his medical condition. During the same time span, however, plaintiff separately applied for Social Security disability benefits. Later, in 2002, the Department of Transportation initiated a criminal investigation to find individuals who had obtained medical certificates to pilot planes even though they had disqualifying medical conditions. To pursue its investigation, the FAA gave the Social Security Administration a list of 45,000 licensed pilots in California, along with other designated data for cross-checking purposes. The SSA compared the FAA data with its own data on recipients of benefits and produced a spreadsheet provided to the FAA. .

The first outcome was somewhat predictable. Plaintiff was indicted with three counts of making a false statement to a government agency. 18 U.S.C. §1001. Plaintiff eventually pled guilty to one count of making and delivering a false official writing under 18 U.S.C. §1018. His sentence included two years of probation and a $1,000 fine. The post-conviction phase, however, likely started an unexpected journey for all involved. Plaintiff filed his civil suit and charged the FAA, DOT and SSA with violating the Privacy Act by sharing his data with one another without his consent. Plaintiff lost on summary judgment, but not over whether defendants had intentionally or willfully violated the Act through their sharing of data. ("With certain exceptions, it is unlawful for an agency to disclose a record to another agency without the written consent of the person to whom the record pertains. 5 U.S.C. 552a(b)."). Instead, the plaintiff lost because the District Court found that the plaintiff sought damages solely for mental and emotional harm, and that in the absence of a waiver of sovereign immunity for such damages, the Privacy Act did not provide for such relief. The Ninth Circuit reversed the District Court and remanded which returns us to the Supreme Court's holding that pronounces the absence of a remedy for mental or emotional distress damages under the Privacy Act. The balance of the majority opinion focuses on the plaintiff's inability to show a waiver of sovereign immunity for damages other than what is termed special damages. As the majority states in its summation, "In sum, applying traditional rules of construction, we hold that the Privacy Act does not unequivocally authorize an award of damages for mental or emotional distress."

Nevertheless, and in particular, private employers must remain aware that their state legislatures may see privacy from a different perspective than courts who are saddled with precedents. For example, last week, the Illinois House passed a bill to amend the Illinois Right to Privacy in the Workplace Act, 820 ILCS 55/10. The amendments would bar employers from demanding usernames, passwords, or other related account data to access a social networking site where an applicant or employee maintains an account or profile. HB3782 (Illinois House). The bill passed by a wide margin in the Illinois House and is expected to pass in the Illinois Senate. As a result, when an employer ponders hiring or disciplinary decisions based on data obtained from outside the workplace, the first step is to review whether procuring and using such data will not result in later litigation or liability exposure.