No Harm, No Court: An International Approach to Data Privacy Harms and Article III Standing - Student Journal of Information Privacy Law

No Harm, No Court: An International Approach to Data Privacy Harms and Article III Standing

Emily Fowler

In the United States, cases brought regarding privacy violations are being dismissed early in the litigation process because U.S. law remains tied to historical analysis of injuries, whereas other legal systems around the world are taking a more forward-thinking approach to these issues. Trends in recent cases show that claims for privacy violations, such as the capture of individual interactions with websites through session-replay technology, are being dismissed for lack of standing.^[1] Article III standing is a concept based in Constitutional Law. Under Article III, federal courts’ authority is limited so that they may only hear “Cases” and “Controversies”.^[2] To bring a case or controversy before a federal court, plaintiffs must have standing (a “personal stake” in the case).^[3] Three elements must be met to have standing: (1) there is “an ‘injury in fact’ that is both ‘concrete and particularized’ and ‘actual or imminent’”; (2) “the injury is ‘fairly traceable’ to the challenged conduct”; and (3) the injury likely “‘will be redressed by a favorable decision.’”^[4]

These standing requirements pose problems for plaintiffs seeking compensation for privacy harms in the U.S. Frequently, when individuals’ privacy is invaded, they feel legitimately injured; however, because they cannot show actual loss, their cases are dismissed for lack of standing.^[5] This pattern can be seen in the 2025 case of Popa v. Microsoft Corp., 153 F.4th 791 (2025).^[6] In this case, Plaintiff Ashley Popa filed a class-action suit in the U.S. District Court for the Western District of Pennsylvania bringing claims under Pennsylvania’s Wiretapping and Electronic Surveillance Control Act and for the tort of Invasion of Privacy – Intrusion Upon Seclusion.^[7] Popa claimed that her privacy was invaded when she interacted with a pet supply website that made use of Microsoft’s Clarity session-replay technology.^[8] This technology allows businesses to track users’ activity on their websites (including mouse movements, keystrokes, browser and operating system information, etc.) to “determine which parts of its website are effective with customers and which are not.”^[9] Popa alleged privacy violations occurred when her information was collected by Clarity.^[10] On appeal, the U.S. Court of Appeals for the Ninth Circuit held that “Popa ha[d] not met her burden to demonstrate that she has standing.”^[11]

This decision highlights significant U.S. jurisprudence that is (perhaps overly) focused on history when assessing concreteness of an alleged injury.^[12] For the purposes of this article, there are a few key takeaways from the court’s analysis. First, the court reached its holding because binding Supreme Court precedent identified history and close historical common law analogues “as the touchstone for concreteness.”^[13] Here, the court found that Popa’s alleged injury had no analogue.^[14] The court determined that the tracking Popa described is not highly offensive and “seems more similar to a store clerk’s observing shoppers in order to identify aisles that are particularly popular . . . .”^[15] Furthermore, the potential for harm, even if it is very serious, is not enough to meet standing requirements.^[16] Thus, even though Popa legitimately felt injured by this tracking and collecting of her information, she still could not meet the standing requirements and could not have her case heard further, let alone be compensated for her perceived harms.

While the analysis in this decision is sound under current U.S. law, it may be time for the U.S. to start reconsidering concreteness of injury in the context of privacy harms in order to better protect consumers and keep pace with influential legal systems around the world. For example, the Court of Justice of the European Union (CJEU), the EU’s highest Court, held that, under the General Data Protection Regulation (GDPR), national courts are precluded from requiring non-material damage suffered to reach “a certain degree of seriousness” for compensation.^[17] This 2023 case arose when an Austrian address broker collected information on individuals’ political affiliation and sold data to organizations for targeted advertising.^[18] The plaintiff “had not consented to the processing of his personal data, [and] felt offended by the fact that an affinity with the party in question had been attributed to him.”^[19] Notably, he alleged the harms of feeling “great upset, a loss of confidence, and a feeling of exposure.”^[20] In reaching its decision, the court notes that Article 82 of the GDPR clearly contemplates non-material damage without a threshold of seriousness, and that “damage” should be interpreted broadly to reflect the objectives of the GDPR.^[21]

Building on this reasoning, the Court of Appeal (Civil Division) in the UK relied on the same CJEU case and similarly held that claims cannot “be dismissed for failing to meet a threshold of seriousness.”^[22] Here, a class of members of a pension scheme alleged a misuse of personal information and infringement of the GDPR when their annual benefit statements were mailed to the wrong addresses.^[23] The appellants sought “compensation for injury to feelings . . . suffered due to fear of third-party misuse of their personal data.”^[24] This court similarly found that “damages” should be broadly construed and referred to the CJEU’s decision in its reasoning, even though the UK is not bound by CJEU decisions made after Brexit was completed.^[25] The court held that “in principle a claimant can recover compensation for fear of the consequences of an infringement if the alleged fear is objectively well-founded but not if the fear is (for instance) purely hypothetical or speculative.”^[26] Furthermore, “[i]t is obvious that a person can hold well-founded fears about future harm even if no such harm in fact results.”^[27] Interestingly, in support of its decision not to introduce a seriousness threshold, this court discusses how two similar torts that protect the same value do not need to provide identical remedies and that “the mere fact that differences exist between the ingredients of individual torts is not proof of incoherence.”^[28]

Taking the UK and EU approach might lead to the same outcome for plaintiffs like Popa. She may not be compensated for her real fear that she is constantly being surveilled, even on seemingly neutral and innocuous websites, and for her concern for how these sites might use her data nefariously. However, it is clear that consumers around the world feel this type of fear from privacy violations and are continuing to file lawsuits, so courts seem likely to continue facing these types of questions. When confronted with these lawsuits, influential courts both in the EU and in the UK’s common law system are not looking to history. They are not attempting to fit complex online injuries into molds made years before anyone was even contemplating issues like session-replay technology. It may be time for the U.S. to start thinking this way as well.

Along these lines, I would suggest that the court in this case misapplies its analogy to the store clerk. Online tracking and data collection create unique risks because bad actors can access and keep much more personal information than a store clerk can through in-person observation. Even if the analogy applies, I doubt many people would feel safe if they could feel a clerk watching and following their every move. As everyday life moves increasingly online, it is important to find a balance in the law that remains true to the constitutional limits on federal courts’ authority and avoids overburdening the courts, especially with frivolous claims. However, basing this analysis purely on historical analogues does not account for our quickly-evolving and evermore online reality. As the UK case shows, courts can account for new concepts of injury given changes in technology and access to information but still dismiss purely hypothetical claims of injury.^[29] The CJEU further describes how removing a “threshold of seriousness” can actually create more consistency in the application of the law across cases.^[30] Modern issues require new approaches, and these international cases could provide a starting point for the U.S. to consider as these issues continue to be brought before federal courts.

^[1] E.g., Popa v. Microsoft Corp., 153 F.4th 784, 791 (9th Cir. 2025).

^[2] Id. at 788 (quoting U.S. Const. art. III, § 2).

^[3] Id. (quoting TransUnion LLC v. Ramirez, 594 U.S. 413, 430–31 (2021)).

^[4] Id. (quoting Lujan v. Defs. of Wildlife, 504 U.S. 555, 560–61 (1992)).

^[5] See id. at 791.

^[6] Id.

^[7] Id. at 787.

^[8] Id. at 786-787.

^[9] Id. at 786.

^[10] Id. at 786-787.

^[11] Id. at 791.

^[12] See id. at 788-791.

^[13] Id. at 789.

^[14] Id. at 791.

^[15] Id.

^[16] Id. n.5.

^[17] UI v. Österreichische Post AG, Case C-300/21, ECLI:EU:C:2023:370, ¶ 51 (2023).

^[18] Id. at ¶ 11.

^[19] Id. at ¶ 12.

^[20] Id.

^[21] Id. at ¶¶ 45-46.

^[22] Farley v. Paymaster, Case CA-2024-000578, [2025] EWCA Civ 1117, ¶ 6 (2025).

^[23] Id. at ¶ 2.

^[24] Id.

^[25] Id. at ¶¶ 30, 54.

^[26] Id. at ¶ 75.

^[27] Id. at ¶ 80.

^[28] Id. at ¶¶ 68-69.

^[29] Id. at ¶ 81.

^[30] UI, Case C-300/21, ¶ 49.