This past June, the United States Supreme Court emphatically declared: “No concrete harm, no standing.” TransUnion v. Ramirez, 142 S. Ct. 2190 (2021). This holding may seem entirely consistent with parallel pronouncements in Supreme Court opinions such as Lujan v. Defenders of Wildlife and its progeny. But its implications are, in fact, far reaching. The “concrete harm” and “injury in fact” requirements that have seemed relatively unambiguous in, e.g., breach-of-contract and personal injury cases, are often nebulous when applied to claims that arise in a cyber environment at a time when cyber activity is an increasingly prominent part of our daily lives.

The TransUnion ruling reinforced problematic tendancies in the application of traditional doctrine of standing to data privacy claims, making it very difficult for plaintiffs facing potentially catastrophic harm down the road from data breaches to articulate a present harm.