McDonough v. Anoka County
- Federal Appeals Court Revives Driver Privacy Claims: In McDonough v. Anoka County, a federal appeals court has revived several cases under the Driver's Privacy Protection Act. A lower court previously ruled that the plaintiffs, including female journalists, failed to bring the claims in time. EPIC argued as amicus that "discovery" not "occurrence" is the correct standard for time limitations in privacy cases. Although the appellate court affirmed that some claims were time barred, it permitted many of the claims to proceed. The defendants' justifications for accessing the plaintiffs' driving records, wrote the court, "are not sufficiently convincing to undermine the reasonable inference of impermissible purpose." The appellate court also acknowledged that "[EPIC] raises legitimate concerns about the ability of identity thieves to utilize sensitive personal information found in motor vehicle records and the difficulty in detecting such a crime within the applicable limitations period." (Aug. 20, 2015)
- EPIC Urges Extended Relief for Driver Privacy Claims: EPIC has filed a "friend of the court" brief in McDonough v. Anoka County, a case involving the Driver's Privacy Protection Act. That law protects the privacy of driver record information held by state Department of Motor Vehicles. EPIC argued that a court was wrong to dismiss legal claims before people knew that their information was improperly disclosed by the DMVs. EPIC said that courts should follow the "discovery rule" so that victims can bring cases after they learn their personal information has been impermissibly accessed. EPIC has frequently defended this important federal privacy law. For more information, see EPIC - Reno v. Condon, EPIC - DPPA, EPIC - Maracich v. Spears, and EPIC - Gordon v. Softech Int'l. (Jun. 6, 2014)
The Drivers Privacy Protection Act (DPPA), Public Law No. 103-322 codified as amended by Public Law 106-69, was originally enacted in 1994 to protect the privacy of personal information assembled by State Department of Motor Vehicles (DMVs). The DPPA was passed in reaction to a series of abuses of drivers' personal information held by the government.
Reno v. Conden
The DPPA survived a Constitutional challenge in Reno v. Condon, 528 U.S. 141 (2000). In that case, the state of South Carolina challenged the DPPA arguing that the Act violated principles of federalism. The Supreme Court upheld the constitutionality of the Act as a proper exercise of Congress' authority to regulate interstate commerce under the Commerce Clause. EPIC filed an amicus brief in that case that argued in part:
"The Drivers Privacy Protection Act safeguards the personal information of licensed drivers from improper use or disclosure. It is a valid exercise of federal authority in that it seeks to protect a fundamental privacy interest. It restricts the activities of states only to the extent that it concerns the subsequent use or disclosure of the information in a manner unrelated to the original purpose for which the personal information was collected. The states should not impermissibly burden the right to travel by first compelling the collection of sensitive personal information and then subsequently disclosing the same information for unrelated purposes."
Maracich v. Spears
In 2012, EPIC urged the U.S. Supreme Court in another amicus brief to limit the disclosure of personal information covered by the Driver's Privacy Protection Act. At issue in Maracich v. Spears was a lower court decision to allow disclosure of information stored in state departments of motor vehicles for the solicitation of clients by lawyers. EPIC's amicus brief detailed the staggering amount of personal information available in driver's records, particularly as a consequence of the REAL ID regulations. EPIC urged the Court to construe the statutory exceptions narrowly.
The Court concluded that the "litigation exception" of the Driver Privacy Protection Act ("DPPA") did not permit attorney solicitation of clients. Writing for the 5-4 majority, Justice Kennedy stated that a broad interpretation of “in connection with” in (b)(4) should be avoided for the following reasons: (1) such indefinite phrases must have a limiting principle; (2) Congress intended the DPPA exceptions to be narrow; and (3) driver privacy should be protected because state residents cannot avoid submitting personal information to the DMV. As one of the four exceptions that allow for disclosure of not only “personal information” but “highly restricted personal information” - which includes Social Security Numbers, photographs and medical information - a narrow reading of the exception was most prudent. Accordingly, “investigation in anticipation of litigation” was also read narrowly to be limited to background research in order to determine the necessity of a complaint.
The Court's opinion in Maracich represented a strong endorsement for the general structure of privacy protecting statutes: blanket prohibitions on use of sensitive information, with narrow, targeted exceptions for permissible uses. When interpreting these statutes, the Court made clear that exceptions must be explicit and should not be read to the broadest extent allowed by the text, but rather should follow Congressional intent.
The Driver's Privacy Protect Act of 1994, 18 U.S.C. §§ 2721-2725 was enacted to protect individuals from the harm caused by misuse and unauthorized disclosures of the personal information they provide to state agencies that maintain motor vehicle records. The DPPA protects Americans from both physical and financial harms. In addition, the DPPA provides important limits on the collection and use of personal information by data brokers.
In McDonough v. Anoka County, a plaintiff brought suit against the Minnesota Department of Public Safety, as well as numerous cities and counties, alleging violations of the Driver's Privacy Protection Act ("DPPA") and other laws. The plaintiff brought suit after she learned through a state DMV audit that her driver records had been accessed hundreds of times. The United States District Court of Minnesota dismissed some of McDonough's DPPA claims after it concluded that they were barred by the statute of limitations.
Issue on Appeal
Whether Plaintiff's Driver's Privacy Protection Act claims against all Defendants should be barred by the statute of limitations under 28 U.S.C. § 1658(a), applying the rule that the claim accrues upon occurrence of the acts violating the Driver's Privacy Protection Act rather than when Plaintiff discovered or in the exercise of reasonable diligence should have discovered those acts?
EPIC has an interest in maintaining strong privacy protections for driver records and other personally identifiable data held by state DMVs. The DPPA provides an important privacy right to all Americans, but the statute of limitations rule applied by the lower court in McDonough would limit the ability of many DPPA victims to seek redress in federal court. EPIC has previously filed "friend of the court" briefs in other DPPA cases, including Maracich v. Spears, 133 S. Ct. 2191 (2013), and Gordon v. Softech International Inc., 726 F. 3d 42 (2d Cir. 2013).
United States Court of Appeals for the Eighth Circuit
- Appellant Bass's Statement of the Issues
- Appellant McDonough's Opening Brief
- Brief of Amicus Curiae Electronic Privacy Information Center in Support of Appellant McDonough
- Brief of Amicus Curiae Electronic Privacy Information Center in Support of Appellant Mitchell
- Appellees' Responses in Opposition to EPIC's Motion to File Amicus Curiae Brief
- McDonough v. Anoka County et al.
- Opposition of Cities of Apple Valley et al.
- Opposition of Benton County et al.
- Opposition of City of Minneapolis
- Opposition of Ramsey County
- Opposition of City of St. Paul
- Mitchell v. Aitkin County et al.
- Memorandum Opinion (Aug. 20, 2015)
United States District for the District of Minnesota
- Tom Steward, Data privacy snooping claims mount against MN cops, government employees, Watchdog.org (Oct. 10, 2013)
Share this page:
EPIC relies on support from individual donors to pursue our work.
Subscribe to the EPIC Alert
The EPIC Alert is a biweekly newsletter highlighting emerging privacy issues.
Communications Law and Policy
Jerry Kang and Alan Butler