Concerning the Applicable Statute of Limitations for DPPA Claims
The Drivers Privacy Protection Act (DPPA), Public Law No. 103-322 codified as amended by Public Law 106-69, was originally enacted in 1994 to protect the privacy of personal information assembled by State Department of Motor Vehicles (DMVs). The DPPA was passed in reaction to a series of abuses of drivers’ personal information held by the government.
Reno v. Conden
The DPPA survived a Constitutional challenge in Reno v. Condon, 528 U.S. 141 (2000). In that case, the state of South Carolina challenged the DPPA arguing that the Act violated principles of federalism. The Supreme Court upheld the constitutionality of the Act as a proper exercise of Congress’ authority to regulate interstate commerce under the Commerce Clause. EPIC filed an amicus brief in that case that argued in part:
“The Drivers Privacy Protection Act safeguards the personal information of licensed drivers from improper use or disclosure. It is a valid exercise of federal authority in that it seeks to protect a fundamental privacy interest. It restricts the activities of states only to the extent that it concerns the subsequent use or disclosure of the information in a manner unrelated to the original purpose for which the personal information was collected. The states should not impermissibly burden the right to travel by first compelling the collection of sensitive personal information and then subsequently disclosing the same information for unrelated purposes.”
Maracich v. Spears
In 2012, EPIC urged the U.S. Supreme Court in another amicus brief to limit the disclosure of personal information covered by the Driver’s Privacy Protection Act. At issue in Maracich v. Spears was a lower court decision to allow disclosure of information stored in state departments of motor vehicles for the solicitation of clients by lawyers. EPIC’s amicus brief detailed the staggering amount of personal information available in driver’s records, particularly as a consequence of the REAL ID regulations. EPIC urged the Court to construe the statutory exceptions narrowly.
The Court concluded that the “litigation exception” of the Driver Privacy Protection Act (“DPPA”) did not permit attorney solicitation of clients. Writing for the 5-4 majority, Justice Kennedy stated that a broad interpretation of “in connection with” in (b)(4) should be avoided for the following reasons: (1) such indefinite phrases must have a limiting principle; (2) Congress intended the DPPA exceptions to be narrow; and (3) driver privacy should be protected because state residents cannot avoid submitting personal information to the DMV. As one of the four exceptions that allow for disclosure of not only “personal information” but “highly restricted personal information” – which includes Social Security Numbers, photographs and medical information – a narrow reading of the exception was most prudent. Accordingly, “investigation in anticipation of litigation” was also read narrowly to be limited to background research in order to determine the necessity of a complaint.
The Court’s opinion in Maracich represented a strong endorsement for the general structure of privacy protecting statutes: blanket prohibitions on use of sensitive information, with narrow, targeted exceptions for permissible uses. When interpreting these statutes, the Court made clear that exceptions must be explicit and should not be read to the broadest extent allowed by the text, but rather should follow Congressional intent.
The Driver’s Privacy Protect Act of 1994, 18 U.S.C. §§ 2721-2725 was enacted to protect individuals from the harm caused by misuse and unauthorized disclosures of the personal information they provide to state agencies that maintain motor vehicle records. The DPPA protects Americans from both physical and financial harms. In addition, the DPPA provides important limits on the collection and use of personal information by data brokers.
In McDonough v. Anoka County, a plaintiff brought suit against the Minnesota Department of Public Safety, as well as numerous cities and counties, alleging violations of the Driver’s Privacy Protection Act (“DPPA”) and other laws. The plaintiff brought suit after she learned through a state DMV audit that her driver records had been accessed hundreds of times. The United States District Court of Minnesota dismissed some of McDonough’s DPPA claims after it concluded that they were barred by the statute of limitations.
Issue on Appeal
Whether Plaintiff’s Driver’s Privacy Protection Act claims against all Defendants should be barred by the statute of limitations under 28 U.S.C. § 1658(a), applying the rule that the claim accrues upon occurrence of the acts violating the Driver’s Privacy Protection Act rather than when Plaintiff discovered or in the exercise of reasonable diligence should have discovered those acts?
EPIC has an interest in maintaining strong privacy protections for driver records and other personally identifiable data held by state DMVs. The DPPA provides an important privacy right to all Americans, but the statute of limitations rule applied by the lower court in McDonough would limit the ability of many DPPA victims to seek redress in federal court. EPIC has previously filed “friend of the court” briefs in other DPPA cases, including Maracich v. Spears, 133 S. Ct. 2191 (2013), and Gordon v. Softech International Inc., 726 F. 3d 42 (2d Cir. 2013).
United States Court of Appeals for the Eighth Circuit
- Appellant Bass’s Statement of the Issues
- Appellant McDonough’s Opening Brief
- Brief of Amicus Curiae Electronic Privacy Information Center in Support of Appellant McDonough
- Brief of Amicus Curiae Electronic Privacy Information Center in Support of Appellant Mitchell
- Appellees’ Responses in Opposition to EPIC’s Motion to File Amicus Curiae Brief
- McDonough v. Anoka County et al.
- Mitchell v. Aitkin County et al.
- Memorandum Opinion (Aug. 20, 2015)