Widening the lane: an argument for broader interpretation of permissible uses under the Driver's Privacy Protection Act.

• Author: Berg, Candace D.

The Driver's Privacy Protection Act of 1994 (DPPA) was passed as part of an omnibus crime bill to protect the privacy of individuals from the violent stalking crimes that had been perpetrated through access to the automated records of state departments of motor vehicles. Congress generally prohibited the release of personal information contained in the records. However, Congress also recognized that the general prohibition needed to contain certain limits to allow for the legitimate needs of business and government to have access to the personal information. In order to accomplish this balance of interests, Congress included in the statute various permissible uses that accounted for a wide range of legitimate disclosures.

This Note argues that the recent judicial interpretations of the DPPA by the Supreme Court and the Seventh Circuit have improperly limited the scope of permissible uses. The imposition of reasonableness limitations on disclosure, and the judicial analysis of disclosure to determine the exclusive predominant purpose, were novel judicial interpretations of a longstanding and established statute. Courts' narrow interpretations of the permissible uses of the DPPA are contrary to the text of the statute and do not advance the statute's central goals. The courts' approaches are also likely to have significant practical effect contrary to general policy aims. Such changes are better considered by Congress than in the courts.

Part I of this Note details the origins of the DPPA and identifies the congressional intent underlying the text of the statute. Part II provides a brief history of the constitutional challenges to the DPPA and notes the past treatment of the statute's permissible uses in various circuits. Parts III and IV give a detailed account of two recent court cases that have imposed new limits on permissible uses of personal information. Part V argues against these interpretations and explores their likely practical implications. The argument highlights the plain language of the statute and its relationship with the Act's legislative history and purpose, while remarking on the implications of civil liability, the role of the rule of lenity, and the need to ensure proper notice of violations falling under the statute. The Note concludes that if new constraints are to be placed onto the scope of permissible uses under the DPPA, the limitations should arise from congressional action and should not be imposed through judicial usurpation of the lawmaking role.

1. THE DRIVER'S PRIVACY PROTECTION ACT OF 1994

   The Driver's Privacy Protection Act of (1994) regulates the disclosure of personal information found within the records of state departments of motor vehicle (DMV). (1) With a stated purpose "to protect the personal privacy and safety of licensed drivers consistent with the legitimate needs of business and government," (2) the Act is a general prohibition on knowingly disclosing, obtaining, and using personal information or highly restricted personal information from a motor vehicle record. (3) The Act's sponsors sought to respond to the violence connected to incidents of stalking in which the perpetrator obtained the victim's address through DMV records. (4) In one high-profile incident, television actress Rebecca Schaeffer was shot and killed outside of her apartment by a man who had obtained the address of her private residence by hiring a private investigator who purchased the information from the California DMV. (5) At the time of the Act's introduction to Congress, there were thirty-four states that allowed any member of the public to go to a DMV office and pay a fee to obtain the personal information of any individual. (6) Many of these states also allowed for the mass sale of personal information to direct marketers. (7) Throughout congressional debate over the bill, members of Congress highlighted the need for the Act by describing numerous incidents of violence that had been accomplished through the use of DMV records. (8) The focus of the bill could not have been summarized more clearly than when Representative Goss stated: "[T]he intent of [the] bill is simple and straightforward: We want to stop stalkers from obtaining the name[s] and address[es] of their prey before another tragedy occurs." (9)

   Although the Act protected the privacy of certain personal information, its sponsors stressed that it was "essential" for the government to "[b]alanc[e] the interests of public disclosure with an individual's right to privacy." (10) Congress was careful to account for the legitimate needs for the use and disclosure of the personal information in certain cases. Congress recognized several instances that could give rise to the necessity to disclose or use the protected personal information that would not give rise to the privacy concerns that were the target of the bill. The language of the Act takes these legitimate needs into account by statutorily recognizing several "permissible uses" that are not subject to the general prohibition on disclosure and use. (11) As the floor debate over the DPPA indicated, members of Congress saw the permissible uses as a means to "strike[] a critical balance between the legitimate governmental and business needs for this information, and the fundamental right of our people to privacy and safety." (12) The fourteen permissible uses allow for disclosure for use by government agencies, (13) for legitimate business reasons, (14) in connection with legal proceedings (including "service of process", (15) with express consent, (16) and for solicitation with consent. (17) The statute also permits uses concerning vehicle safety, (18) the operation of towing and toll roads, (19) insurance activities, (20) and private investigation. (21)

   In an effort to enforce the DPP A, Congress included two penalties that may be imposed upon violation of the Act and a civil cause of action for those whose information is wrongfully disclosed. Any "person who knowingly violates" the statute is subject to a criminal fine and any state DMV that is in "substantial noncompliance" with the statute is subject to a civil penalty of up to $5,000 per day. (22) Additionally, "[a] person who knowingly obtains, discloses or uses personal information, from a motor vehicle record, for a purpose not permitted ... shall be liable to the individual to whom the information pertains." (23) That individual may then bring a civil action in federal court to recover actual damages with a liquidated value not less than $2,500, punitive damages, reasonable attorneys' fees, and "such other preliminary and equitable relief' as found appropriate by the court. (24)

2. CONSTITUTIONAL CHALLENGES TO THE DPPA

   After becoming law in 1994, the Act gave rise to several constitutional challenges as to the validity of Congress's powers to impose such a measure upon the states. (25) Different states and private actors argued for the courts to overturn the Act under the Commerce Clause and the Tenth, Eleventh, and

   Fourteenth Amendments. (26) The matter was eventually settled when the Supreme Court held the Act constitutional in Reno v. Condon. (27) The Court held that the information regulated by the DPPA is an item of interstate commerce that is sold or released within the interstate stream and is "therefore a proper subject of congressional regulation." (28) Additionally, the Court held that the DPPA does not violate principles of federalism because the Act does not require the states to regulate in a specific manner, but rather regulates the states themselves as participants in the market for data information. (29) Until 2012, Reno v. Condon was the singular case in which the Supreme Court heard a controversy on an issue centrally involving the DPPA. (30)

   After the Court upheld the constitutionality of the DPPA, there were several instances of lower court litigation as to the scope and applicability of the permissible uses under the Act. The district and circuit courts have applied the fourteen named permissible uses in a traditionally broad manner, with an eye towards allowing the justifiable operation of legitimate business and other needs for the protected information. (31) The broad approach to judicial enforcement continued to be the norm for nearly a decade after the Supreme Court's consideration of the Act in Reno, and for almost twenty years after the passage of the Act, until two court cases unexpectedly and significantly changed the treatment of use and disclosure of personal information under the DPPA.

3. SENNE V. VILLAGE OF PALATINE, ILLINOIS: A REASONABLE DISCLOSURE LIMITATION

   On August 20, 2010, Jason Senne parked his vehicle on a public roadway in violation of the Village of Palatine's ordinance imposing an overnight parking ban. (32) During the night, a Palatine police officer cited the vehicle for violating the ordinance and placed the parking citation under a windshield wiper on the front of the vehicle. (33) The citation had been on the windshield, open to public access, for approximately five hours when Mr. Senne discovered it. (34) The ticket, which had been electronically printed on a form, included the date, time, parking offense, and officer information. The ticket also included the "make, model, color, year, license number and vehicle identification number" of Mr. Senne's vehicle, as well as personal data about Mr. Senne himself including his "full name, address, driver's license number, date of birth, sex, height and weight." (35) The information that had been automatically filled into the form was obtained from the automated motor vehicle records maintained by the Illinois Secretary of State. (36) The citation was also created in such a way so as to allow the ticket to act as an envelope for the recipient to mail the fine to the Village. The personal information that had been included on the citation would be viewable on the outside of the envelope if the payment was mailed. The...