Summary
holding that the DPPA precludes a § 1983 action because the inability to sue state officials in their official capacity under the DPPA is “significant, especially in light of the statute's overall comprehensive remedial scheme.”
Summary of this case from Rollins v. City of Albert LeaOpinion
Civil No. 13-185 (JNE/TNL) C/w: Civil No. 13-389 (JNE/TNL) C/w: Civil No. 13-208 (JNE/TNL) C/w: Civil No. 13-358 (JNE/TNL) C/w: Civil No. 13-286 (JNE/TNL)
09-20-2013
Lorenz F. Fett, Jr., Susan M. Holden, and Daniel E. Gustafson appeared for Plaintiffs. Oliver J. Larson appeared for Defendants Tom Landwehr, Ramona Dohman, Mark Holsten, Michael Campion, Rodmen Smith, James Konrad, Keith Parker, Robert Maki, Steve Lime, Charlie Regnier, Stan Gruska, and Sheila Deyo.
ORDER Lorenz F. Fett, Jr., Susan M. Holden, and Daniel E. Gustafson appeared for Plaintiffs. Oliver J. Larson appeared for Defendants Tom Landwehr, Ramona Dohman, Mark Holsten, Michael Campion, Rodmen Smith, James Konrad, Keith Parker, Robert Maki, Steve Lime, Charlie Regnier, Stan Gruska, and Sheila Deyo.
Plaintiffs in these consolidated putative class actions are Minnesota residents who provided private data about themselves to the Minnesota Department of Public Safety ("DPS") in order to obtain and use a state driver's license. Plaintiffs' claims in these actions primarily stem from the conduct of a former Minnesota Department of Natural Resources ("DNR") employee, John Hunt, who engaged in unauthorized viewing of private data from their motor vehicle records. The consolidated amended complaint alleges violations of the Drivers' Privacy Protection Act ("DPPA"), 18 U.S.C. § 2721 et seq., and Plaintiffs' constitutional right to privacy by Hunt and various employees of the DPS and DNR, in their individual capacities. The complaint also names the commissioners of the DPS and DNR as defendants in their official capacities for purposes of seeking prospective relief. The Defendants other than Hunt ("State Defendants") filed the present motion pursuant to Federal Rule of Civil Procedure 12(b)(6), seeking to dismiss the complaint against them for failure to state a claim upon which relief can be granted. For the reasons stated below, the State Defendants' motion to dismiss is granted.
Plaintiffs initially filed five separate class action complaints and received the following case numbers: 13-cv-185, 13-cv-208, 13-cv-286, 13-cv-358, and 13-cv-389. The Magistrate Judge's June 17, 2013 Order consolidated the actions and designated 13-cv-185 as the master docket. Plaintiffs filed a consolidated, amended complaint on June 21, 2013. (Dkt. 51.) This opinion addresses the claims of that complaint.
BACKGROUND
According to the complaint, defendant John Hunt ("Defendant Hunt") accessed private motor vehicle record data of more than five thousand individuals, approximately nineteen thousand times, without any legitimate reason to do so. Defendant Hunt's accesses occurred while he was a DNR employee and over a five-year period. The DNR terminated Defendant Hunt's employment sometime prior to January 14, 2013.
On or around that date, the DNR sent Plaintiffs a letter regarding Defendant Hunt's conduct. The complaint includes a sample letter as an exhibit. The letter notifies its recipients that "a DNR employee engaged in unauthorized viewing of private data from your driving and/or motor vehicle records." The letter confirms that the DNR no longer employs the employee. It explains that the records viewed "contain information such as your full name, date of birth, driver's license number, address, license status, and license photo."
The complaint does not allege that any of the Defendants other than Defendant Hunt personally viewed or used private data from Plaintiffs' records for an improper purpose. Rather, the complaint seeks to hold the State Defendants liable for Defendant Hunt's acts of improper viewing of information about them. The general thrust of the allegations against the State Defendants is that they failed to implement systems or procedures to adequately protect Plaintiffs' data, despite knowing of system-wide and rampant abuse by employees like Defendant Hunt. In elaborating on its claim of widespread misuse, the complaint alleges that the Minnesota Legislative Auditor has revealed that at least 50% of law enforcement officers are misusing motor vehicle records information.
The complaint categorizes the State Defendants as DNR Supervisors, DNR Does, Defendant Commissioners, and DPS Does. It identifies the DNR Supervisors and their titles as follows:
• Keith Parker, Regional Director of the Central Region for the DNRThe complaint identifies the Defendant Commissioners as follows:
• Robert Maki, Chief Information Officer of the DNR
• Steve Lime, Data and Applications Manager of the DNR
• Charlie Regnier, Computer Hardware and Software Procurement Manager of the DNR
• Stan Gruska, Network Services Manager of the DNR
• Sheila Deyo, Data Practices Compliance Commissioner of the DNR
• DNR Does, officers, supervisors, employees, staff, independent contractors, or agents of the DNR
• Tom Landwehr, Commissioner of the DNRThe complaint describes the DPS Does as those "who created, installed, monitored, regulated, coded, enforced, supervised, maintained, oversaw, updated, or otherwise worked on the Department of Vehicle Services' ('DVS') database or Bureau of Criminal Apprehension ('BCA') database, each of which contained Plaintiffs' and class members' private driver's license information (collectively or individually, 'DPS Databases')."
• Mark Holsten, former Commissioner of the DNR
• Ramona Dohman, Commissioner of the DPS
• Michael Campion, former Commissioner of the DPS
The complaint lists five counts. Count I claims violations of the DPPA against all Defendants in their individual capacities. Count II asserts DPPA violations against Defendant Hunt only. Count III asserts violations under 42 U.S.C. § 1983 against the DNR personnel—"DNR Supervisors, DNR Commissioners and DNR Does"—in their individual capacities. Count IV alleges violations under 42 U.S.C. § 1983 against the "DPS Commissioners and DPS Does" in their individual capacities. Finally, Count V alleges a violation under 42 U.S.C. § 1983 by current DNR Commissioner Landwehr and DPS Commissioner Dohman in their official capacities and seeks prospective, injunctive relief. The § 1983 claims allege violations of both statutory and constitutional rights of the Plaintiffs. The State Defendants' motion does not apply to Count II, since the complaint limits that count to Defendant Hunt. The motion seeks to dismiss the remaining counts as to the State Defendants and John and Jane Does.
Because the complaint does not distinguish its claims against the Doe defendants or set out facts unique to them, this order applies to the Doe defendants as well as the named State Defendants.
DISCUSSION
A defendant may seek to dismiss a complaint for failure to state a claim on which relief can be granted. Fed. R. Civ. P. 12(b)(6). Federal Rule of Civil Procedure 8(a)(2) requires a complaint to contain "a short and plain statement of the claim showing that the pleader is entitled to relief." Although a pleading need not contain detailed factual allegations, "[a] pleading that offers 'labels and conclusions' or 'a formulaic recitation of the elements of a cause of action will not do.'" Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007)).
"To survive a motion to dismiss, a complaint must contain sufficient factual matter, accepted as true, to 'state a claim to relief that is plausible on its face.'" Id. (quoting Twombly, 550 U.S. at 570). Thus, the complaint must do more than merely leave "open the possibility that a plaintiff might later establish some set of undisclosed facts to support recovery." Twombly, 550 U.S. at 561 (internal quotation marks omitted). It must plead "factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Iqbal, 556 U.S. at 678.
In ruling on a motion to dismiss for failure to state a claim under Rule 12(b)(6), a court accepts the facts alleged in the complaint as true. Crooks v. Lynch, 557 F.3d 846, 848 (8th Cir. 2009). "This tenet does not apply, however, to legal conclusions or formulaic recitation of the elements of a cause of action; such allegations may properly be set aside." Braden v. Wal-Mart Stores, Inc., 588 F.3d 585, 594 (8th Cir. 2009) (internal quotation marks omitted). Nonetheless, all "reasonable inferences supported by the facts alleged" must be granted in favor of the plaintiff. Id. at 595.
I. Alleged Violations of the DPPA by the State Defendants (Count I)
A. Background and Framework of the DPPA
The DPPA generally restricts state departments of motor vehicles ("DMVs"), other organizations, and individuals from disclosing personal information contained in motor vehicle records except as allowed for under the statute. See 18 U.S.C. §§ 2721-2725. Congress enacted the DPPA as part of the Violent Crime Control and Law Enforcement Act of 1994. See Pub. L. No. 103-322, tit. XXX. Concern about use of personal information—then readily accessible from state DMVs—for criminal or threatening conduct provided the impetus for the DPPA. See Gordon v. Softech Int'l, Inc., No. 12-661, 2013 WL 3939442, *1 (2d Cir. July 31, 2013) (citing congressional record); Senne v. Vill. of Palatine, Ill., 695 F.3d 597, 607 (7th Cir. 2012) (same). The highly-publicized murder of actress Rebecca Schaeffer by a stalker who obtained her unlisted address from the California DMV has often been noted as a specific example of the basis for that concern. See, e.g., Gordon, 2013 WL 3939442, at *1; Senne, 695 F.3d at 607; Downing v. Globe Direct LLC, 682 F.3d 18, 26 n.9 (1st Cir. 2012).
The DPPA protects "personal information," defined as "information that identifies an individual," and includes a person's photograph, social security number, driver identification number, name, address, telephone number, and medical or disability information. 18 U.S.C. § 2725(3). The first section of the DPPA starts with a general provision specifying that a state DMV or any "officer, employee, or contractor thereof shall not knowingly disclose or otherwise make available to any person or entity" personal information "about any individual obtained by the department in connection with a motor vehicle record" except as allowed for under 18 U.S.C. § 2721(b). Id. § 2721(a)(1).
The exception provision, 18 U.S.C. § 2721(b), enumerates multiple permissible uses of personal information for various governmental and business purposes. Some of the items listed in the exception provision specify a user and/or certain conditions that make a use permissible. See id. § 2721(b). The next provision confirms that an "authorized recipient" also "may resell or redisclose the information only for a use permitted" under 18 U.S.C. § 2721(b) with further limitations. See id. § 2721(c).
In addition to the restriction of 18 U.S.C. § 2721(a) on state DMVs, the DPPA makes it "unlawful for any person knowingly to obtain or disclose personal information, from a motor vehicle record, for any use not permitted" under 18 U.S.C. § 2721(b). Id. § 2722(a). Under the DPPA a "person means an individual, organization or entity, but does not include a State or agency thereof." Id. § 2725(2). The statute provides for criminal fines against a "person who knowingly violates" it. Id. § 2723(a). It also provides for a civil action as follows:
A person who knowingly obtains, discloses or uses personal information, from a motor vehicle record, for a purpose not permitted under this chapter shall be liable to the individual to whom the information pertains, who may bring a civil action in a United States district court.Id. § 2724(a). For remedies in such an action, a court may award "actual damages, but not less than liquidated damages in the amount of $ 2,500;" punitive damages for "willful or reckless disregard of the law;" attorneys' fees and litigation costs; and appropriate preliminary and equitable relief. Id. § 2724(b).
The criminal penalty and civil action provisions only apply to a "person," from which the statute explicitly excludes states and state agencies. But the DPPA includes a provision directed at "[v]iolations by State department of motor vehicles." Id. § 2723(b). It provides that any state DMV "that has a policy or practice of substantial noncompliance with this chapter shall be subject to a civil penalty imposed by the Attorney General of not more than $ 5,000 a day for each day of substantial noncompliance." Id.
B. Complaint's Claim of DPPA Violations by the State Defendants
The complaint asserts DPPA violations against the State Defendants in their individual capacities. The State Defendants seek dismissal of Plaintiffs' DPPA claim against them on the ground that the complaint does not allege any act by any State Defendant that falls within the scope of 18 U.S.C. § 2724(a). In particular, the State Defendants argue that the complaint does not allege, as required under 18 U.S.C. § 2724(a), that any State Defendant knowingly "obtain[ed], disclose[d], or use[d]" any of their personal information "for a purpose not permitted" by the DPPA. In response, Plaintiffs contend that the complaint alleges that the State Defendants "made an individual, affirmative, and knowing disclosure of personal information in violation of the DPPA by granting Hunt access to the DVS database without proper safeguards to ensure that Hunt's access was for a permissible purpose." (Pl. Opp. Br. (Dkt. 61) at 12 (emphasis added).) Thus, according to Plaintiffs, granting database access to Defendant Hunt constitutes the liability-inducing act of the State Defendants.
As an initial matter, the complaint does not allege that each of the State Defendants affirmatively granted Defendant Hunt access to the DPS Databases. The complaint only arguably makes that assertion as to DPS Commissioners Campion and Dohman, DNR Commissioner Landwehr, and unnamed DPS Does. (See Compl. ¶¶ 80, 137-138.) Nonetheless, even if the complaint could be read as alleging that each State Defendant personally gave Hunt unfettered access to the DPS Databases, such an allegation fails to state a claim cognizable under the DPPA.
1. The complaint fails to state a DPPA claim against the State Defendants
Plaintiffs' contention that the State Defendants' culpable act was granting Hunt database access fails to state a claim for relief under the DPPA for a straight-forward reason: the complaint alleges no facts that make it plausible that the defendants "knowingly" gave defendant Hunt database access "for a purpose not permitted" by the DPPA. At no point does the complaint allege that Defendant Hunt should not have received access to the DPS Databases for purposes of his legitimate job duties as a DNR employee. The list of permissible uses of personal information under the DPPA covers the operations of the DNR. See 18 U.S.C. § 2721(b)(1) ("For use by any government agency, including any court or law enforcement agency, in carrying out its functions, or any private person or entity acting on behalf of a Federal, State, or local agency in carrying out its functions.").
For purposes of this motion, the parties do not dispute whether Defendant Hunt's actions amount to violations of the DPPA. The question of whether the complaint states a violation of the DPPA by Defendant Hunt is not presently before the Court. This Order expresses no opinion on that issue, but assumes for purposes of the motion, that Defendant Hunt's conduct with regard to Plaintiffs' personal information violated the DPPA.
The complaint acknowledges that at all material times, Defendant Hunt was an employee of the DNR. It alleges that he was the administrative manager of the DNR's enforcement division, was among those in charge of open records and data training at the DNR, and handled public requests for records as a data compliance officer at the DNR. These alleged facts imply that the State Defendants gave Defendant Hunt access to the DPS Databases for purposes of performing his job at the DNR. The complaint does not contend otherwise. Under these circumstances, Plaintiffs' complaint fails to state a claim for a DPPA violation by any of the State Defendants.
Moreover, Plaintiffs' brief refers to Defendant Hunt as an "authorized user" of the DPS Databases. (Pl. Opp. Br. (Dkt. 61) at 16.)
2. Plaintiffs' arguments do not rescue the complaint
Plaintiffs attempt to avoid the problem with their position by advocating two theories, neither of which is availing. First, Plaintiffs contend that 18 U.S.C. § 2724(a) should be read to require only that a defendant knowingly disclose personal information, such that liability may arise whether or not the defendant knew that the recipient had an impermissible purpose for the information. Thus, under Plaintiffs' view, a cause of action could be stated against the State Defendants if they knowingly gave Defendant Hunt database access that he intended to abuse, whether or not the State Defendants knew of his intent. Second, Plaintiffs contend that 18 U.S.C. § 2724(a) provides for a cause of action if the State Defendants gave an employee database access for legitimate purposes, but without adequate monitoring and control of the employee's use of the access.
i. Section 2724(a) requires a proscribed act with knowledge of a purpose that is impermissible
In support of their position that the DPPA's civil action provision has a narrow knowledge requirement, Plaintiffs rely on Pichler v. UNITE, 228 F.R.D. 230, 241-42 (E.D. Pa. 2005), for the proposition that in the text of 18 U.S.C. § 2724(a), the word "knowingly" modifies "obtains, discloses or uses personal information," but not the phrase "for a purpose not permitted under this chapter." Thus, Plaintiffs contend that the State "Defendants need not know that their disclosure was for an improper purpose, only that they knowingly disclosed the personal information." (Pl. Opp. Br. (Dkt. 61) at 15.) The plain language of the statute does not support such an interpretation.
Under a plain reading of 18 U.S.C. § 2724(a), to be liable a defendant must obtain, disclose, or use personal information, knowing that it is for a purpose other than one of the permissible purposes. As a grammatical matter, the main sentence of the provision is "[a] person who knowingly obtains, discloses or uses personal information ... for a purpose not permitted under this chapter shall be liable to an individual to whom the information pertains." See 18 U.S.C. § 2724(a). The sentence includes a parenthetical phrase in the middle, offset by commas, which requires that the personal information be "from a motor vehicle record." The sentence ends with another qualifying phrase, offset by a comma, about the individual to whom the information pertains: "who may bring a civil action in a United States district court."
Thus, the sentence structure of the provision allows for no separation of the type that Plaintiffs seek between the person who performs the act of obtaining, disclosing, or using and the one who has the impermissible purpose. Under the plain language of the statute, the person who obtains, discloses, or uses the information must do so for an impermissible purpose. If the person discloses the information for a permissible purpose, the plain language of the provision does not make the person liable for a subsequent misuse by the recipient.
Other courts considering liability under 18 U.S.C. § 2724(a) for state DMV officials have reached conclusions that accord with this reading of the provision. In Roth v. Guzman, 650 F.3d 603, 607-609 (6th Cir. 2011), the plaintiffs had sued Ohio officials for providing the plaintiffs' personal information in bulk to a company called Shadowsoft, Inc., which sold the information to another entity that placed the information on its public website, presumably in undisputed violation of the DPPA. The Sixth Circuit found that because the officials had disclosed the data to Shadowsoft for an explicitly permissible purpose—for use in the "normal course of business" as allowed for by 18 U.S.C. § 2721(b)(3)—they could not be liable under the DPPA for the subsequent misuse by a downstream party. See id. at 611-12.
A case that Plaintiffs rely on, Welch v. Theodorides-Bustle, 677 F. Supp. 2d 1283 (N.D. Fla. 2010), involved facts similar to Roth's, but with a material difference that makes its outcome consistent with Roth. In Welch, Florida officials had also sold data to Shadowsoft that subsequently became publicly available on another company's site. 677 F. Supp. 2d at 1286. The complaint, however, alleged that the sale to Shadowsoft was for an impermissible purpose and the contracts before the court did "not specify a proper purpose for the disclosures to Shadowsoft." Id. at 1286. Consequently, the court denied the officials' motion to dismiss the DPPA claim against them. Id. at 1284, 1286-87. The stated purpose for the disclosure in Welch materially distinguishes the case from Roth, in which the Sixth Circuit found that the contract between the state representatives and Shadowsoft included "express written representations that the disclosures were 'for use in the normal course of business'—as permitted by § 2721(b)(3)." Roth, 650 F.3d at 610.
Similarly, in Collier v. Dickinson, 477 F.3d 1306, 1309-10 (11th Cir. 2007), the Eleventh Circuit found that a complaint stated a DPPA claim against Florida officials when it alleged that they had sold the plaintiffs' motor vehicle information to mass marketers without the plaintiffs' consent. The potential permissible uses under the DPPA that might have applied, such as for mass marketing, required the plaintiffs' consent. See, e.g., 18 U.S.C. § 2721(b)(12) ("For bulk distribution for surveys, marketing or solicitations if the State has obtained the express consent of the person to whom such personal information pertains."); Collier, 477 F.3d at 1309 (listing 18 U.S.C. § 2721(b)(11)-(13)). Thus, the complaint stated a DPPA violation by the named officials only because they themselves had disclosed the personal information for no permissible purpose.
Although not involving a claim against state officials, even the Pichler case does not counsel that a disclosure without knowledge of the recipient's improper purpose makes the discloser liable under 18 U.S.C. § 2724(a). In Pichler, two labor unions had allegedly obtained names and addresses from motor vehicle records of the plaintiffs using license plate numbers from cars in the parking lot of the company whose employees they were trying to organize. 228 F.R.D. at 234. Some of the employees, whose data was used to contact them, filed suit alleging that the unions had violated the DPPA. Id. at 238-40.
The defendant unions argued that the plaintiffs had to show that the unions "(1) knowingly obtained, disclosed, or used personal information; (2) knew that the information was from motor vehicle records; and (3) knew that the purpose for which the information was obtained, disclosed, or used was impermissible." Id. at 241. The parties disputed the third requirement, with the plaintiffs arguing that they did not need to show that the unions "knew that it was illegal to obtain, disclose, or use the information." Id. The court analyzed the structure of the statutory provision and concluded that the term "knowingly" does not modify the clause "for a purpose not permitted" in the provision and so the unions could be liable, even if they did not know that their intended use was impermissible. Id. at 241-42.
On appeal the Third Circuit agreed with the district court's analysis of the "knowingly" issue. Pichler v. UNITE, 542 F.3d 380, 396-97 (3d Cir. 2008). Both the facts at issue and the Third Circuit's opinion, however, show that the real question before the court was whether ignorance of the law could be a defense. The Third Circuit characterized the labor unions' argument as claiming "that civil liability requires a defendant knowingly obtain or disclose personal information for a use the defendant knows is impermissible." Pichler, 542 F.3d at 396 (emphasis in original). In other words, the defendants in Pichler emphasized their lack of knowledge of the impermissibility of their purpose and were not suggesting that they lacked knowledge of the purpose itself for their obtaining of the data.
Obviously, the Pichler defendants knew of their own purpose for obtaining the data. So the question before the courts was limited to whether the defendants' lack of knowledge of the impermissibility of their undeniably-known purpose precluded liability under the DPPA. The determination in Pichler thus does not bear on the question here—whether a state official who provides access to motor vehicle records to an employee for purposes of conducting government functions may be liable, under 18 U.S.C. § 2724, for subsequent misuses by the employee.
ii. Section 2724 is not a mechanism to improve policies and procedures by state officials in the absence of a direct violation by them
Plaintiffs alternatively pursue a theory that 18 U.S.C. § 2724(a) allows for a cause of action if the State Defendants gave Defendant Hunt access for a proper purpose, but without implementing adequate monitoring and controls to ensure that he only used his access for the permissible purpose. But the plain language of the provision does not create liability under those circumstances. The provision requires an affirmative act of disclosure for an impermissible purpose. Thus, to state a claim based on the act of giving Defendant Hunt database access, the complaint would need to allege that the State Defendants gave him database access for purposes of his intended misuse. The complaint does not make such an allegation.
Plaintiffs, nonetheless, seek to avoid dismissal by requesting a deviation from the plain language of 18 U.S.C. § 2724(a). They point to the Second Circuit's opinion in Gordon v. Softech International, Inc., No. 12-661, 2013 WL 3939442 (2d Cir. July 31, 2013), as a basis for doing so. The court in Gordon held that "resellers are subject to a duty of reasonable care before disclosing DPPA-protected personal information." 2013 WL 3939442, at *12. Plaintiffs seek an analogous finding for the State Defendants and an allowance for the complaint to go forward on the grounds that the State Defendants gave Defendant Hunt database access without reasonable care.
Whatever the correctness of the Gordon holding as to resellers, it does not determine the outcome in this case. The Second Circuit explicitly limited the holding in Gordon to resellers—private intermediaries who sell data obtained from state DMVs—and noted that the court had not conducted an analysis to make its determinations more generally applicable. Id. at n.14 ("Notwithstanding the similarities among upstream sources of DPPA-protected personal information, as this case does not require us to consider the effect on state DMVs, we limit our holding to private resellers under the statute.").
More importantly, while the alleged scale of private data misuse by law enforcement personnel may well raise legitimate concerns, the structure of the DPPA signals that Congress did not intend the civil action provision to serve as the means to remedy systemic problems of the type to which the complaint alludes. The Act excludes "a State or agency thereof" from the definition of "person" and makes the civil remedy of 18 U.S.C. § 2724(a) available only against a "person" who violates the Act. The Act provides for the United States Attorney General to take action against and impose sanctions on state DMVs that have "a policy or practice of substantial noncompliance" with the DPPA. 18 U.S.C. § 2723(b). This provision for sanctions by the Attorney General indicates that Congress intended to address the concern that Plaintiffs attempt to raise here—of inadequate policies and practices at state DMVs to protect the privacy of drivers' personal information—via that mechanism.
A comparison of the language of the DPPA's civil action provision to that of a civil damages provision from the Internal Revenue Code is also indicative of congressional intent about the knowledge requirement for the DPPA provision. That provision of the Internal Revenue Code explicitly allows for a civil action for knowing or negligent disclosures of confidential information. See 26 U.S.C. § 7431(a). In particular, it allows for a civil action for damages by a taxpayer, when a specified individual "knowingly, or by reason of negligence, inspects or discloses any return or return information" about the taxpayer in violation of the applicable provisions. Id. (emphasis added).
In contrast, the plain language of the civil action provision of the DPPA limits its applicability to a person who knowingly obtained, disclosed, or used personal information for an impermissible purpose. Thus any individual law enforcement officer who knowingly obtains, discloses, or uses protected information for an impermissible purpose may be liable under 18 U.S.C. § 2724. But the provision may not be stretched to the point of rewriting it so it reaches others at a state agency who gave the officer database access for a legitimate purpose, merely because they did so in a negligent manner.
Federal courts, unlike state courts, are courts of limited, rather than general, jurisdiction. Federal jurisdiction depends upon an identifiable grant of authority. Absent a proper grant of authority, a wrong—even a grievous one—must be pursued in state courts. Congress created a circumscribed private right of action through the DPPA. Even if the State Defendants' conduct as alleged in the complaint is encompassed by the DPPA, it is not encompassed by the Act's provision of a private right of action. II. Alleged Violations Under 42 U.S.C. § 1983 by the State Defendants (Counts III, IV, V)
A. Claims Under 42 U.S.C. § 1983 Generally
To state a claim under § 1983, a plaintiff must allege deprivation of a right secured by the Constitution and laws of the United States and must show that the deprivation was committed by a person acting under color of state law. West v. Atkins, 487 U.S. 42, 48 (1988). In relevant part, 42 U.S.C. § 1983 provides:
Every person who, under color of any statute, ordinance, regulation, custom, or usage, of any State or Territory or the District of Columbia, subjects, or causes to be subjected, any citizen of the United States or other person within the jurisdiction thereof to the deprivation of any rights, privileges, or immunities secured by the Constitution and laws, shall be liable to the party injured in an action at law, suit in equity, or other proper proceeding for redress....Section 1983 does not itself create any substantive rights, "but merely provides a method for vindicating federal rights elsewhere conferred." Albright v. Oliver, 510 U.S. 266, 271 (1994) (internal quotation marks omitted). While the primary focus of § 1983 and related provisions was to ensure a right of action to enforce the protections of the Fourteenth Amendment and federal laws enacted pursuant to it, the section has been broadly construed to provide a remedy against official violation of federally protected rights. Dennis v. Higgins, 498 U.S. 439, 444-45 (1991). Thus, it is well settled that § 1983 covers violations of statutory rights as well as constitutional rights. See Maine v. Thiboutot, 448 U.S. 1, 6-8 (1980).
B. Complaint's Claim Under Section 1983 for Violations of Statutory Rights
The complaint refers to violations of statutory rights created by the DPPA. The State Defendants seek dismissal of the § 1983 claims for violation of statutory rights on the ground that the DPPA precludes a § 1983 remedy. A determination of the availability of a cause of action under § 1983 involves a two-step process. Golden State Transit Corp. v. City of Los Angeles, 493 U.S. 103, 106 (1989).
The complaint also refers to violation of Plaintiffs' rights created by the laws of the State of Minnesota. (Compl. ¶¶ 56, 107.) A § 1983 action is clearly unavailable for enforcement of any state laws. See Thiboutot, 448 U.S. at 4-8 (discussing availability of § 1983 for federal statutory and constitutional laws).
First, the plaintiff must successfully assert that a federal statute creates an individual right. See id. In other words, to seek redress for deprivation of a statutory right through § 1983, a plaintiff must assert "violation of a federal right, not merely violation of federal law." Blessing v. Freestone, 520 U.S. 329, 340 (1997). Moreover, the question is not whether a statutory scheme in general creates enforceable rights, but whether particular provisions create specifically articulable rights. See id. at 341-43 (finding it "incumbent upon the [requesters] to identify with particularity the rights they claimed").
To determine whether a particular statutory provision creates a federal right, courts consider three factors: (1) Congress must have intended the provision at issue to benefit the plaintiff; (2) the plaintiff must demonstrate that the asserted right is not so vague and amorphous that its enforcement would strain judicial competence; and (3) the statute must unambiguously impose a binding obligation on the states. Id. at 340-41; Ctr. for Special Needs Trust Admin., Inc. v. Olson, 676 F.3d 688, 699-700 (8th Cir. 2012) (referring to and applying the three part "Blessing test").
Second, even if a plaintiff demonstrates that a federal statute creates an individual right, only a rebuttable presumption is created that the right is enforceable via § 1983. Blessing, 520 at 341; Golden State, 493 U.S. at 106-107. Because congressional intent is key, dismissal of the § 1983 claim is proper if Congress specifically foreclosed a remedy under § 1983. Blessing, 520 at 341. Congress may foreclose such a remedy explicitly in the statute or implicitly, "by creating a comprehensive enforcement scheme that is incompatible with individual enforcement under § 1983." Id. The defendant bears the burden of showing that Congress foreclosed a § 1983 remedy. Golden State, 493 U.S. at 107.
1. Does the complaint allege deprivation of a right created by the DPPA?
Plaintiffs' complaint alleges that the "DPPA creates an individual right to privacy in a person's driver's license information" and prohibits "unauthorized accessing of" such information. (Compl. ¶ 108.) Although they do not do so explicitly, Plaintiffs seem to take the position that, at a minimum, the proscriptions of 18 U.S.C. §§ 2721(a) and 2722(a) create a federally protected right. Plaintiffs rely on the determination of the court in Collier v. Dickinson, 477 F.3d 1306, 1310-11 (11th Cir. 2007), that the DPPA creates a federally protected right. (Pl. Opp. Br. (Dkt. 61) at 38-40.)
In Collier, the Eleventh Circuit broadly concluded that the DPPA is enforceable under § 1983. 477 F.3d at 1310 ("We have no hesitancy in finding that the plain language of the DPPA clearly satisfies all three conditions to make it enforceable under Section 1983."). The opinion generally referred to the "enforcement provisions," finding that they "unambiguously focus on benefiting individuals." Id. at 1310. Similarly, it found the DPPA's "protections" not so "vague and amorphous" that their enforcement would strain judicial competence. Id. But the court specifically only discussed the provisions relevant to the case before it. See id. at 1310-11 (citing the civil action provision of 18 U.S.C. § 2724(a) and the exception subsections of 18 U.S.C. § 2721(b)(11)-(13)). Consequently, it is unclear how far the determination in Collier of the first part of the inquiry into availability of a § 1983 remedy extends. For example, it is unlikely that the court intended to include the enforcement provision of 18 U.S.C. § 2723(b) that provides for penalties against state DMVs that have "a policy or practice of substantial noncompliance."
The other cases cited by the parties on the subject of enforcement of DPPA rights under § 1983 do not discuss the first prong in detail. See Kraege v. Busalacchi, 687 F. Supp. 2d 834, 839-40 (W.D. Wis. 2009) (focusing on and finding that the private remedies under the DPPA are narrower than those available in a § 1983 action without discussing the issue of whether the statute creates a federal right); Arrington v. Richardson, 660 F. Supp. 2d 1024, 1031-32 (N.D. Iowa 2009) (stating that the "[d]efendants do not contest, based on these three factors, that the DPPA creates a [sic] an individual right to privacy" and citing to Collier to conclude that "therefore, the court finds that the DPPA asserts a federal right"); Roberts v. Source for Pub. Data, 606 F. Supp. 2d 1042, 1045-46 (W.D. Mo. 2008) (analyzing only whether the remedial scheme of the DPPA indicates an intent to preclude a § 1983 claim, where the defendant had argued it was dispositive).
For purposes of this motion, the Court assumes, but does not decide, that the DPPA creates a federally protected right. Neither does the Court decide the contours of such a right. Nonetheless, the Court finds that the DPPA precludes a § 1983 action for enforceability of any such right, based on the second prong of the applicable inquiry.
2. The DPPA reflects congressional intent to preclude a § 1983 remedy
Congress foreclosed a § 1983 remedy for violations of any rights created by the DPPA because the DPPA explicitly provides for a comparatively restrictive private cause of action as part of a comprehensive enforcement scheme. To determine whether a statute precludes the enforcement of a federal right under § 1983, the nature and extent of the statute's remedial scheme must be considered. Fitzgerald v. Barnstable Sch. Comm., 555 U.S. 246, 253 (2009). Congressional intent to preclude a § 1983 remedy may be inferred from "a comprehensive enforcement scheme that is incompatible with individual enforcement under § 1983." Id. at 252 (quoting City of Rancho Palos Verdes v. Abrams, 544 U.S. 113, 120 (2005)).
Moreover, the inclusion of "an express, private means of redress in the statute itself is ordinarily an indication that Congress did not intend to leave open a more expansive remedy under § 1983." Rancho Palos Verdes, 544 U.S. at 121. Thus, when the Supreme Court has found that a statute does not preclude a § 1983 remedy, the statute at issue generally has not included an explicit private right of action. See, e.g., Fitzgerald, 555 U.S. at 256; see also Rancho Palos Verdes, 544 U.S. at 121 ("Moreover, in all of the cases in which we have held that § 1983 is available for violation of a federal statute, we have emphasized that the statute at issue, in contrast to those in [two cases finding unavailability] did not provide a private judicial remedy (or, in most of the cases, even a private administrative remedy) for the rights violated." (emphasis in original)).
The Supreme Court has, however, made clear that even when a statute explicitly provides for a private cause of action, it may also allow for a § 1983 claim by signaling that the statute's remedy is merely intended to complement rather than supplant § 1983. Rancho Palos Verdes, 544 U.S. at 122 (declining to find that "availability of a private judicial remedy is not merely indicative of, but conclusively establishes, a congressional intent to preclude § 1983 relief"). The Court identified "the existence of a more restrictive private remedy for statutory violations" as the "dividing line" between cases in which an action under § 1983 would lie and ones in which it would not. Id. at 121. A more restrictive private statutory remedy compared to the § 1983 remedy signals congressional intent to preclude a § 1983 cause of action. See id.
The DPPA provides, overall, for a comprehensive enforcement scheme. The DPPA's remedial mechanisms are comparable to those that the Supreme Court flagged as evidence of the comprehensive remedial schemes of the statutes at issue in Middlesex County Sewerage Authority v. National Sea Clammers Association, 453 U.S. 1, 13-14 (1981). In discussing the Federal Water Pollution Control Act ("FWPCA"), the Court in Sea Clammers noted that the FWPCA included provisions for (1) the EPA Administrator to respond to violations with compliance orders and civil suits; (2) the Administrator to seek a civil penalty up to $ 10,000 per day; (3) criminal penalties; (4) conditions that states desiring to administer their own permit programs had to meet; (5) judicial review of appeals of certain actions of the Administrator by any "interested person"; and (6) express authority for a private right of action to sue for an injunction enforcing the statute. Id. The Court found that the second statute at issue, the Marine Protection, Research, and Sanctuaries Act, had analogous provisions. Id. at 14.
The DPPA scheme provides for the same general types of remedies as the FWPCA in Sea Clammers. Analogous to the penalties that the EPA Administrator could seek, the Attorney General can impose a fine of up to $ 5,000 a day on a state DMV for substantial noncompliance with the DPPA. See 18 U.S.C. § 2723(b). As with the FWPCA, criminal penalties are available under the DPPA. See id. § 2723(a). The FWPCA provided for a private action for injunctive relief, while the DPPA allows for "equitable relief" as one of the remedies available in a private action. See id. § 2724(b). Additionally, the DPPA also provides a private right of action for damages, which the FWPCA in Sea Clammers did not. Id. This range of remedies available under the DPPA supports a finding that the DPPA does not leave open the door for a § 1983 action. See Roberts, 606 F. Supp. 2d at 1046. But see Collier, 477 F.3d at 1311.
The express provision for a private cause of action in the DPPA's remedial scheme carries significant weight in the analysis. See Rancho Palos Verdes, 544 U.S. at 121. A consideration of the DPPA's explicit private remedy under 18 U.S.C. § 2724 confirms that enforcement under § 1983 would be inconsistent with it. The DPPA's civil action provision allows for actual damages, punitive damages, attorneys' fees, litigation costs, and equitable relief. 18 U.S.C. § 2724(b). All these remedies are also potentially available for a § 1983 claim. See Arrington, 660 F. Supp. 2d at 1032-33 (citing authority for each of the categories of relief available in a § 1983 action). But a § 1983 action also allows for prospective, injunctive relief against a state actor in his or her official capacity. See Will v. Michigan Dept. of State Police, 491 U.S. 58, 71 n.10 (1989) (noting that "[o]f course a state official in his or her official capacity, when sued for injunctive relief, would be a [suable] person under § 1983"). The DPPA, however, excludes states and state agencies from the category of persons who can be sued in a private action. Consequently, it precludes an action against a state official in his or her official capacity for damages or injunctive relief. See id. at 71 (finding that "a suit against a state official in his or her official capacity is not a suit against the official but rather is a suit against the official's office" and "[a]s such, it is no different from a suit against the State itself").
A concurrent § 1983 action would thus allow access to an additional remedy that Congress did not intend. See Rancho Palos Verdes, 544 U.S. at 124 ("[L]imitations upon the remedy contained in the statute are deliberate and are not to be evaded through § 1983."); Smith v. Robinson, 468 U.S. 992, 1003 (1984) ("[W]hen a statute creates a comprehensive remedial scheme, intentional 'omissions' from that scheme should not be supplanted by the remedial apparatus of § 1983."); cf. Fitzgerald, 555 U.S. at 255-56 (allowing a § 1983 action where "parallel and concurrent § 1983 claims will neither circumvent required procedures nor allow access to new remedies" (emphasis added)); see also Kraege, 687 F. Supp. 2d at 840 (concluding that the DPPA provides a more restrictive private remedy). But see Arrington, 660 F. Supp. 2d at 1032-33.
Plaintiffs correctly observe that the Eleventh Circuit in Collier and the District Court for the Northern District of Iowa in Arrington reached a contrary conclusion. In Collier, the opinion focused on the overall remedial scheme of the DPPA. 477 F.3d at 1311. The opinion did not, however, cite the Supreme Court's guidance in Rancho Palos Verdes that an explicit private remedy in a statute should be the key consideration of the analysis. See id. Neither did the opinion address whether or not the DPPA's private remedy is more restrictive than that available under § 1983. See id.
The opinion in Arrington did compare the nature of the private remedies under the DPPA and § 1983. It found that "the DPPA's remedies mirror § 1983's remedies in some respects, and are broader in other respects." Arrington, 660 F. Supp. at 1035. More specifically, it found an "equally extensive" list of parties that can be sued and confirmed the availability of compensatory damages, punitive damages, equitable relief, attorneys' fees, and litigation costs under both the DPPA and § 1983. Id. at 1032-33. The opinion observed, however, that the DPPA does not refer to a statute of limitations, nor does it require plaintiffs to comply with any preconditions for filing suit. Id. at 1032, 1035. But neither would preconditions exist for filing a § 1983 action to enforce a right created by the DPPA. Also, while the DPPA does not have an explicit statute of limitations, 28 U.S.C. § 1658 provides for a default limitation. See Smythe v. City of Onamia, No. 12-3149, 2013 WL 2443849, *6 n.3 (D. Minn. June 5, 2013) (finding that the default four-year limit applies to the DPPA).
Moreover, the opinion in Arrington does not discuss the DPPA's carve-out of states and state agencies from the definition of persons against whom a private suit may be brought, as compared to the permissibility of a § 1983 action against state officials in their official capacity for purposes of prospective relief. This limitation of the DPPA is significant, especially in light of the statute's overall comprehensive remedial scheme that designates the Attorney General to take action against state DMVs. Consequently, the Court respectfully disagrees with the Collier and Arrington opinions on the issue and finds that the DPPA precludes a § 1983 action.
C. Complaint's Claim Under Section 1983 for Violations of Constitutional Rights
The State Defendants seek dismissal of Plaintiffs' claims of violation of a constitutional right under 42 U.S.C. § 1983 on the grounds that no constitutional right to privacy of motor vehicle record data exists. Plaintiffs assert that a constitutional right to privacy exists and that the complaint states a violation of it. (Pl. Opp. Br. (Dkt. 61) at 19.) Plaintiffs do not, however, cite any cases that have found a constitutional right to privacy in the type of information protected by the DPPA.
It is well established that "not every disclosure of personal information will implicate the constitutional right to privacy" and the "personal rights found in the guarantee of personal privacy must be limited to those which are fundamental or implicit within the concept of ordered liberty." Cooksey v. Boyer, 289 F.3d 513, 515-16 (8th Cir. 2002) (internal quotation marks omitted). The Eighth Circuit has "consistently held that to violate the constitutional right of privacy the information disclosed must be either a shocking degradation or an egregious humiliation to further some specific state interest, or a flagrant breach of a pledge of confidentiality which was instrumental in obtaining the personal information." Id. at 516 (internal quotation marks omitted). The complaint does not allege such a violation as to any individual Plaintiff.
The complaint acknowledges that Plaintiffs voluntarily provided their personal information for the purpose of obtaining and maintaining a Minnesota State driver's license. (Compl. ¶¶ 33, 67.) The complaint alleges that the information provided includes their "address, color photograph, date of birth, weight, height and eye color, and in some instances, their medical and/or disability information." (Compl. ¶ 67.) None of that data qualifies as so extremely personal as to trigger constitutional—as opposed to statutory—privacy protection. Not even statutory protection existed for it until 1994, when Congress passed the DPPA.
Moreover, at least two appellate courts have found no constitutional right to privacy in the information protected by the DPPA. See Pryor v. Reno, 171 F.3d 1281, 1288 n.10 (11th Cir. 1999); Condon v. Reno, 155 F.3d 453, 464-65 (4th Cir. 1998). Those decisions considered a constitutional challenge to the DPPA and preceded the Supreme Court's decision in Reno v. Condon, 528 U.S. 141 (2000), that found constitutional permissibility for the DPPA under the Commerce Clause. In the appeals before the Fourth and Eleventh Circuits, the courts considered and rejected an argument by the United States that the DPPA was lawfully enacted pursuant to Congress' power under § 5 of the Fourteenth Amendment. Condon, 155 F.3d at 463-65; Pryor, 171 F.3d at 1288 n.10. The Fourth Circuit found "no constitutional right to privacy in the information contained in motor vehicle records" as it is "not the sort of information to which individuals have a reasonable expectation of privacy." Condon, 155 F.3d at 465. Similarly, the Eleventh Circuit found that it had "acknowledged a constitutional right to privacy only for intimate personal information given to a state official in confidence" and "information in motor vehicle records is not this sort of information." Pryor, 171 F.3d at 1288 n.10 (emphasis in original).
In the appeal of the Fourth Circuit case to the Supreme Court, the government abandoned its argument under the Fourteenth Amendment and the Supreme Court did not address it. Reno, 528 U.S. at 149 n.2.
The Eighth Circuit has noted that some "highly personal" medical information may implicate a constitutional right to privacy. See Alexander v. Peffer, 993 F.2d 1348, 1350-51 (8th Cir. 1993). However, no blanket constitutional privacy protection exists for medical information. See Cooksey, 289 F.3d at 517 ("[A]ll mental health information is not created equal and should not be treated categorically under a privacy rights analysis."). The complaint fails to allege facts that indicate that any Plaintiff provided any "highly personal" medical information to the DPS.
Additionally, the complaint only alleges unauthorized accesses of their personal information by Defendant Hunt. The complaint does not state that any of the information was subsequently used in any manner or disclosed by Defendant Hunt to anyone else. As discussed above, the complaint does not contend that the State Defendants should not have given Hunt access to the relevant databases for purposes of his job. Under such circumstances, the complaint fails to state a violation of any constitutional right to privacy against the State Defendants.
CONCLUSION
Based on the files, records, and proceedings herein, and for the reasons stated above, IT IS ORDERED THAT:
1. Defendants Tom Landwehr, Ramona Dohman, Mark Holsten, Michael Campion, Keith Parker, Robert Maki, Steve Lime, Charlie Regnier, Stan Gruska, and Sheila Deyo's Motion [Docket No. 56] is GRANTED.
2. The Consolidated Amended Complaint against them and John and Jane Does at the DPS and DNR is DISMISSED.Dated: September 20, 2013
s/Joan N. Ericksen
JOAN N. ERICKSEN
United States District Judge