From Casetext: Smarter Legal Research

Welch v. Theodorides-Bustle

United States District Court, N.D. Florida, Tallahassee Division
Jul 1, 2010
CASE NO. 4:09cv302-RH/WCS (N.D. Fla. Jul. 1, 2010)

Opinion

CASE NO. 4:09cv302-RH/WCS.

July 1, 2010


ORDER DENYING SUMMARY-JUDGMENT MOTIONS


This case arises under the Driver's Privacy Protection Act, 18 U.S.C. §§ 2721- 25. The plaintiff asserts that the defendants — employees of the Florida Department of Highway Safety and Motor Vehicles — violated the Act by unlawfully disclosing personal information of Florida drivers in bulk. The parties have filed cross-motions for summary judgment. This order denies the motions.

The Driver's Privacy Protection Act (sometimes referred to in this order as "the Act") prohibits the disclosure of "personal information" obtained by a state department of motor vehicles. Id. § 2721(a). "Personal information" means

information that identifies an individual, including an individual's photograph, social security number, driver identification number, name, address (but not the 5-digit zip code), telephone number, and medical or disability information, but does not include information on vehicular accidents, driving violations, and driver's status.
Id. § 2725(3).

There are, however, "permissible" disclosures of "personal information." One is a disclosure for "use by any government agency . . . in carrying out its functions, or any private person or entity acting on behalf of [an] agency in carrying out its functions." Id. § 2721(b)(1). Another is disclosure for "use in the normal course of business by a legitimate business," but only "to verify the accuracy of personal information submitted by [an] individual to the business" or "to obtain the correct information" if the information provided by the individual is incorrect. Id. § 2721(b)(3).

The defendants worked for the Florida Department of Highway Safety and Motor Vehicles. They had a role in disclosing personal information of Florida drivers in bulk to a private corporation, Shadowsoft, Inc. Shadowsoft disclosed the information to another entity, The Source for Public Data, which in turn made the information available over the internet.

At least insofar as shown by this record, neither the disclosure to Shadowsoft nor the later disclosure to The Source for Public Data was a permissible use of the personal information.

The Act explicitly creates a private right of action against a "person who knowingly obtains, discloses or uses personal information" other than for a permissible "purpose." Id. § 2724(a)(1) (emphasis added). Violations of the Act also are actionable under 42 U.S.C. § 1983. See Collier v. Dickinson, 477 F.3d 1306, 1310-11 (11th Cir. 2007).

As this language makes clear, a defendant who had a role in improperly disclosing a plaintiff's personal information is not necessarily liable to the plaintiff. The Act imposes liability only on a defendant who "knowingly" discloses information for an impermissible "purpose." So liability turns on what a defendant knows and on the defendant's purpose.

The same words are not used in § 1983, but § 1983 ordinarily does require that a defendant act intentionally or with deliberate indifference. So a defendant's knowledge remains part of the analysis.

Moreover, under both the Driver's Privacy Protection Act and § 1983, a defendant who is a public employee may invoke the defense of qualified immunity. Qualified immunity applies to damages claims against public employees and protects "all but the plainly incompetent or those who knowingly violate the law." Malley v. Briggs, 475 U.S. 335, 341, 106 S. Ct. 1092, 1096, 89 L. Ed. 2d 271 (1986); see generally Hope v. Pelzer, 536 U.S. 730, 122 S. Ct. 2508, 153 L. Ed. 2d 666 (2002); Harlow v. Fitzgerald, 457 U.S. 800, 102 S. Ct. 2727, 73 L. Ed. 2d 396 (1982). Thus a public employee may be held individually liable only if, on the facts known or reasonably believed by the employee, the employee's conduct violates clearly established law.

The defendants assert that they did not act with the requisite knowledge because Shadowsoft said it would only use the information for a permissible purpose. Indeed, the contract so required. But the contract did not articulate a permissible purpose for disclosing the information. Nor would an ostensible purpose — even one set out in a contract — necessarily establish the parties' actual purpose. See, e.g., Dixon County v. Field, 111 U.S. 83, 92, 4 S. Ct. 315, 28 L. Ed. 360 (1884) (stating that a recital in bonds under which they would conform to the law, when in fact they do not, "will not make them so"); United States v. Leonard, 529 F.3d 83, 90 (2d Cir. 2008) (collecting Supreme Court cases that rely on the substance of a transaction over contract formalisms in determining what constitutes a "security"); Daughtrey v. Honeywell, Inc., 3 F.3d 1488, 1492 (11th Cir. 1993) ("The employment status of an individual for the purposes of ERISA is not determined by the label used in the contract between the parties."); Spirides v. Reinhardt, 613 F.2d 826, 832-33 (D.C. Cir. 1979) ("Courts generally look to the substance of a contract rather than its form, and, although contract language may be indicative to some degree of the intention of the parties, it is not necessarily controlling.").

The record does not establish beyond dispute that the defendants lacked the required knowledge. They are not entitled to summary judgment.

For his part, the plaintiff asserts that the defendants acted knowingly because they participated in the disclosure of personal information with no grounds to believe it was for a permissible purpose. Perhaps. But the record does not establish beyond factual dispute what any defendant knew or the defendant's purpose for the disclosure.

A defendant will not be liable if two things are both true. First, when participating in the disclosure of the information to Shadowsoft, the defendant understood that Shadowsoft would hold the information and disclose it only for a permissible purpose, for example, to a legitimate business wishing "to verify the accuracy of personal information submitted by [an] individual to the business" or "to obtain the correct information" if the information provided by the individual is incorrect. 18 U.S.C. § 2721(b)(3). And second, when participating in the disclosure of the information to Shadowsoft, the defendant believed that in making any downstream disclosure for a permissible purpose, Shadowsoft would be acting "on behalf of [the Department of Highway Safety and Motor Vehicles] in carrying out its functions." Id. § 2721(b)(1). The same analysis — with an additional layer — would apply to any intentional disclosure to The Source for Public Data.

In determining whether Shadowsoft was acting on behalf of the Department, it is relevant that the Department and Shadowsoft did not go through the steps that ordinarily attend the privatization of a government function. But it is not dispositive. The Act plainly recognizes an agency's ability to contract out the governmental function of responding to requests for the disclosure of driver's-license information. Nothing in the Act suggests that an agency cannot contract out the function to more than one entity, or that the agency cannot continue to perform the function itself while also contracting out the function to one or more private entities. If an agency finds a private company who is willing to perform the function for no pay — indeed, who is willing to pay the agency for the opportunity to perform the function — so much the better.

What actually happened is that Shadowsoft disclosed the information in bulk to The Source for Public Data, which made it available over the internet to anyone willing to claim a permissible purpose. Perhaps the defendants knew what would happen. Perhaps they knew that neither Shadowsoft nor The Source for Public Data would perform a government function on the Department's behalf. But the record does not establish this fact beyond dispute.

In short, the record does not establish beyond dispute that any defendant acted with the required knowledge. The plaintiff is not entitled to summary judgment.

For these reasons,

IT IS ORDERED:

The summary-judgment motions (documents 38 and 45) are DENIED.

SO ORDERED on June 21, 2010.


Summaries of

Welch v. Theodorides-Bustle

United States District Court, N.D. Florida, Tallahassee Division
Jul 1, 2010
CASE NO. 4:09cv302-RH/WCS (N.D. Fla. Jul. 1, 2010)
Case details for

Welch v. Theodorides-Bustle

Case Details

Full title:MICHAEL WELCH, Plaintiff, v. ELECTRA THEODORIDES-BUSTLE et al., Defendants

Court:United States District Court, N.D. Florida, Tallahassee Division

Date published: Jul 1, 2010

Citations

CASE NO. 4:09cv302-RH/WCS (N.D. Fla. Jul. 1, 2010)