Suspicious Access by Specific Personnel May Trigger Plausible Action Under the DPPA: Eighth Circuit | Practical Law

Suspicious Access by Specific Personnel May Trigger Plausible Action Under the DPPA: Eighth Circuit | Practical Law

In McDonough v. Anoka County, the US Court of Appeals for the Eighth Circuit affirmed in part and reversed and remanded in part the district court's dismissal of several plaintiff-drivers' claims alleging violations of the Driver's Privacy Protection Act (DPPA) by numerous government entities and personnel.

Suspicious Access by Specific Personnel May Trigger Plausible Action Under the DPPA: Eighth Circuit

by Practical Law Intellectual Property & Technology
Published on 27 Aug 2015USA (National/Federal)
In McDonough v. Anoka County, the US Court of Appeals for the Eighth Circuit affirmed in part and reversed and remanded in part the district court's dismissal of several plaintiff-drivers' claims alleging violations of the Driver's Privacy Protection Act (DPPA) by numerous government entities and personnel.
On August 20, 2015, in McDonough v. Anoka County, the US Court of Appeals for the Eighth Circuit affirmed in part and reversed and remanded in part the US District Court for the District of Minnesota's dismissal of plaintiff-drivers' claims alleging violations of the Driver's Privacy Protection Act (DPPA) ( (8th Cir. Aug. 20, 2015)). In its holding, the court interpreted several specific terms used in the DPPA, such as what it means to "use" or "obtain" records, and analyzed in detail whether the defendants' conduct inferred an impermissible purpose.
This case was a consolidated appeal of several suits brought by plaintiff-drivers against numerous government entities and personnel for violating the DPPA (18 U.S.C. §§ 2721-2725). The defendants included:
  • Cities, counties and other government entities, known and unknown (collectively, Local Entities).
  • Unknown law enforcement or other government personnel and supervisors, officers, deputies, staff, investigators, employees or agents of Local Entities or other government entities in Minnesota (collectively, Law Enforcement Does).
  • Current and former Commissioners of the Minnesota Department of Public Safety (DPS) Ramona Dohman and Michael Campion (collectively, Commissioners).
  • Unknown officers, supervisors, staff, employees, independent contractors and agents of DPS (collectively, DPS Does).
The DPPA prohibits state DMVs from disclosing drivers' personal information in a motor vehicle record except for uses explicitly enumerated in section 2721 of the statute. The plaintiffs alleged that the defendants had accessed or disclosed the plaintiffs' personal information from motor vehicle records multiple times for uses prohibited by the statute.
The district court:
  • Dismissed the complaints, holding that the plaintiffs had failed to state a claim.
  • Held that the statute of limitations began to run at the time of each alleged obtainment or disclosure of personal information and not at the time the plaintiffs became aware of the alleged violations.
  • Dismissed all DPPA claims against Local Entities because plaintiffs' allegations were too conclusory or too speculative to show that the purpose for accessing the personal information was impermissible.
  • In three of the cases, held that the allegations were insufficient to state a claim against the Commissioners because the plaintiffs had not shown that the Commissioners themselves had disclosed the plaintiffs' personal information for an impermissible purpose.
On appeal, the Eighth Circuit affirmed the district court's statute of limitations-based dismissals of claims based on alleged violations that had occurred more than four years before the complaints were filed. The court determined that:
  • Since the DPPA did not have a statute of limitations provision, the catch-all 28 U.S.C. § 1658(a) statute of limitations of four years would apply.
  • Based on policy considerations and the interpretation of section 1658, the statute of limitations is deemed to start running when the alleged violations occurred and not when the plaintiffs received notice of them.
With respect to the DPPA allegations against Local Entities and Law Enforcement Does, the Eighth Circuit affirmed some of the dismissals and reversed and remanded others back to the district court. The Eighth Circuit held that:
  • A violation of the DPPA requires that the defendants:
    • knowingly;
    • obtained, disclosed, or used personal information;
    • from a motor vehicle record; and
    • for a purpose not permitted.
  • Under the DPPA, to obtain personal information means simply to access or observe the data and does not require physical possession of the information.
  • The obtained information need not be subsequently used for an improper purpose for the obtainment itself to be a violation of the DPPA.
  • In assessing whether the allegations regarding the impermissible-purpose element meet the Rule 8(a) pleading standard:
    • claims that simply recite the impermissible-purpose element are conclusory and insufficient;
    • although impermissible obtainment can be inferred from the fact that a plaintiff's motor vehicle record was accessed hundreds of times within a few years, with no reason to believe the Law Enforcement Does had any special interest in the plaintiff, this is not sufficient on its own to tie the conduct to specific Legal Entities or Law Enforcement Does;
    • the presumption of regularity, under which courts presume that public officers have properly discharged their official duties, was rebutted in this instance by the alleged high volumes and suspicious timing of the information access and a legislative auditor's report finding that at least half of Minnesota law enforcement officers were misusing personal information in the database; and
    • evidence including the existence of a professional relationship between the plaintiff and law enforcement, multiple accesses to a plaintiff's information on the same day or within a span of few hours, multiple late-night accesses to the information when employees are less subject to supervision, and a history of suspicious patterns of access without obvious alternative explanations may raise the claims to a level of plausibility when the conduct is tied to specific defendants.
With respect to the Commissioners and DPS Does, the Eighth Circuit affirmed the district court's dismissal, holding that:
  • The DPPA's mental state requirement, that a defendant act knowingly, was not met by the Commissioners or DPS Does because although these defendants granted password-protected access to the motor vehicle records database to Law Enforcement Does:
    • this access was granted in connection with these employee's jobs;
    • training about the proper use of the database was provided; and
    • the website used to log into the database contained the statement "[a]ccess to this service is for authorized personnel only conducting official business...."
  • The plaintiffs' allegations that the Commissioners and DPS Does knew of the widespread misuse of the system and failed to safeguard and monitor the database at most rises to the level of negligence or recklessness.
The court's detailed analysis may prove useful in interpreting other data privacy statutes where similar statutory terms are at issue or where inferences must be drawn about defendants' conduct with respect to personal information.