COMMENTARY: State Sale of Driver’s License Data Sparks Debate over Federal Privacy Law (pdf)

Article PDF cannot be displayed. You can download it here:

https://digitalcommons.law.yale.edu/cgi/viewcontent.cgi?article=1073&context=yjolt

COMMENTARY: State Sale of Driver’s License Data Sparks Debate over Federal Privacy Law

Yale Journal of Law and Technology Volume 1 Issue 1 Yale Journal of Law and Technology Article 5 1999 COMMENTARY: State Sale of Driver’s License Data Sparks Debate over Federal Privacy Law Steven C. Carlson Follow this and additional works at: https://digitalcommons.law.yale.edu/yjolt Part of the Computer Law Commons, Intellectual Property Law Commons, and the Science and Technology Law Commons Recommended Citation Steven C. Carlson, COMMENTARY: State Sale of Driver’s License Data Sparks Debate over Federal Privacy Law, 1 Yale J.L. & Tech (1999). Available at: https://digitalcommons.law.yale.edu/yjolt/vol1/iss1/5 This Article is brought to you for free and open access by Yale Law School Legal Scholarship Repository. It has been accepted for inclusion in Yale Journal of Law and Technology by an authorized editor of Yale Law School Legal Scholarship Repository. For more information, please contact . Carlson: State Sale of Driver’s License Data Sparks Debate over Federal Privacy Law COMMENTARY: State Sale of Driver’s License Data Sparks Debate over Federal Privacy Law Steven C. Carlson* I. INTRODUCTION The proliferation of computerized databases of personal information has brought renewed attention to federal privacy law. While privacy rights under the Constitution have traditionally been limited to intimate details of personal lives, recent disputes have raised the question as to whether notions of substantive due process also extend to personal data. The focus of recent disputes has been the practice that thirty-four state motor vehicle departments have of selling the personal data of registered drivers to direct marketing companies and to other firms and individuals.1 These state agency practices came to light in the wake of serious crimes facilitated by state disclosure of personal data. In 1989, actress Rebecca Schaeffer was murdered when a lunatic fan acquired her address through the motor vehicle records held by the State of California, and shot her.2 A federal law, the Driver’s Privacy Protection Act (DPPA), was enacted in 1994 to prevent the perceived abuses of state management of driver’s license data.3 The Act created a general prohibition on the disclosure of the data,4 with enumerated exceptions.5 The Act sparked controversy between the federal and state governments upon assertions that Congress lacked constitutional authority for its enactment.6 Data privacy law is ripe for review by federal courts. Recent case law, however, has withheld pronouncements on federal privacy rights in favor of resolving disputes according to more traditional doctrines of federalism. Three federal circuit courts of appeals have heard challenges to the DPPA. The cases, bringing to the bench novel issues of privacy law, have been resolved largely under the Commerce Clause. The cases leave open the question of how broadly in scope federal constitutional protection applies to personal data. * J.D., Yale Law School, 1999; B.A., Chemistry, Reed College, 1993. 1 See Condon v. Reno, 155 F.3d 453, 456 (4th Cir. 1998).Wisconsin, for example, collected approximately $ 8 million in annual revenues from the sale of driver’s license data. See Travis v. Reno, 163 F.3d 1000, 1002 (7th Cir. 1998). 2 See W. Kent Davis, Drivers’ Licenses: Comply with the Provisions of the Federal Driver’s Privacy Protection Act; Provide Strict Guidelines for the Release of Personal Information from Drivers’ Licenses and Other Records of the Department of Public Safety, 14 GA. ST. U. L. REV. 196, 196 (1997). 3 18 U.S.C. § 2721 (1994). 4 See18 U.S.C. § 2721(a) (1994) (“Except as provided in subsection (b), a State department of motor vehicles, and any officer, employee, or contractor, thereof, shall not knowingly disclose or otherwise make available to any person or entity personal information about any individual obtained by the department in connection with a motor vehicle record.”). 5 See18 U.S.C. § 2721(b) (1994) (exempting from the prohibitions of the DPPA disclosures of driver’s license data to parties such as: other governmental agencies and law enforcement officials; those involved with motor vehicle safety and theft; businesses for attempting to verify data originally submitted by the individual; and bulk marketers who permit individuals to opt out of inclusion). 6 See Condon, 155 F.3d at 453; Travis, 163 F.3d at 1000; Oklahoma Department of Public Safety v. United States, 161 F.3d 1266, 1272-73 (10th Cir. 1998). Published by Yale Law School Legal Scholarship Repository, 1999 1 Yale Journal of Law and Technology, Vol. 1 [1999], Iss. 1, Art. 5 Circuit courts have split on the constitutionality of the DPPA. In September 1998, the Fourth Circuit struck down the DPPA as unconstitutional, ruling that Congress lacked authority for its passage under either the Commerce Clause or the Fourteenth Amendment.7 In December 1998, the Seventh8 and Tenth Circuits9 upheld the DPPA, finding that Congress had authority under the Commerce Clause to pass it. These courts did not reach the question as to whether Congress had authority to enact the DPPA pursuant to the Fourteenth Amendment. ISSUES OF FEDERALISM The debate over the constitutionality of the DPPA has focused primarily on issues of federalism. Courts have split on the question of whether Congress has power under the Commerce Clause to enact the DPPA.10 In Condon v. Reno, the Fourth Circuit struck down the DPPA and held that Congress improperly regulated the states when it enacted the DPPA. The court based its argument on the premise that Congress is forbidden from regulating “States as States.”11 The Fourth Circuit reasoned that Congress is limited to regulating the activities of states through “legislation that is also applicable to private parties,”12 repeatedly citing Garcia v. San Antonio Metropolitan Transit Authority13 to assert that “Congress may only ‘subject state governments to generally applicable laws.’”14 The Fourth Circuit noted that the DPPA targeted only the practices of state agencies, and had no application to private parties. The court concluded that the DPPA bore unconstitutionally on state governments.15 The Seventh and Tenth Circuits roundly criticized Condon. Congress is free, the courts argued, to regulate the activities of the states, so long as Congress does not attempt to commander the legislative processes of the states.16 Congress is not limited, the courts continued, to regulating the states only through generally applicable laws, as the Fourth Circuit had urged. Laws may be enacted that fall exclusively on the states, especially when similar laws already regulate the conduct of private parties. Privacy law is a prime example. A litany of laws has long regulated private handling of data.17 Although the DPPA bears solely on states, it is merely a continuation of an existing scheme of regulation that applies to private and public entities alike.18 Nor does the DPPA commandeer the administrative processes of the states, the c (...truncated)