No. 98-1464
In the Supreme Court of the United States
JANET RENO, ATTORNEY GENERAL, ET AL.,
PETITIONERS
v.
CHARLIE CONDON, ATTORNEY GENERAL
OF SOUTH CAROLINA, ET AL.
ON WRIT OF CERTIORARI
TO THE UNITED STATES COURT OF APPEALS
FOR THE FOURTH CIRCUIT
BRIEF FOR THE PETITIONERS
SETH P. WAXMAN
Solicitor General
Counsel of Record
DAVID W. OGDEN
Acting Assistant Attorney General
EDWIN S. KNEEDLER
Deputy Solicitor General
PAUL R.Q. WOLFSON
Assistant to the Solicitor
General
MARK B. STERN
ALISA B. KLEIN
DANIEL L. KAPLAN
Attorneys
Department of Justice
Washington, D.C. 20530-0001
(202) 514-2217
QUESTION PRESENTED
Whether the Driver's Privacy Protection Act of 1994, 18 U.S.C. 2721-2725
(1994 & Supp. III 1997), contravenes constitutional principles of federalism.
In the Supreme Court of the United States
No. 98-1464
JANET RENO, ATTORNEY GENERAL, ET AL.,
PETITIONERS
v.
CHARLIE CONDON, ATTORNEY GENERAL
OF SOUTH CAROLINA, ET AL.
ON WRIT OF CERTIORARI
TO THE UNITED STATES COURT OF APPEALS
FOR THE FOURTH CIRCUIT
BRIEF FOR THE PETITIONERS
OPINIONS BELOW
The opinion of the court of appeals (Pet. App. 1a-37a) is reported at 155
F.3d 453. The opinion of the district court (Pet. App. 38a-72a) is reported
at 972 F. Supp. 977.
JURISDICTION
The judgment of the court of appeals was entered on September 3, 1998. A
petition for rehearing was denied on December 22, 1998. Pet. App. 73a-74a.
The petition for a writ of certiorari was filed on March 15, 1999, and was
granted on May 17, 1999. J.A. 19. The jurisdiction of this Court rests on
28 U.S.C. 1254(1).
CONSTITUTIONAL AND STATUTORY
PROVISIONS INVOLVED
1. The Commerce Clause of the United States Constitution, Article I, Section
8, Clause 3, provides: "The Congress shall have Power * * * To regulate
Commerce * * * among the several States."
2 The Tenth Amendment to the United States Constitution provides: "The
powers not delegated to the United States by the Constitution, nor prohibited
by it to the States, are reserved to the States respectively, or to the
people."
3. The Driver's Privacy Protection Act of 1994, 18 U.S.C. 2721-2725 (1994
& Supp. III 1997), is reprinted in an appendix to this brief (App.,
infra, 1a-7a).
STATEMENT
1. This case presents a constitutional challenge to the Driver's Privacy
Protection Act of 1994 (DPPA or Act), 18 U.S.C. 2721-2725 (1994 & Supp.
III 1997). The DPPA regulates the disclosure of personal information contained
in the records of state motor vehicle departments (DMVs). The Act also regulates
the further resale and disclosure of such information by persons to whom
it is disclosed by a state DMV.1
A resident of a State who wishes to operate a motor vehicle in that State
is generally required to obtain a driver's license from his State's DMV.
As a condition of obtaining a driver's license, an individual is usually
required to provide the DMV with personal information, such as the driver's
name, address, telephone number, and in some cases medical information that
may bear on the driver's ability to operate a motor vehicle. In some States,
the DMV also requires a driver to provide his social security number and
takes a photograph of the driver. An individual who wishes to register a
motor vehicle is also usually required by the state DMV to provide personal
information, including his name and address, and information identifying
his vehicle, such as the make, model, and year of manufacture. See, e.g.,
S.C. Code Ann. §§ 56-1-20 (driver's license required), 56-1-80,
56-1-90 (requirements of license application, identification requirement),
56-1-130 (medical information), 56-3-110 (vehicles required to be licensed
and registered), 56-3-220 (certificate of title required), 56-3-240 (requirements
of vehicle registration application) (Law. Co-op. 1977 & West Supp.
1998).
State DMVs, in turn, frequently sell this personal information to individuals
and businesses.2 Although DMVs usually charge only a small fee for each
particular sale of information, aggregate revenues are substantial. For
example, New York's motor vehicle department earned $17 million in one year
from individuals and businesses that used that State's computers to examine
motor vehicle records. See 1994 WL 212813 (Feb. 3, 1994) (statement of Janlori
Goldman, American Civil Liberties Union). The Wisconsin Department of Transportation
receives about $8 million each year from its sale of motor vehicle information.
See Travis v. Reno, 163 F.3d 1000, 1002 (7th Cir. 1998), petition for cert.
pending, No. 98-1818.
Testimony before Congress established that the personal information contained
in state DMV records has considerable commercial value. In particular, the
personal information sold by state DMVs is used extensively to support the
direct-marketing efforts of businesses. See 1994 WL 212836 (Feb. 3, 1994)
(statement of Richard A. Barton, Direct Marketing Association) ("The
names and addresses of vehicle owners, in combination with information about
the vehicles they own, are absolutely essential to the marketing efforts
of the nation's automotive industry."). Personal information in DMV
records "is combined with information from other sources and used to
create lists for selective marketing use by businesses, charities, and political
candidates." Ibid. See also 1994 WL 212834 (Feb. 3, 1994) (statement
of Prof. Mary J. Culnan, Georgetown University) (describing commercial uses
of personal information in DMV records by database compilers and direct
marketers); 140 Cong. Rec. H2522 (daily ed. Apr. 20, 1994) (statement of
Rep. Moran) ("Marketers use DMV lists to do targeted mailings and other
types of marketing.").
Congressional testimony highlighted potential threats to privacy and personal
safety from disclosure of personal information held in state DMV records.
One highly publicized example involved the murder of actress Rebecca Schaeffer,
who had taken pains to ensure that her address and phone number were not
publicly listed. Despite those precautions, a stalker was able to obtain
Schaeffer's home address in her state motor vehicle records. See 140 Cong.
Rec. H2522 (daily ed. Apr. 20, 1994) (statement of Rep. Moran). Congress
was informed of numerous similar instances in which stalkers, robbers, and
assailants had used state motor vehicle records to locate, threaten, and
harm their victims.3
More generally, Congress received evidence that the commercial use of personal
information in state DMV records for purposes wholly unrelated to the regulatory
reasons for which the information was initially obtained created serious
privacy concerns. Professor Mary Culnan testified that privacy concerns
about the use of information "are especially likely to arise when the
reuse is not compatible with the original purpose for collecting the information,"
since in such circumstances "the prospect of misinterpretation or crass
exploitation usually follows." 1994 WL 212834 (Feb. 3, 1994) (citation
omitted). Professor Culnan further explained:
DMV information is not collected voluntarily. Few people can survive without
a driver[']s license or an automobile, and a condition of having either
is to register with the state. By providing this information to marketers
without providing an opt-out to its citizens, the state is essentially requiring
people to participate in direct marketing absent any compelling public safety
argument. This is in direct contrast to most of the other mailing lists
based on private sector data, such as a list of subscribers to a particular
magazine. The people on these lists have indicated an interest in participating
in direct marketing because they have "raised their hands" in
the marketplace by voluntarily responding to a commercial offer of some
type. No such claim may be made for all licensed drivers and registered
automobile owner[s].
Ibid.
2. Because unregulated dissemination of personal information in state DMV
records raised concerns about privacy and personal safety, Congress enacted
the DPPA to restrict the disclosure of personal information in motor vehicle
records without the consent of the individual to whom the information pertains,
and to restrict the resale and redisclosure of such personal information
once it has been disclosed by a DMV for a permissible purpose. The overarching
theory of the DPPA is that, except in certain circumstances in which Congress
has found an important public interest warranting disclosure, the permissibility
of dissemination of personal information in state DMV records should turn
on the consent of the individual to whom the information pertains. The DPPA
therefore permits disclosure of individuals' personal information only for
specific purposes, unless a DMV adopts an alternative procedure to permit
drivers to block unrestricted disclosure of their personal information.
If a DMV does adopt such an alternative "opt-out" procedure, then
it may release more broadly the records of those individuals who do not
invoke their right to block unrestricted disclosure.
a. The DPPA generally prohibits any state DMV, or officer or employee thereof,
from "knowingly disclos[ing] or otherwise mak[ing] available to any
person or entity personal information about any individual obtained by the
department in connection with a motor vehicle record." 18 U.S.C. 2721(a).
The DPPA defines "personal information" as any information "that
identifies an individual, including an individual's photograph, social security
number, driver identification number, name, address (but not the 5-digit
zip code), telephone number, and medical or disability information,"
but not including "information on vehicular accidents, driving violations,
and driver's status." 18 U.S.C. 2725(3). A "motor vehicle record"
is defined as "any record that pertains to a motor vehicle operator's
permit, motor vehicle title, motor vehicle registration, or identification
card issued by a department of motor vehicles." 18 U.S.C. 2725(1).
As noted above, the DPPA bars only nonconsensual disclosures. Thus, DMVs
may release personal information for any use, if they provide individuals
with an opportunity to opt out from such general disclosure when they receive
or renew their licenses. 18 U.S.C. 2721(b)(11). In addition, a DMV may release
personal information if the DMV obtains consent on a case-by-case basis
from the individual to whom the information pertains. 18 U.S.C. 2721(d).
A DMV also may disclose information about an individual if the requester
has that individual's written consent. 18 U.S.C. 2721(b)(13).
The prohibition on nonconsensual disclosures is not absolute. The Act permits
DMVs to disclose personal information from motor vehicle records in circumstances
in which Congress found that the public interest in disclosure for a particular
use outweighs concerns about invasion of privacy. Accordingly, the DPPA
expressly permits DMVs to disclose personal information from motor vehicle
records for use "by any government agency," including a court,
or by "any private person or entity acting on behalf of a Federal,
State, or local agency in carrying out its functions." 18 U.S.C. 2721(b)(1).
The Act also allows DMVs to disclose personal information for any state-authorized
purpose relating to the operation of a motor vehicle or public safety. 18
U.S.C. 2721(b)(14). Thus, the DPPA expressly accommodates safety and law
enforcement needs of public authorities.
The DPPA also authorizes disclosure of personal information to private entities
for other specific purposes. The Act allows DMVs to disclose information
for use in connection with car safety, prevention of car theft, driver safety,
and other motor-vehicle-related matters, 18 U.S.C. 2721(b)(2); for use by
a business to verify the accuracy of personal information submitted to that
business, and to prevent fraud or to pursue legal remedies if the information
the individual submitted to the business is revealed to have been inaccurate,
18 U.S.C. 2721(b)(3); for use in connection with court, agency, or self-regulatory
body proceedings, 18 U.S.C. 2721(b)(4); for research purposes, if the personal
information is not further disclosed or used to contact the individuals,
18 U.S.C. 2721(b)(5); by insurers in connection with claims investigations,
anti-fraud activities, rating, or underwriting, 18 U.S.C. 2721(b)(6); to
notify owners of towed or impounded vehicles, 18 U.S.C. 2721(b)(7); by licensed
private investigative agencies or security services for permitted purposes,
18 U.S.C. 2721(b)(8); for use by employers to verify information relating
to a holder of a commercial driver's license, 18 U.S.C. 2721(b)(9) (1994
& Supp. III 1997); and for use in connection with private tollways,
18 U.S.C. 2721(b)(10).
In addition, personal information in motor vehicle records may be disclosed
in certain circumstances for bulk distribution for surveys, marketing, or
solicitation, but only if individuals are provided an opportunity, in a
clear and conspicuous manner, to block such use of information pertaining
to them. 18 U.S.C. 2721(b)(12). Thus, disclosure of motor vehicle information
about an individual for direct-marketing purposes is prohibited unless (a)
the individual is provided the opportunity, under Section 2721(b)(11), to
block general disclosure of his personal information, and declines that
opportunity, or (b) the individual is given the opportunity to block use
of his personal information for direct marketing specifically, and declines
that opportunity.4
b. The DPPA also regulates the resale and redisclosure of motor vehicle
information by private persons who have obtained that information from a
DMV. See 18 U.S.C. 2721(c) (1994 & Supp. III 1997). The DPPA's restrictions
on resale and redisclosure by private persons turn in large part on whether
the DMV from which the information was obtained has adopted opt-out procedures
under Section 2721(b)(11) to permit individuals to object to general disclosure
of their personal information. If the DMV has not adopted such opt-out procedures,
then a private person who obtained the information for one of the permissible
purposes specified in Section 2721(b)(1)-(10) may further disclose DMV information
only for one of those purposes; he may not further disclose information
either for direct-marketing purposes, or more generally. See 18 U.S.C. 2721(c)
(first sentence) (1994 & Supp. III 1997). If the DMV has adopted opt-out
procedures to permit individuals to object to general disclosure, then an
authorized recipient who has obtained motor vehicle information pursuant
to a policy of general disclosure may disclose the information for any purpose.
See ibid. (second sentence). In addition, a recipient who has obtained motor
vehicle information specifically for direct-marketing purposes may resell
that information for other direct-marketing uses, but not otherwise. See
ibid. (third sentence) (permitting redisclosure "pursuant to"
18 U.S.C. 2721(b)(12)); 18 U.S.C. 2721(b)(12)(B) (permitting disclosure
for direct marketing only if "the information will be used, rented,
or sold solely for bulk distribution for surveys, marketing, and solicitations").
Finally, any person who receives personal information from a DMV and resells
or further discloses that information must, for five years, maintain records
identifying each person or entity to whom a further resale or redisclosure
was made, and the permitted purpose for such resale or redisclosure. See
18 U.S.C. 2721(c) (fourth sentence) (1994 & Supp. III 1997).
c. The DPPA makes it unlawful for any "person" knowingly to obtain
or disclose any record for a use not permitted by the Act, 18 U.S.C. 2722(a),
or to make a false representation in order to obtain personal information
from a motor vehicle record, 18 U.S.C. 2722(b). "Person" is defined
to exclude any State or state agency. See 18 U.S.C. 2725(2). The Act also
sets forth penalties and civil remedies for knowing violations. Any "person"
who knowingly violates the DPPA may be subject to a criminal fine. 18 U.S.C.
2723(a), 2725(2). A state agency that maintains "a policy or practice
of substantial noncompliance" with the DPPA may be subject to a civil
penalty imposed by the Attorney General of not more than $5000 per day for
each day of substantial noncompliance. 18 U.S.C. 2723(b). Any "person"
who knowingly obtains, discloses, or uses information from a state motor
vehicle record for a use not permitted by the DPPA may be subject to liability
in a civil action brought by the person to whom the information pertains.
18 U.S.C. 2724. The responsibility for enforcement of the Act's criminal
and civil penalty provisions lies entirely with the Attorney General of
the United States. The DPPA does not impose on the States any obligation
to pursue legal remedies against any requester who obtains, uses, or discloses
information in violation of the Act, or any employee who wrongfully discloses
information.
3. South Carolina law provides that the Motor Vehicle Division of the State's
Department of Public Safety will release information contained in its motor
vehicle records to anyone, provided that the requester fills out a form
listing his name and address and stating that the information will not be
used for telephone solicitation. S.C. Code Ann. §§ 56-3-510 to
56-3-540 (West Supp. 1998). The Department of Public Safety is authorized
to charge a fee for the release of requested information. Id. § 56-3-530
(West Supp. 1998).
Respondents, the Attorney General of South Carolina and the State of South
Carolina, brought this action in federal district court, alleging that the
DPPA violates the Tenth Amendment, and seeking an injunction against enforcement
of the DPPA. J.A. 9-14. The district court granted summary judgment for
respondents and entered a permanent injunction against the Act's enforcement.
Pet. App. 38a-40a. The district court ruled that this case is controlled
by New York v. United States, 505 U.S. 144 (1992), and Printz v. United
States, 521 U.S. 898 (1997). The court stated that the DPPA has the same
defect as the statutes invalidated in New York and Printz because, "[i]n
enacting the DPPA, Congress has chosen not to assume responsibility directly
for the dissemination and use of these motor vehicle records. Instead, Congress
has commanded the States to implement federal policy by requiring them to
regulate the dissemination and use of these records." Pet. App. 53a.
4. a. A divided panel of the court of appeals affirmed. Pet. App. 1a-37a.
The court expressed no doubt that the DPPA regulates "commerce"
within the scope of Congress's Commerce Clause power. The court observed,
however, that Congress "is constrained in the exercise of that [commerce]
power by the Tenth Amendment. Thus, the question * * * is not whether the
DPPA regulates commerce, but whether it is consistent with the system of
dual sovereignty established by the Constitution." Id. at 8a.
The court acknowledged that "the DPPA is different in several respects
from the statutes struck down in New York and Printz." Pet. App. 14a.
"Unlike the federal statute in New York, the DPPA does not commandeer
the state legislative process. In particular, the DPPA does not require
the States to enact legislation regulating the disclosure of personal information
contained in their motor vehicle records." Ibid. Further, "unlike
the federal statute in Printz, the DPPA does not conscript state officers
to enforce the regulations established by Congress. Indeed, the DPPA does
not require that state officials report or arrest violators of the DPPA."
Ibid.
The court nonetheless reasoned that state officials must "administer"
the DPPA, and that the Act is unconstitutional for that reason. Pet. App.
14a. In the court's view, New York and Printz made "perfectly clear
that the Federal Government may not require State officials to administer
a federal regulatory program." Ibid. The court rejected the government's
contention that "the holdings in Printz and New York apply only when
the [federal] law in question requires a State to regulate the behavior
of its citizens," and do not condemn a statute that, like the DPPA,
"simply regulates a state activity." Id. at 15a.
The court also found the DPPA unconstitutional even on the assumption that
the federal government's understanding of New York and Printz is correct.
The majority rejected the argument that the DPPA should be sustained under
cases such as Garcia v. San Antonio Metropolitan Transit Authority, 469
U.S. 528 (1985), and South Carolina v. Baker, 485 U.S. 505 (1988), which
upheld federal regulation of state activities affecting commerce. The majority
believed that Garcia established a broad limit on Congress's power to regulate
state activity: "Under Garcia and its progeny, Congress may only 'subject
state governments to generally applicable laws.'" Pet. App. 15a (quoting
New York, 505 U.S. at 160). In the court's view, Garcia and its progeny
do not govern this case because the DPPA's restrictions apply only to state
agencies:
[T]he DPPA exclusively regulates the disclosure of information contained
in state motor vehicle records. Of course, there is no private counterpart
to a state Department of Motor Vehicles. Private parties simply do not issue
drivers' licenses or prohibit the use of unregistered motor vehicles. Thus,
rather than enacting a law of general applicability that incidentally applies
to the States, Congress enacted a law that, for all intents and purposes,
applies only to the States.
Pet. App. 17a.
The court recognized that, in other federal statutes, Congress has restricted
the disclosure of personal information by private parties, and that the
DPPA thus subjects the States to the same kind of regulation that governs
private parties. Pet. App. 18a. The court dismissed that point as irrelevant,
however, because Congress had not regulated information disclosure by private
and state entities in a single, general statute:
Under Garcia, a statute is constitutional only if it is generally applicable.
A law is not generally applicable simply because it could be generally applicable.
That Congress could subject private parties to the same type of regulation
is irrelevant to the Tenth Amendment. Congress may invade the sovereignty
of the States only when it actually enacts a law of general applicability.
Nothing short of that will pass constitutional muster.
Ibid.
b. Judge Phillips dissented. Pet. App. 27a-37a. He concluded that the DPPA
is valid Commerce Clause legislation that does not contravene any Tenth
Amendment limitation on congressional power. Judge Phillips stressed that
"the end object of the Act is the direct regulation of state conduct,"
not "the indirect regulation of private conduct" accomplished
"by forcing the states directly to regulate that conduct." Id.
at 29a. He concluded that the Act's "direct regulation of the State
activity * * * distinguishes the DPPA, in the most fundamental of ways,
from the federal legislation struck down respectively in New York and Printz."
Id. at 30a.
Judge Phillips also contested the majority's view that Garcia limited Congress
to regulating state activity only through laws of general applicability.
Pet. App. 31a-32a. Although Judge Phillips noted that the statutes upheld
in Garcia and EEOC v. Wyoming, 460 U.S. 226 (1983), imposed duties on both
state and private actors, he explained that those laws were upheld "not
so much--if at all--because they applied equally to state and private actors
as because they directly regulated state activities rather than using the
'States as implements of regulation' of third parties." Pet. App. 32a
(quoting New York, 505 U.S. at 161). Judge Phillips also urged that "[s]urely
it is no basis for invalidating such regulations that no private equivalent
could be found in the particular area of regulation." Id. at 37a. To
the contrary, he concluded, "[t]o assume that Congress could only regulate
the states' conduct directly if it also equally regulated comparable private
conduct (even where none in fact exists)" bears "no relationship
to any concept of federalism implicit in the Tenth Amendment as interpreted
by the Supreme Court." Id. at 34a.
c. The panel denied the government's petition for rehearing, and the full
court denied the government's suggestion of rehearing en banc by a vote
of seven to six. Pet. App. 73a-74a.5
SUMMARY OF ARGUMENT
A. In an age of advancing information technology, the threat to privacy
from the nonconsensual dissemination of personal information has become
a matter of increasing public concern and regulatory attention. Congress
has thus far addressed privacy concerns arising out of the nonconsensual
disclosure of personal information in statutes that regulate particular
sectors of the private economy, such as video stores, cable television companies,
financial institutions, credit bureaus, and electronic communications services.
In addition, other federal statutes restrict the circumstances in which
the federal government may disclose personal information about private citizens
that federal agencies gather in the course of their official duties. In
each of those focused statutes, Congress has prohibited many kinds of disclosures
but has permitted personal information to be released in circumstances where
it has found an important countervailing interest warranting disclosure
or access.
The Driver's Privacy Protection Act of 1994 (DPPA or Act), 18 U.S.C. 2721-2725
(1994 & Supp. III 1997), extends this balanced regulatory approach to
restrict certain nonconsensual disclosures of personal information held
by state motor vehicle departments. Congress addressed disclosure of personal
information held in state DMV records after receiving evidence of threats
to personal privacy and safety resulting from unrestricted disclosure. Evidence
before Congress established that the States earn substantial revenues from
sales of personal information in DMV records, and that such personal information
is central to the direct-marketing operations of commercial enterprises.
Personal information obtained from state DMV files is therefore subject
to federal regulation under Congress's Commerce Clause power because such
information is itself in interstate commerce, and because disclosure of
such information substantially affects interstate commerce.
B. This Court's decisions articulating the constitutional principles of
federalism reflected in the Tenth Amendment interpose no obstacle to the
DPPA. In New York v. United States, 505 U.S. 144 (1992), and Printz v. United
States, 521 U.S. 898 (1997), the Court explained that, although Congress
may directly regulate state activity in or affecting commerce, it may not
commandeer a State's legislative process by requiring it to adopt legislation
to implement a federal regulatory scheme, and it may not conscript state
officials in the application of federal law to private parties. The DPPA,
however, does not have either of these defects. The DPPA does not direct
the States to adopt legislation or regulations, nor does it require state
officers to enforce its provisions against dissemination by private persons.
Enforcement of the law against violators is the responsibility of the Attorney
General of the United States. The States' obligation is simply to comply
with the Act's prohibition against disclosure of personal information from
DMV records. A congressional prohibition against state action does not commandeer
state officers or entities into regulating or enforcing federal law.
Such an obligation to comply with the substantive terms of a federal statute
is not equivalent to a duty to implement a federal regulatory scheme. Even
if a duty to comply with the substantive requirements of a federal regulatory
statute has the effect of causing a State to modify its internal administrative
procedures, that does not transform substantive federal regulation into
impermissible commandeering of the State's executive branch. As the Court
made clear in South Carolina v. Baker, 485 U.S. 505 (1988), Congress may,
consistent with the Tenth Amendment, require States to comply with federal
law, even if the States find it necessary or practically useful to revise
their administrative practices or legislation in response to the federal
legislation.
The DPPA, moreover, is respectful of state regulatory prerogatives. It does
not interfere with the States' ability to license and regulate driving within
their borders, or to collect information from individuals who apply for
driver's licenses and motor vehicle registration. Thus, the DPPA does not
interfere with the States' ability to regulate their citizens' primary conduct.
C. The DPPA is not constitutionally infirm because it applies only to state
entities, and is not a "generally applicable" law. No constitutional
rule requires Congress to regulate state activity in or affecting commerce
only through statutes that also regulate similar private activity. Congress
may exercise its Commerce Clause power to address problems as they make
themselves manifest, and it is not required to legislate for the entire
economy as a precondition to regulating state activity that presents an
immediately pressing concern warranting federal attention.
A rule requiring a generally applicable law as a precondition to federal
regulation of state activity in or affecting commerce would be inconsistent
with the plenary grants to Congress of the power to regulate interstate
commerce by making "all Laws," not merely generally applicable
ones, that are necessary and proper for doing so. U.S. Const. Art. I, §
8, Cls. 3 and 18. Those Clauses confirm that Congress retains the flexibility
ordinarily possessed by legislative bodies to tailor their laws to the problems
at hand and to choose between laws of general or more particular applicability.
The need for that flexibility is particularly evident here, for Congress
reasonably could decide not to address in a single act all privacy concerns
raised across the economy by dissemination of personal information from
a wide variety of private and public databases.
The rigid rule adopted by the court of appeals also finds no support in
the constitutional structure of federalism insofar as it protects the sovereign
powers of the States. The Tenth Amendment provides: "The powers not
delegated to the United States by the Constitution, nor prohibited by it
to the States, are reserved to the States respectively, or to the people."
If particular state activity affecting commerce may be brought within the
reach of a regulatory law of the United States when it is generally applicable,
then the power to address that particular state activity necessarily does
lie within the powers "delegated to the United States" by the
Constitution. Nothing in the Tenth Amendment divests Congress of that power
if it seeks to act through a law directed only to the state activity. Nor
does the absolute rule adopted by the court of appeals bear any relation
to whether a federal law impermissibly intrudes on the exercise of the sovereign
powers of the States, or to the diffusion of power and protection of liberty
that the constitutional structure of federalism was designed to secure.
ARGUMENT
THE DRIVER'S PRIVACY PROTECTION ACT OF 1994 IS CONSISTENT WITH CONSTITUTIONAL
PRINCIPLES OF FEDERALISM
A. Personal Information Held In State Motor Vehicle Records Is Subject To
Congress's Commerce Clause Power
In several sectors, Congress has identified concerns arising out of the
dissemination of, and commerce in, personal information without the consent
of the individual to whom the information pertains, and has acted to restrict
and regulate such disclosure and commerce. In the context of personal information
in the records of private enterprises, Congress has enacted statutes that
restrict nonconsensual disclosures of personal information by credit bureaus,
educational institutions, banks, cable television companies, electronic
communications services, video stores, and, in some circumstances, employers.6
Congress has also restricted the disclosure of personal information held
by the federal government.7 In these statutes, Congress has balanced individuals'
privacy interests with countervailing public interests in disclosure by
prohibiting certain forms of disclosure of personal information and permitting
others. Each of these statutes accommodates those considerations differently.
The Driver's Privacy Protection Act of 1994 (DPPA or Act), 18 U.S.C. 2721-2725
(1994 & Supp. III 1997), added another panel to this quilt of federal
privacy protections by regulating the dissemination of personal information
originally collected from individuals by state motor vehicle agencies.8
The DPPA authorizes disclosure for certain purposes, and prohibits disclosure
for others; it also permits disclosure for any purpose if individuals are
afforded the opportunity to opt out from such general disclosure. These
rules regulate disclosure as an initial matter by a state DMV, and also
govern private persons' resale of personal information obtained from a DMV.
See pp. 6-11, supra.
There can be no doubt that the subject matter of the DPPA, the disclosure
of and commerce in personal information held by state DMVs, is a proper
object of regulation under Congress's Commerce Clause powers. (Indeed, the
court of appeals did not suggest otherwise, and respondents did not allege
or argue below that the subject of the DPPA, dissemination of personal information
held in state DMV records, is beyond the reach of Congress's Commerce Clause
power.9) The activity licensed by state DMVs and in connection with which
individuals must submit personal information to the DMV-the operation of
motor vehicles-is itself integrally related to interstate commerce. Further,
Congress learned that state DMVs frequently sell the personal information
held in their records, and that States collect substantial sums from such
sales. See pp. 3-4, supra. The record before Congress also established that
personal information obtained from DMVs is central to the direct-marketing
efforts of many companies, as well as to database compilers.10 And the DPPA
regulates the resale and redisclosure of personal information from DMV records
once it has passed into private hands, as well as the initial disclosure
from a state DMV. Such personal information is therefore legitimately subject
to congressional regulation because the States place the private information
into commerce, and because dissemination of the information is an activity
"having a substantial relation to interstate commerce." See United
States v. Lopez, 514 U.S. 549, 558-559 (1995); see also Garcia v. San Antonio
Metro. Transit Auth., 469 U.S. 528, 538 (1985); EEOC v. Wyoming, 460 U.S.
226, 235-236 (1983); FERC v. Mississippi, 456 U.S. 742, 753-758 (1982);
id. at 775 (O'Connor, J., concurring in the judgment in part and dissenting
in part).
Without questioning that the dissemination of personal information in state
DMV records falls within Congress's power to regulate commerce, the court
of appeals ruled the DPPA is nonetheless unconstitutional, for two reasons.
First, although the court acknowledged (Pet. App. 14a) that the DPPA neither
"commandeer[s] the state legislative process" nor "conscript[s]
state officers to enforce the regulations established by Congress,"
it concluded (id. at 14a-15a) that the DPPA requires state agencies to "administer"
the Act. Therefore, it held, the DPPA contravenes "our system of 'dual
sovereignty,'" as explicated in this Court's decisions in New York
v. United States, 505 U.S. 144 (1992), and Printz v. United States, 521
U.S. 898 (1997).
Second, the court rejected the contention that the DPPA is constitutional
under cases such as Garcia, supra, which sustained the application of federal
statutes regulating commercial activity to state entities. The court concluded
that, unlike the federal statutes upheld in cases like Garcia, the DPPA
is not a law "generally applicable" to both private and state
activity. Further, the court regarded as irrelevant the fact that the DPPA
is similar to other federal legislation that regulates disclosure of personal
information by private enterprises. "Under Garcia," the court
held (Pet. App. 18a), "a statute is constitutional only if it is generally
applicable. * * * That Congress could subject private parties to the same
type of regulation is irrelevant to the Tenth Amendment. Congress may invade
the sovereignty of the States only when it actually enacts a law of general
applicability. Nothing short of that will pass constitutional muster."
As we now explain, both reasons given by the court of appeals for invalidating
the DPPA are without substance.11
B. The DPPA Does Not Commandeer Or Conscript States Into Applying Federal
Law; Rather, It Requires State Entities To Comply With Substantive Federal
Regulation, And Prohibits Contrary State Practices
1. In New York v. United States, the Court sustained a constitutional challenge
to provisions of the Low-Level Radioactive Waste Policy Amendments Act of
1985, 42 U.S.C. 2021b et seq. (1988), that required the States either to
regulate the disposal of certain radioactive waste generated within their
borders, or to take title to such waste. See 505 U.S. at 169-170, 174-177.
The Court framed the constitutional question before it as whether "Congress
may use the States as implements of regulation; that is, whether Congress
may direct or otherwise motivate the States to regulate in a particular
field or in a particular way." Id. at 161. Emphasizing that, "even
where Congress has the authority under the Constitution to pass laws requiring
or prohibiting certain acts, it lacks the power directly to compel the States
to require or prohibit those acts," id. at 166, the Court held that
"[t]he Federal Government may not compel the States to enact or administer
a federal regulatory program," id. at 188. The Court concluded that
the challenged provisions were inconsistent with "the Constitution's
division of authority between federal and state governments," id. at
175, because they "commandeer[ed] the legislative processes of the
States by directly compelling them to enact and enforce a federal regulatory
program," id. at 176 (citation omitted).
In Printz v. United States, the Court found a similar constitutional flaw
in a provision of the Brady Handgun Violence Prevention Act, 18 U.S.C. 922(s)
(1994), that required local chief law enforcement officers to make a reasonable
effort to determine whether a proposed transfer of a handgun would violate
the law. The Court found it "apparent that the Brady Act purports to
direct state law enforcement officers to participate * * * in the administration
of a federally enacted regulatory scheme." 521 U.S. at 904. The Court
reemphasized that Congress "cannot compel the States to enact or enforce
a federal regulatory program," and held also that Congress "cannot
circumvent that prohibition by conscripting the States' officers directly"
in the administration of federal law. Id. at 935. The Brady Act's "conscript[ion]"
of local law enforcement officials also violated the Constitution's division
of authority between federal and state governments, the Court held, because
"[t]he Federal Government may neither issue directives requiring the
States to address particular problems, nor command the States' officers,
or those of their political subdivisions, to administer or enforce a federal
regulatory program." Ibid. See also Alden v. Maine, No. 98-436 (June
23, 1999), slip op. 3-4 (States are "not relegated to the role of mere
provinces or political corporations" of the national government).
The court of appeals in this case recognized that the DPPA does not present
the constitutional flaw present in either New York or Printz:
Unlike the federal statute in New York, the DPPA does not commandeer the
state legislative process. In particular, the DPPA does not require the
States to enact legislation regulating the disclosure of personal information
contained in their motor vehicle records. Instead, Congress enacted the
regulations limiting the dissemination of information from those records.
Moreover, unlike the federal statute in Printz, the DPPA does not conscript
state officers to enforce the regulations established by Congress. Indeed,
the DPPA does not require that state officials report or arrest violators
of the DPPA. Instead, the DPPA is enforced through civil penalties imposed
by the United States Attorney General against the States and permits criminal
fines and civil causes of action against individuals.
Pet. App. 14a.
The court of appeals' conclusion that the DPPA does not conscript state
governments into federal service is plainly correct. Unlike the statutes
examined in New York and Printz, the DPPA does not require state governments
or officers to regulate the primary activities of private parties or to
participate in the enforcement of federal law against private actors. The
DPPA therefore does not "conscript state governments" as "agents"
of federal regulatory power. See New York, 505 U.S. at 178; see also FERC,
456 U.S. at 792 (O'Connor, J., concurring in part and dissenting in part)
("the Framers concluded that government by one sovereign through the
agency of a second cannot be satisfactory"). Rather, the DPPA directly
regulates the dissemination of personal information in state DMV files,
and requires DMVs to comply with that substantive regulation. Moreover,
unlike the statute invalidated in Printz, see 521 U.S. at 904-905, the DPPA's
restrictions on disclosure do not operate as means to effectuate private
parties' compliance with federal law. Nor did Congress obligate the States
to enforce the DPPA's proscriptions against violators. Enforcement of the
DPPA's substantive restrictions on dissemination against violators is the
responsibility of federal officials. The DPPA therefore does not effect
"the indirect regulation of private conduct" through a state apparatus,
Pet. App. 29a (Phillips, J., dissenting), and does not "impress the
state executive into [federal] service," Printz, 521 U.S. at 907.
Our point that the DPPA does not conscript state governments into federal
service is underscored by the fact that the DPPA's disclosure restrictions
impose no affirmative obligations on the States to implement federal law;
rather, they impose substantive prohibitions on state activity. In Printz
and New York, in which this Court found federal statutes to contravene the
Constitution's structure of federalism, Congress had required active state
participation in the enforcement of federal law against private parties.
See also Alden, slip op. 40 (Congress may not "commandeer the entire
political machinery of the State against its will"). The DPPA's disclosure
restrictions, however, require no active state participation. Instead, they
simply forbid DMVs from taking action (dissemination of information) that
contravenes the substantive restrictions on disclosure put in place by the
federal law to protect personal privacy.12
The distinction between laws that impose affirmative obligations on States
and those that prevent States from taking action is well reflected in this
Court's preemption jurisprudence. Although New York and Printz hold that
Congress may not require the States to pass legislation or participate in
the execution of a federal regulatory program, it is well established that
Congress may prohibit the States from regulating in a particular field,
as long as regulation of the field lies within reach of Congress's enumerated
powers.13 Such federal prohibitions against state action have an extensive
pedigree: federal law has often said to the States, "Don't do any of
these things." See FERC, 456 U.S. at 793 n.30 (O'Connor, J., concurring
in part and dissenting in part) (quoting Henry M. Hart, Jr., The Relations
Between State and Federal Law, 54 Colum. L. Rev. 489, 515 (1954)). Thus,
even in the context (unlike here) in which the anti-commandeering rule does
apply-where the federal government attempts to dictate how the States regulate
private conduct-the Constitution permits federal laws that prohibit the
States from regulating that conduct at all, in order to prevent interference
with federal interests and protections afforded by federal law. Similarly
here, the anti-commandeering rule of New York and Printz does not cloud
Congress's authority to prevent the States from taking action in a field
of legitimate federal concern.
2. Even though the court of appeals recognized that the DPPA does not have
the same defect as the statutes at issue in New York and Printz, it nonetheless
concluded that state officials must "administer" the DPPA, and
that the Act runs afoul of the Constitution for that reason. The panel's
conception of the manner in which state officials must "administer"
the DPPA is not entirely clear, but it appears to have believed that the
DPPA is unconstitutional because state officials must, as a practical matter,
take affirmative steps to comply with the details of the substantive dictates
of the DPPA's disclosure prohibitions. That conclusion, however, is directly
contrary to this Court's decision in South Carolina v. Baker, 485 U.S. 505
(1988).
In South Carolina v. Baker, the Court rejected a Tenth Amendment challenge
to a federal statute that, in effect, prohibited States from issuing bearer
bonds, and required that state debt instruments be issued in the form of
registered bonds. See 485 U.S. at 511. The law was challenged on the ground
that it allegedly "commandeer[ed] the state legislative and administrative
process by coercing States into enacting legislation authorizing bond registration
and into administering the registration scheme." Id. at 513. The Court
found no such defect in the challenged statute, however, because the law
"regulate[d] state activities; it [did] not * * * seek to control or
influence the manner in which States regulate private parties." Id.
at 514. Further, in turning aside the argument that the challenged provision
was unconstitutional because "state officials had to devote substantial
effort to determine how best to implement a registered bond system,"
the Court explained:
Such "commandeering" is, however, an inevitable consequence of
regulating a state activity. Any federal regulation demands compliance.
That a State wishing to engage in certain activity must take administrative
and sometimes legislative action to comply with federal standards regulating
that activity is a commonplace that presents no constitutional defect.
Id. at 514-515; see also FERC, 456 U.S. at 762 (observing that Court has
"upheld federal statutory structures that in effect directed state
decisionmakers to take or to refrain from taking certain actions").
To be sure, a state DMV may find it appropriate to institute procedures
to ensure that it complies with the requirements of the DPPA. For example,
a state agency may determine that it should train its employees so that
they are aware of the limitations on permissible disclosure under the Act,
and that they can make informed judgments as to whether a request for disclosure
is covered by Act's provisions for permissible disclosure. Such training,
however, would not itself be required by federal law; it would merely be
an incidental effect of a requirement to comply with a federal prohibition
on disclosure, which does not itself involve any commandeering of state
governments.
Moreover, in many situations in which a federal statute permissibly regulates
state activity, a state agency may find it appropriate to institute procedures
and train its employees to ensure compliance with the federal law. The Fair
Labor Standards Act of 1938 (FLSA), for example, imposes maximum hours on
employment by state agencies, and requires state agencies either to pay
overtime pay or to provide compensatory time off for work in excess of those
maximum hours. See 29 U.S.C. 207(a) and (o) (1994 & Supp. III 1997).
The maximum-hours provisions of the FLSA, however, do not apply to "any
employee employed in a bona fide executive, administrative, or professional
capacity." 29 U.S.C. 213(a)(1). Thus, a state entity subject to the
FLSA will have to make judgments as to whether particular employees are
employed in executive, administrative, or professional capacities, including
making responses to individual employees' requests for overtime pay or compensatory
time off. Cf. Auer v. Robbins, 519 U.S. 452 (1997) (examining whether public-sector
employees were professional employees under FLSA). For those employees who
are covered by the FLSA, state entities may need to institute procedures
to ensure that such employees receive either overtime pay or compensatory
time off when they are required to work overtime. The incidental burden
of making such decisions and ensuring such compliance, however, has never
been held to constitute a Tenth Amendment violation.
3. In Garcia, this Court abandoned the effort, begun in National League
of Cities v. Usery, 426 U.S. 833 (1976), to expound "affirmative limits
on the Commerce Clause power in terms of core governmental functions and
fundamental attributes of state sovereignty." 469 U.S. at 556; see
id. at 547-548. It bears note, however, that the DPPA is particularly respectful
of state prerogatives. The DPPA does not prevent state and local governments
from using the information contained in DMV records for governmental purposes.
To the contrary, the Act expressly permits DMVs to disclose personal information
in their records for use "by any government agency, including any court
or law enforcement agency, in carrying out its functions, or any private
person or entity acting on behalf of a Federal, State, or local agency in
carrying out its functions." 18 U.S.C. 2721(b)(1). The Act also permits
disclosure for use "in connection with any civil, criminal, administrative,
or arbitral proceeding in any Federal, State, or local court or agency."
18 U.S.C. 2721(b)(4). And it permits disclosure of information for any use
"related to the operation of a motor vehicle or public safety."
18 U.S.C. 2721(b)(14).
The DPPA therefore does not inhibit the States' authority to license drivers,
register vehicles, or remove dangerous drivers and vehicles from the roads.
Nor does it restrict the authority of state DMVs to collect information
from persons wishing to be licensed to drive or to register their motor
vehicles. In sum, the DPPA does not impede the States' authority or ability
to regulate the primary conduct of their citizens. Accordingly, nothing
in the DPPA contravenes the proposition that "our federalism requires
that Congress treat the States in a manner consistent with their status
as residuary sovereigns and joint participants in the governance of the
Nation." Alden, slip op. 39.14
C. The DPPA Permissibly Regulates State Activity Even If It Does Not Regulate
Similar Private Activity
1. The court of appeals also held that the restrictions on information disclosure
imposed by the DPPA could not be validly applied to state DMVs because the
DPPA is not a "generally applicable" law. Pet. App. 18a. This
Court has, of course, upheld the application of numerous federal statutes
to state activity where those statutes also applied to similar private activity.
Contrary to the court of appeals' view, however, no constitutional principle
of federalism imposes a rule that state activities in or affecting commerce,
and hence otherwise within the scope of Congress's power, may be subject
to federal regulation only if Congress also imposes identical or closely
similar regulation on similar activities of private enterprises in the same
statute.15 Rather, this Court's decisions establish that, although Congress
may not commandeer the States in the implementation of a federal regulatory
program by requiring them to enact legislation (as in New York) or by conscripting
state officials to participate in the enforcement of federal law against,
or application of federal law to, third parties (as in Printz), Congress
may directly regulate state activity in or affecting commerce. That is so
whether or not it also regulates similar private activity. Because the state
activity in this case is unquestionably subject to Congress's Commerce Clause
power (see pp. 21-23, supra), the DPPA is constitutional.
In several cases in which this Court rejected Tenth Amendment challenges
to the application of federal regulatory statutes to state entities, the
Court observed that such application merely brought state activities within
the reach of a law that was also applicable to private entities. See EEOC
v. Wyoming, 460 U.S. at 233; United Transp. Union v. Long Island R.R., 455
U.S. 678, 686- 690 (1982); Fry v. United States, 421 U.S. 542, 548 (1975);
Maryland v. Wirtz, 392 U.S. 183, 196-199 (1968).16 This Court did not, however,
uphold the application of those statutes merely because as a formal matter
they applied to the activities of private enterprises as well as state entities.
Rather, a federal statute that applies equally (or similarly) to private
and state activities in or affecting commerce is inherently a regulatory
act of the federal government only, and does not commandeer or conscript
state governments in their own regulatory role. As Judge Phillips observed
in dissent below, those statutes were held "immune to Tenth Amendment
challenge not so much-if at all-because they applied equally to state and
private actors as because they directly regulated state activities rather
than using the States as implements of regulation of third parties."
Pet. App. 32a (internal quotation marks omitted).
Thus, in New York v. United States, the Court distinguished cases such as
Garcia, "in which Congress has subjected a State to the same legislation
applicable to private parties," 505 U.S. at 160, from the litigation
before it, which "concern[ed] the circumstances under which Congress
may use the States as implements of regulation; that is, whether Congress
may direct or otherwise motivate the States to regulate in a particular
field or a particular way," id. at 161. Although that distinction is
an important one, the court of appeals erred in extrapolating from it the
principle that "Congress may only 'subject state governments to generally
applicable laws.'" Pet. App. 15a (emphasis added).17 This Court's reasoning
supports no such rigid constitutional rule. Rather, when this Court in New
York distinguished federal regulatory requirements, with which state entities
must comply, from requirements that state entities exercise their own power
to regulate private persons, it recognized that statutes of general applicability
do not contravene the anti-commandeering principle because generally applicable
laws, by their nature, do not require the States to participate in the regulation
of private persons. The Court did not suggest that all other statutes applicable
to state entities run afoul of the Tenth Amendment, whether or not they
violate the proscription against commandeering. In fact, the Court's decision
in New York echoed its decision in South Carolina v. Baker, where it sustained
the federal restriction against bearer bonds and observed that the challenged
law "regulate[d] state activities [and did not] seek to control or
influence the manner in which States regulate private parties," and
thus did not present "a commandeering of state regulatory machinery."
485 U.S. at 514.
The DPPA, therefore, is not constitutionally infirm on the ground that it
regulates only information held in state DMV records and not also similar
information held in private databases. As was true of the statute upheld
in South Carolina v. Baker, the DPPA "regulates state activities";
it does not "seek to control or influence the manner in which States
regulate private parties." 485 U.S. at 514. The DPPA regulates how
state DMVs may disseminate their own data; it does not require the States
to impose any restrictions on private dissemination or to pursue any remedies
or to assure compliance by taking action against or with respect to anyone
outside state government. Further, the DPPA applies to private persons'
redisclosure of information from state DMV records as well as the initial
disclosure by the state DMV. And the federal government, not the States,
is responsible for prosecuting violators. See p. 11, supra.
The court of appeals' rule is also difficult to square with this Court's
preemption jurisprudence. Congressional preemption of state regulatory authority,
by definition, applies only to the States, since there is no analogous private
regulation. Yet, as we have explained (see pp. 29-30, supra), federal preemption
of state law has long been understood to present no constitutional difficulty,
and preemption certainly has never been thought constitutionally problematic
merely because it applies only to the States.18 To the contrary, federal
preemption is constitutional even though "such congressional enactments
obviously curtail or prohibit the States' prerogatives to make legislative
choices respecting subjects the States may consider important." Hodel
v. Virginia Surface Mining & Reclamation Ass'n, 452 U.S. 264, 290 (1981).19
2. Not only is the rule articulated by the panel majority without support
in this Court's precedents; it also is inconsistent with the structure of
the Constitution, which vests in Congress the power to fashion laws in the
manner it believes most appropriate to respond to the problems affecting
commerce-and which imposes no obligation on Congress to act only through
laws of general applicability when it seeks to respond to such problems
resulting from the activities of the States.
a. This Court has consistently recognized that a legislature is not required
to "strike at all evils at the same time," Semler v. Oregon State
Bd. of Dental Exam'rs, 294 U.S. 608, 610 (1935), and that "reform may
take one step at a time, addressing itself to the phase of the problem which
seems most acute to the legislative mind." Williamson v. Lee Optical,
Inc., 348 U.S. 483, 489 (1955). That point has been markedly true in the
privacy area, for Congress has perceived that privacy concerns raised by
the dissemination of personal information do not readily lend themselves
to regulation that must, like Procrustes' bed, fit all. Congress has thus
far proceeded cautiously in regulating disclosure of personal information,
and has addressed privacy issues on a sector-by-sector basis.20 Rather than
adopting across-the-board privacy regulations for all databases in or affecting
commerce, Congress has enacted privacy protections targeted at problems
arising in specific commercial fields.21 Each of these provisions is quite
involved, for each attempts to accommodate both privacy concerns and countervailing
interests in disclosure. Also, each responds to different privacy concerns;
problems raised by unrestricted disclosure of personal financial information
to government authorities are manifestly not the same as those raised by
unrestricted dissemination of the results of medical examinations or polygraph
tests. The DPPA is in line with this "long-standing tradition"
of "address[ing] privacy issues affecting the private sector on a sectoral
basis." 1994 WL 212834 (Feb. 3, 1994) (Prof. Mary J. Culnan, Georgetown
University).22
Congress should be free to respond to privacy (and other) concerns as they
become apparent, without being restricted by an artificial constraint requiring
legislation affecting States to be "generally applicable," in
the sense suggested by the court of appeals. A constitutional rule precluding
Congress from regulating state activity in or affecting commerce unless
and until it enacts a law covering similar private activity would deprive
Congress of the much-needed ability to experiment in addressing regulatory
concerns in complex fields such as this one, and could have highly undesirable
results. As the Seventh Circuit observed, such a restriction on Congress's
authority to regulate the field of information disclosure would hardly be
salutary: "A statute covering all databases would rival the Internal
Revenue Code for complexity without offering states any real defense from
the cost and inconvenience of regulation. * * * Brobdignagian legislation
is not the Constitution's objective, even when consolidation is feasible."
Travis v. Reno, 163 F.3d 1000, 1006 (1998), petition for cert. pending,
No. 98-1818; cf. Nixon v. Administrator of Gen. Servs., 433 U.S. 425, 471
(1977) (Constitution does not put Congress "to the choice of legislating
for the universe * * * or not legislating at all").
Under the constitutional rule adopted by the court of appeals-requiring
Congress to address privacy concerns in all private and public records in
a single statute-the result would be legislation that was unmanageably complex
(if Congress perceived a need to accommodate countervailing interests in
disclosure individually for each type of database), or excessively rigid
(if it decided that all databases should be governed by a uniform rule,
which would have to be either the least or the most restrictive rule appropriate
to any database in the economy), or framed at an extraordinarily high level
of generality, requiring extensive administrative development of its application
to particular sectors (which would undermine the "general applicability"
of the law).23 Or, the result might be no legislation protecting privacy
at all.
The Constitution should not be read to preclude Congress from addressing
regulatory concerns within the scope of its enumerated powers that arise
only, or first, or most especially, from activity undertaken by state entities.
Indeed, in some situations, Congress may perceive a need to regulate state
activity that simply has no private analogue. For example, the federal government
may issue security and safety directives to govern the operation of the
nation's major airports. The validity of such directives would not turn
on whether state and local governments happened to control all of those
airports. Similarly, Congress unquestionably has the constitutional authority
to prohibit state and local officials from questioning or prosecuting foreign
nationals and diplomats. Such restrictions could not be unconstitutional
merely because, by their nature, they could apply only to officers of state
and local governments.
The Constitution grants Congress the power "To make all Laws which
shall be necessary and proper for carrying into Execution" its enumerated
powers, Art. I, § 8, Cl. 18 (emphasis added), including, of course,
the power to regulate commerce, id. Cl. 3. Nothing in those plenary grants
of power suggests that Congress may only enact some laws-those of general
applicability-when it acts in matters affecting the States, or that only
laws of general applicability are "proper" in that setting. To
the contrary, the breadth of the Clause confirms that it vests in Congress
the inherent discretion normally possessed by legislative bodies to adapt
their laws to the problems they confront, including the flexibility to choose
between laws of general and particular applicability.
b. In addition to conflicting with the affirmative grants of powers to Congress
in Article I of the Constitution, the rigid rule adopted by the court of
appeals finds no support in the constitutional structure of federalism insofar
as this structure protects the sovereign powers of the States. The Tenth
Amendment provides: "The powers not delegated to the United States
by the Constitution, nor prohibited by it to the States, are reserved to
the States respectively, or to the people." If particular state activity
in or affecting commerce may, consistent with the Constitution, be brought
within the reach of a regulatory law of the United States when that law
is generally applicable, then the power to address that particular state
activity necessarily does lie within the powers "delegated to the United
States by the Constitution." Nothing in the text of the Tenth Amendment
suggests that Congress is automatically divested of that power if it seeks
to act through a law directed only to that state activity rather than through
a law of broader applicability.
Nor do the principles of federalism underlying the Tenth Amendment support
the rule announced by the court of appeals. As this Court explained in Printz,
after adoption of the Constitution, the States "retained 'a residuary
and inviolable sovereignty.'" 521 U.S. at 919 (quoting The Federalist
No. 39, at 245 (James Madison) (Clinton Rossiter ed., 1961)). It is well
established, however, that that principle preserves in Congress the power
to "legislate[] in matters affecting the States." Alden, slip
op. 49. The question here, then, is whether the particular legislation that
respondents challenge-the DPPA-impermissibly interferes with the "residuary
and inviolable sovereignty" of the States. The answer to that question
turns on an assessment of the law as it affects the powers of the States
themselves. It is irrelevant to that inquiry whether private parties are
also subject to the same legislation.24 Accordingly, if (as the court of
appeals appeared to acknowledge) the protections of personal privacy provided
for in the DPPA would not impermissibly intrude upon the exercise of the
sovereign powers of the States if those protections were contained in a
law that also applied to private parties, then they do not do so in a law
that applies only to the States.
As the Court further explained in Printz, the Framers' experience under
the Articles of Confederation persuaded them to reject a constitutional
structure under which Congress would "us[e] the States as instruments
of federal governance." 521 U.S. at 919. Instead, the Framers separated
the powers of the United States and the States. "The separation of
the two spheres is one of the Constitution's structural protections of liberty."
Id. at 921. "'In the compound republic of America, the power surrendered
by the people is first divided between two distinct governments, and then
the portion allotted to each subdivided among distinct and separate departments.
Hence a double security arises to the rights of the people. The different
governments will control each other, at the same time that each will be
controlled by itself.'" Id. at 922 (quoting The Federalist No. 51,
supra, at 323 (James Madison)). A constitutional absolute requiring that
a federal statute that applies to state activity also address private conduct
bears no relation to those important values of diffusion of power and protection
of personal liberty. That is especially so here, where Congress perceived
a distinct threat to personal privacy resulting from state activities integrally
related to commerce, and acted within its sphere of power to afford "security
* * * to the rights of the people" by preventing the States from releasing
personal information that they require individuals to submit as a condition
of engaging in activity-owning and operating a motor vehicle-that is integrally
related to commerce generally and also to personal autonomy and economic
well-being.
3. It is thus irrelevant to the Constitution that Congress decided to address
the particular threats to privacy raised by dissemination of and commerce
in information held in state motor vehicle records in a single, focused
statute, rather than in a statute addressing analogous issues in other databases,
private and public, as well. Rather, federal regulation of state activity
in or affecting commerce does not disturb the "balance between the
supremacy of federal law and the separate sovereignty of the States"
(Alden, slip op. 48) if that regulation does not coerce the States into
performing as instruments of federal governance. The DPPA does not conscript
the States in the enforcement or execution of federal law. Accordingly,
the DPPA is constitutional.
CONCLUSION
The judgment of the court of appeals should be reversed.
Respectfully submitted.
SETH P. WAXMAN
Solicitor General
DAVID W. OGDEN
Acting Assistant Attorney General
EDWIN S. KNEEDLER
Deputy Solicitor General
PAUL R.Q. WOLFSON
Assistant to the Solicitor
General
MARK B. STERN
ALISA B. KLEIN
DANIEL L. KAPLAN
Attorneys
JULY 1999
1 The DPPA was enacted as part of an omnibus crime control law, the Violent
Crime Control and Law Enforcement Act of 1994, Pub. L. No. 103-322, Tit.
XXX, § 300002, 108 Stat. 2099. The Subcommittee on Civil and Constitutional
Rights of the House Judiciary Committee held hearings on the DPPA on February
3 and 4, 1994. Those hearings were never printed, and we are informed by
the Clerk of the Judiciary Committee that the Committee no longer has documents
or transcripts relating to the DPPA hearings. The principal prepared submissions
to the Subcommittee are available on WESTLAW. See Protecting Driver Privacy:
Hearings on H.R. 3365 Before the Subcomm. on Civil and Constitutional Rights
of the House Comm. on the Judiciary, 103d Cong., 2d Sess., available at
1994 WL 212813, 212822, 212833, 212834, 212835, 212836, 212696, 212698,
212701, 212712, 212720 (Feb. 3-4, 1994).
2 Representative Moran, a sponsor of the DPPA, observed: "Currently,
in 34 States across the country anyone can walk into a DMV office with your
tag number, pay a small fee, and get your name, address, phone number and
other personal information-no questions asked." 140 Cong. Rec. H2522
(daily ed. Apr. 20, 1994); see also 139 Cong. Rec. 29,466 (1993) (statement
of Sen. Boxer); id. at 29,468 (statement of Sen. Warner); id. at 29,469
(statement of Sen. Robb); 1994 WL 212834 (Feb. 3, 1994) (statement of Prof.
Mary J. Culnan, Georgetown University); 1994 WL 212813 (Feb. 3, 1994) (statement
of Janlori Goldman, American Civil Liberties Union).
3 See 1994 WL 212698 (Feb. 4, 1994) (statement of Rep. Moran); 1994 WL 212822
(Feb. 3, 1994) (statement of David Beatty, National Victim Center); 1994
WL 212833 (Feb. 3, 1994) (statement of Donald L. Cahill, Fraternal Order
of Police); 139 Cong. Rec. 29,469 (1993) (statement of Sen. Robb); id. at
29,470 (statement of Sen. Harkin).
4 The DPPA also provides that personal information in motor vehicle records
"shall be disclosed" for certain specific purposes pursuant to
other federal statutes. 18 U.S.C. 2721(b) (1994 & Supp. III 1997). As
we explain below (pp. 28-29 n.12, infra), that provision does not impose
any new disclosure requirements, but rather makes clear that the DPPA does
not bar disclosures otherwise required by federal law.
5 Since the panel's decision was issued, panels of the Seventh and Tenth
Circuits have upheld the DPPA against similar Tenth Amendment challenges,
while an Eleventh Circuit panel has held that the DPPA contravenes the Tenth
Amendment. See Travis v. Reno, 163 F.3d 1000 (7th Cir. 1998), petition for
cert. pending, No. 98-1818; Oklahoma v. United States, 161 F.3d 1266 (10th
Cir. 1998), petition for cert. pending, No. 98-1760; Pryor v. Reno, 171
F.3d 1281 (11th Cir. 1999), petition for cert. pending, No. 99-61.
6 See Fair Credit Reporting Act, 15 U.S.C. 1681b (1994 & Supp. III 1997);
Family Educational Rights and Privacy Act of 1974, 20 U.S.C. 1232g(b); Right
to Financial Privacy Act of 1978, 12 U.S.C. 3401-3422; Cable Communications
Policy Act of 1984, 47 U.S.C. 551; Electronic Communications Privacy Act
of 1986, 18 U.S.C. 2702; Video Privacy Protection Act of 1988, 18 U.S.C.
2710; Employee Polygraph Protection Act of 1988, 29 U.S.C. 2008; Americans
with Disabilities Act of 1990, 42 U.S.C. 12112(d)(3); see also pp. 40-41,
infra.
7 See Privacy Act of 1974, 5 U.S.C. 552a (1994 & Supp. III 1997); 26
U.S.C. 6103 (1994 & Supp. III 1997) (confidentiality of tax returns);
13 U.S.C. 9 (1994 & Supp. III 1997) (confidentiality of census data).
8 The DPPA's provisions for allowing individuals to provide consent to disclosure
of their personal information were taken directly from the Video Privacy
Protection Act of 1988. See 1994 WL 212698 (Feb. 4, 1994) (Rep. Moran);
see also 1994 WL 212834 (Feb. 3, 1994) (Prof. Mary J. Culnan, Georgetown
University) (noting that approach used in Video Privacy Protection Act "has
become the model" for direct marketing).
9 See Pet. App. 8a ("Thus, the question before this Court is not whether
the DPPA regulates commerce, but whether it is consistent with the system
of dual sovereignty established by the Constitution."). Respondents'
complaint raised only Tenth and Eleventh Amendment challenges to the DPPA;
it did not challenge the DPPA on the ground that personal information in
DMV records is not subject to Congress's regulatory power under the Commerce
Clause. See J.A. 9, 12-13. In their court of appeals brief, respondents
cited the Commerce Clause case of United States v. Lopez, 514 U.S. 549 (1995),
only once and in a footnote, where they stated obliquely that it was "doubtful"
that the DPPA is a valid exercise of Congress's Commerce Clause power. See
Resp. C.A. Br. 8 n.3; see also Pls.' Mem. in Opp. to Mot. to Dismiss 10
n.4 (similar footnote).
10 See, e.g., 1994 WL 212836 (Feb. 3, 1994) (Richard A. Barton, Direct Marketing
Association) ("The names and addresses of vehicle owners, in combination
with information about the vehicles they own, are absolutely essential to
the marketing efforts of the nation's automotive industry."); 1994
WL 212834 (Feb. 3, 1994) (Prof. Mary J. Culnan, Georgetown University) (explaining
how motor vehicle information is used by commercial database compilers,
direct-marketing companies, and fundraisers to develop targeted mailing
lists).
11 It is not entirely clear whether the court of appeals considered the
fact that the DPPA is not "generally applicable" to be an independent
ground for the DPPA's asserted unconstitutionality, or rather a reason why,
in its view, cases like Garcia did not answer the constitutional concerns
raised by the fact that the DPPA supposedly requires state entities to "administer"
the Act. As we explain below (pp. 34-47, infra), the fact that the DPPA
may not be "generally applicable" is in any event not determinative
of the constitutionality of the DPPA. Although this Court has held that,
if a federal statute is generally applicable to state and private activity
in or affecting commerce, that fact is sufficient to overcome arguments
that the statute impermissibly commandeers the States into participating
in the enforcement of federal law, the Court has never held that a federal
statute must be generally applicable to be constitutional.
12 The DPPA also provides that personal information from motor vehicle records
"shall" be disclosed to carry out the purposes of other federal
statutes, including the Anti Car Theft Act of 1992, Pub. L. No. 102-519,
106 Stat. 3384; the Automobile Information Disclosure Act, 15 U.S.C. 1231
et seq.; the Clean Air Act, 42 U.S.C. 7401 et seq.; and certain provisions
in Title 49 relating to motor vehicle safety and regulation, 49 U.S.C. 30101-30169,
30501-30505, 32101-33118 (1994 & Supp. III 1997). See 18 U.S.C. 2721(b)
(1994 & Supp. III 1997). That provision, however, does not impose any
new reporting requirements on the States. Rather, it makes plain that the
DPPA does not qualify any obligation to disclose motor vehicle information
that might exist under other provisions of federal law. Respondents have
not challenged this aspect of the DPPA or any other reporting requirements,
and any such reporting requirements could not in any event provide a basis
for a challenge to the DPPA's restrictions on information disclosure. Further,
as the Court recognized in Printz, reporting requirements imposed on state
entities do not involve the same issues as those raised by "the forced
participation of the States' executive in the actual administration of a
federal program." 521 U.S. at 918; see id. at 936 (O'Connor, J., concurring)
("the Court appropriately refrains from deciding whether other purely
ministerial reporting requirements imposed by Congress on state and local
authorities pursuant to its Commerce Clause powers are similarly invalid").
13 The latter principle derives directly from the Supremacy Clause of the
Constitution, Art. VI, Cl. 2, and this Court's preemption precedents. See
Printz, 521 U.S. at 913 (noting that, under the Supremacy Clause, "all
state officials" have a duty "to enact, enforce, and interpret
state law in such fashion as not to obstruct the operation of federal law,"
and "the attendant reality" is that "all state actions constituting
such obstruction, even legislative acts, are ipso facto invalid");
Hodel v. Virginia Surface Mining & Reclamation Ass'n, 452 U.S. 264,
290 (1981) ("[I]t is clear that the Commerce Clause empowers Congress
to prohibit all-and not just inconsistent-state regulation of such activities
[i.e., private activity affecting commerce]."); see also New York,
505 U.S. at 167; FERC, 456 U.S. at 764.
14 Indeed, the Seventh Circuit observed in Travis v. Reno, 163 F.3d 1000,
1003 (1998), petition for cert. pending, No. 98-1818, that the DPPA would
pass constitutional muster even under the analysis that was applied under
National League of Cities, before that decision was overruled by Garcia.
Under National League of Cities, federal regulation of state activity was
impermissible only if it "directly impair[ed]" the State's ability
to "structure integral operations in areas of traditional governmental
functions." See EEOC v. Wyoming, 460 U.S. at 239; South Carolina v.
Baker, 485 U.S. at 529 (Rehnquist, C.J., concurring in the judgment). Because
the DPPA accommodates the needs of state and local government in using the
information held in DMV files, it cannot be said to "portend[] * *
* [a] wide-ranging and profound threat to the structure of state governance."
EEOC v. Wyoming, 460 U.S. at 240. In fact, the district court observed that
respondents had offered "no specific interest (other than historical)
to justify its need to allow its motor vehicle records to be publicly disseminated"
on an unqualified basis. Pet. App. 67a.
15 Although the DPPA is constitutional even if it is not a "generally
applicable" law, it is questionable whether the court of appeals correctly
concluded that the DPPA is not generally applicable. It is true that the
DPPA does not regulate the dissemination of personal information such as
names, addresses, and social security numbers across the economy from wherever
such information may be stored (be it in private or public files). The DPPA
does generally apply, however, to regulate the sale and disclosure of personal
information originally collected by state DMVs, even after that information
has been disseminated to private persons. As we have explained, if a state
DMV does not adopt an alternative, opt-out procedure under Section 2721(b)(11)
to permit individuals to object to unrestricted disclosure of their personal
information, then the DMV may disclose information only for particular purposes,
and anyone-even a private entity-who receives the information for such purposes
may resell or redisclose it only for similar, specified permissible purposes.
See pp. 9-10, supra. The DPPA's civil remedy and criminal fine provisions,
moreover, would apply to a private person who made a redisclosure that was
not authorized by the Act.
16 Maryland v. Wirtz was overruled by National League of Cities, 426 U.S.
at 853-855, but National League of Cities was in turn overruled by Garcia,
469 U.S. at 557.
17 As the Seventh Circuit noted in Travis, 163 F.3d at 1006, the word "only"
in the court of appeals' opinion quoted in the text "comes from the
[F]ourth [C]ircuit rather than the Supreme Court."
18 This point is perhaps most clearly demonstrated by federal statutes,
such as the Airline Deregulation Act of 1978, Pub. L. No. 95-504, 92 Stat.
1705, that prohibit state regulation of a commercial area but do not replace
it with federal regulation covering the same area. See 49 U.S.C. 41713(b)(1)
(preempting state law related to any price, route, or service of an air
carrier); Morales v. Trans World Airlines, Inc., 504 U.S. 374 (1992). Such
express preemption of state regulatory authority cannot be meaningfully
described as a generally applicable law, and yet under this Court's preemption
jurisprudence, it is unquestionably constitutional.
19 Similarly, this Court has held that Congress may direct the States to
"op[en] [the] doors" of their quasi-adjudicative machinery to
claimants seeking reliance on federal law in a field that Congress could
have preempted, and to apply substantive federal law in disputes before
their administrative agencies, even though such a directive by definition
applies only to the States, and not to private parties. See FERC, 456 U.S.
at 760-761.
20 That "sectoral" approach strongly influenced Congress's decision,
when it enacted the Privacy Act of 1974, 5 U.S.C. 552a (1994 & Supp.
III 1997), not to regulate personal information in the private sector at
that time, but rather to confine the Privacy Act's reach to information
held by the federal government, and to establish a Privacy Protection Study
Commission to address broader privacy issues concerning personal information.
See S. Rep. No. 1183, 93d Cong., 2d Sess. 19-20, 23-24 (1974). The Commission's
study, in turn, took a sectoral approach to privacy questions, separately
addressing (for example) privacy issues in insurance, employment, and medical
care contexts. See U.S. Privacy Protection Study Comm'n, Personal Privacy
in an Information Society 155-317 (1977). The sectoral tradition of privacy
regulation in the United States is well recognized by commentators, including
those who favor more comprehensive regulation. See, e.g., Colin J. Bennett,
Regulating Privacy: Data Protection and Public Policy in Europe and the
United States 114 (1992); David H. Flaherty, Protecting Privacy in Surveillance
Societies 306 (1989); Joel R. Reideberg, Setting Standards for Fair Information
Practice in the U.S. Private Sector, 80 Iowa L. Rev. 497, 500-501, 508 (1995);
The EC Privacy Directive and the Future of U.S. Business in Europe: A Panel
Discussion, 80 Iowa L. Rev. 669, 670 (1995) (comments of Marc Rotenberg).
21 The Fair Credit Reporting Act, Pub. L. No. 91-508, Tit. VI, § 601,
84 Stat. 1129, restricts the circumstances in which credit agencies may
disseminate consumer credit reports, see 15 U.S.C. 1681b (1994 & Supp.
III 1997). The Family Educational Rights and Privacy Act of 1974, Pub. L.
No. 93-380, Tit. V, § 513, 88 Stat. 571, restricts the release of education
records, without the consent of a student's parents and except under specific
circumstances, from educational institutions receiving federal financial
assistance, see 20 U.S.C. 1232g(b). The Right to Financial Privacy Act of
1978, Pub. L. No. 95-630, Tit. XI, 92 Stat. 3697, restricts the circumstances
under which financial institutions may disclose information to government
authorities, see 12 U.S.C. 3401-3422. The Cable Communications Policy Act
of 1984, Pub. L. No. 98-549, § 2(c), 98 Stat. 2794, restricts the circumstances
in which a cable television provider may disclose information about subscribers,
see 47 U.S.C. 551(c). The Electronic Communications Privacy Act of 1986,
Pub. L. No. 99-508, 100 Stat. 1848, restricts disclosure of stored electronic
communications, see 18 U.S.C. 2511(3). The Video Privacy Protection Act
of 1988, Pub. L. No. 100-618, 102 Stat. 3195, restricts the disclosure of
video tape rental and sale records, see 18 U.S.C. 2710. The Employee Polygraph
Protection Act of 1988, Pub. L. No. 100-347, § 9, 102 Stat. 652, restricts
disclosure of the results of polygraph tests administered to employees,
see 29 U.S.C. 2008. And the Americans with Disabilities Act of 1990, Pub.
L. No. 101-336, Tit. I, § 102, 104 Stat. 331, restricts the disclosure
of the results of medical examinations administered to applicants for employment,
see 42 U.S.C. 12112(d)(3).
22 Indeed, when Congress enacted the DPPA, it paid particular attention
to differences between motor vehicle records and other public records containing
similar information, which it decided not to regulate. One concern that
motivated enactment of the DPPA was that personal information in motor vehicle
records, including names and addresses, is keyed to license plate numbers,
which drivers must display to the general public. "Unlike with license
plate numbers, people concerned about privacy can usually take reasonable
steps to withhold their names and address[es] from strangers, and thus limit
their access to personally identifiable information" in other records.
140 Cong. Rec. H2523 (daily ed. Apr. 20, 1994) (statement of Rep. Edwards);
ibid. (statement of Rep. Moran). Further, even if individuals' names and
addresses can be searched in other public records, such as voter registration
records and land records, that information is not necessarily so readily
accessible as information in motor vehicle records. Indeed, "[t]here
was no evidence before the subcommittee that other public records are vulnerable
to abuse in the same way that DMV records have been abused." Ibid.
(Rep. Edwards). That is not to say that abuses of other kinds of public
records could never occur, but Congress is not required to anticipate every
potential or speculative abuse in advance as a condition to addressing already
well-documented abuses.
23 The European Union has adopted a Directive on the privacy of personal
data that applies to all sectors of the economy. See Council Directive 95/46/EC
on the Protection of Individuals With Regard to the Processing of Personal
Data and on the Free Movement of Such Data, 1995 O.J. (L 281) 31. The EU
Directive, however, sets forth general minimum standards for the protection
of personal data, and requires member countries to address the details of
implementation in national law. See id. art. 5 ("Member States shall,
within the limits of the provisions of this Chapter, determine more precisely
the conditions under which the processing of personal data is lawful.").
Moreover, the approach taken by the EU Directive--an instruction to member
states to enact statutes or regulations in conformity with the Directive,
see id. arts. 1(1), 32-is precisely the approach that Congress cannot adopt
under this country's system of dual sovereignty, as explicated in New York
v. United States.
24 Thus, as the Seventh Circuit observed in Travis, 163 F.3d at 1004, if
a State operated a video rental store, it would be subject to the restrictions
on disclosure of personal information in the Video Privacy Protection Act
of 1988, 18 U.S.C. 2710, and the application of that statute (which happens
to be "generally applicable") to the State's activity would present
no Tenth Amendment difficulty. But if the federal regulation of the state
activity of renting videos would present no constitutional difficulty when
effected pursuant to a generally applicable law, it is difficult to see
why the same regulation of the same activity would be constitutionally questionable
if framed in a statute addressed specifically to state commercial activity,
and similar private activity were addressed in a separate statute.
APPENDIX
The Driver's Privacy Protection Act of 1994, 18 U.S.C. 2721-2725 (1994 &
Supp. III 1997), provides:
§ 2721. Prohibition on release and use of certain personal information
from State motor vehicle records
(a) IN GENERAL.-Except as provided in subsection (b), a State department
of motor vehicles, and any officer, employee, or contractor, thereof, shall
not knowingly disclose or otherwise make available to any person or entity
personal information about any individual obtained by the department in
connection with a motor vehicle record.
(b) PERMISSIBLE USES.-Personal information referred to in subsection (a)
shall be disclosed for use in connection with matters of motor vehicle or
driver safety and theft, motor vehicle emissions, motor vehicle product
alterations, recalls, or advisories, performance monitoring of motor vehicles
and dealers by motor vehicle manufacturers, and removal of non-owner records
from the original owner records of motor vehicle manufacturers to carry
out the purposes of titles I and IV of the Anti Car Theft Act of 1992, the
Automobile Information Disclosure Act (15 U.S.C. 1231 et seq.), the Clean
Air Act (42 U.S.C. 7401 et seq.), and chapters 301, 305, and 321-331 of
title 49, and may be disclosed as follows:
(1) For use by any government agency, including any court or law enforcement
agency, in carrying out its functions, or any private person or entity acting
on behalf of a Federal, State, or local agency in carrying out its functions.
(2) For use in connection with matters of motor vehicle or driver safety
and theft; motor vehicle emissions; motor vehicle product alterations, recalls,
or advisories; performance monitoring of motor vehicles, motor vehicle parts
and dealers; motor vehicle market research activities, including survey
research; and removal of non-owner records from the original owner records
of motor vehicle manufacturers.
(3) For use in the normal course of business by a legitimate business or
its agents, employees, or contractors, but only-
(A) to verify the accuracy of personal information submitted by the individual
to the business or its agents, employees, or contractors; and
(B) if such information as so submitted is not correct or is no longer correct,
to obtain the correct information, but only for the purposes of preventing
fraud by, pursuing legal remedies against, or recovering on a debt or security
interest against, the individual.
(4) For use in connection with any civil, criminal, administrative, or arbitral
proceeding in any Federal, State, or local court or agency or before any
self-regulatory body, including the service of process, investigation in
anticipation of litigation, and the execution or enforcement of judgments
and orders, or pursuant to an order of a Federal, State, or local court.
(5) For use in research activities, and for use in producing statistical
reports, so long as the personal information is not published, redisclosed,
or used to contact individuals.
(6) For use by any insurer or insurance support organization, or by a self-insured
entity, or its agents, employees, or contractors, in connection with claims
investigation activities, antifraud activities, rating or underwriting.
(7) For use in providing notice to the owners of towed or impounded vehicles.
(8) For use by any licensed private investigative agency or licensed security
service for any purpose permitted under this subsection.
(9) For use by an employer or its agent or insurer to obtain or verify information
relating to a holder of a commercial driver's license that is required under
chapter 313 of title 49.
(10) For use in connection with the operation of private toll transportation
facilities.
(11) For any other use in response to requests for individual motor vehicle
records if the motor vehicle department has provided in a clear and conspicuous
manner on forms for issuance or renewal of operator's permits, titles, registrations,
or identification cards, notice that personal information collected by the
department may be disclosed to any business or person, and has provided
in a clear and conspicuous manner on such forms an opportunity to prohibit
such disclosures.
(12) For bulk distribution for surveys, marketing or solicitations if the
motor vehicle department has implemented methods and procedures to ensure
that-
(A) individuals are provided an opportunity, in a clear and conspicuous
manner, to prohibit such uses; and
(B) the information will be used, rented, or sold solely for bulk distribution
for surveys, marketing, and solicitations, and that surveys, marketing,
and solicitations will not be directed at those individuals who have requested
in a timely fashion that they not be directed at them.
(13) For use by any requester, if the requester demonstrates it has obtained
the written consent of the individual to whom the information pertains.
(14) For any other use specifically authorized under the law of the State
that holds the record, if such use is related to the operation of a motor
vehicle or public safety.
(c) RESALE OR REDISCLOSURE.-An authorized recipient of personal information
(except a recipient under subsection (b)(11) or (12)) may resell or redisclose
the information only for a use permitted under subsection (b) (but not for
uses under subsection (b) (11) or (12)). An authorized recipient under subsection
(b)(11) may resell or redisclose personal information for any purpose. An
authorized recipient under subsection (b)(12) may resell or redisclose personal
information pursuant to subsection (b)(12). Any authorized recipient (except
a recipient under subsection (b) (11)) that resells or rediscloses personal
information covered by this chapter must keep for a period of 5 years records
identifying each person or entity that receives information and the permitted
purpose for which the information will be used and must make such records
available to the motor vehicle department upon request.
(d) WAIVER PROCEDURES.-A State motor vehicle department may establish and
carry out procedures under which the department or its agents, upon receiving
a request for personal information that does not fall within one of the
exceptions in subsection (b), may mail a copy of the request to the individual
about whom the information was requested, informing such individual of the
request, together with a statement to the effect that the information will
not be released unless the individual waives such individual's right to
privacy under this section.
§ 2722. Additional unlawful acts
(a) PROCUREMENT FOR UNLAWFUL PURPOSE.-It shall be unlawful for any person
knowingly to obtain or disclose personal information, from a motor vehicle
record, for any use not permitted under section 2721(b) of this title.
(b) FALSE REPRESENTATION.-It shall be unlawful for any person to make false
representation to obtain any personal information from an individual's motor
vehicle record.
§ 2723. Penalties
(a) CRIMINAL FINE.-A person who knowingly violates this chapter shall be
fined under this title.
(b) VIOLATIONS BY STATE DEPARTMENT OF MOTOR VEHICLES.-Any State department
of motor vehicles that has a policy or practice of substantial noncompliance
with this chapter shall be subject to a civil penalty imposed by the Attorney
General of not more than $5,000 a day for each day of substantial noncompliance.
§ 2724. Civil action
(a) CAUSE OF ACTION.-A person who knowingly obtains, discloses or uses personal
information, from a motor vehicle record, for a purpose not permitted under
this chapter shall be liable to the individual to whom the information pertains,
who may bring a civil action in a United States district court.
(b) REMEDIES.-The court may award-
(1) actual damages, but not less than liquidated damages in the amount of
$2,500;
(2) punitive damages upon proof of willful or reckless disregard of the
law;
(3) reasonable attorneys' fees and other litigation costs reasonably incurred;
and
(4) such other preliminary and equitable relief as the court determines
to be appropriate.
§ 2725. Definitions
In this chapter-
(1) "motor vehicle record" means any record that pertains to a
motor vehicle operator's permit, motor vehicle title, motor vehicle registration,
or identification card issued by a department of motor vehicles;
(2) "person" means an individual, organization or entity, but
does not include a State or agency thereof; and
(3) "personal information" means information that identifies an
individual, including an individual's photograph, social security number,
driver identification number, name, address (but not the 5-digit zip code),
telephone number, and medical or disability information, but does not include
information on vehicular accidents, driving violations, and driver's status.