Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.
3LIABILITY OF TRANSPORTATION ENTITY FOR THE UNINTENTIONAL RELEASE OF SECURE DATA OR THE INTENTIONAL RELEASE OF MONITORING DATA ON MOVEMENTS OR ACTIVITIES OF THE PUBLIC By Larry W. Thomas, The Thomas Law Firm, Washington, DC INTRODUCTION Transportation agencies are taking advantage of ever more rapid advances in Intelligent Transporta- tion Systems (ITS) and other technology. However, collecting personal data on members of the public has privacy implications; moreover, individualsâ data may be accessed by unauthorized persons or used for purposes unrelated to transportation agen- ciesâ reasons for collecting data.1 The term ITS includes any technology used by transportation agencies to collect data.2 ITS may be used to â[i]ntegrate vehicles and surface transporta- tion infrastructure with information, communica- tion, and sensory technologies to improve the safety, efficiency, security, service, accessibility, environ- mental responsibility, and reliability of the trans- portation system. The term ITS covers a broad range of transport-related activitiesâ¦.â3 Because transportation agencies collect, use, dis- close, and/or maintain personal and locational data, the digest focuses on two issues: whether a state transportation agency may be liable for the unintentional release of secure data (secure data) or for the intentional release of data collected by moni- toring the movements and activities of the traveling public (monitoring data).4 Transportation agencies are not the only ones to find the collection of data to be useful. The collection and retention of data by the agencies and the associ- ated privacy issues should be considered in the context of the ongoing, widespread collection and retention of personal data, including photographs, dates of birth, and other personally identifiable information (PII). For example, New York Universityâs Center for Urban Science and Progress is developing the coun- tryâs first âQuantified Communityâ that involves â[m]easuring, modeling, and predicting pedestrian flows through traffic and transit points, open spaces, and retail space.â5 Personal data is being collected on individuals via the Internet or because of indi- vidualsâ willingness to disclose personal information on social media.6 Facebook has been said to have more data than most government bodies. Seventeen transportation agencies responded to a survey conducted for the digest regarding their 4 See also Phillips and Kohm, supra note 1, at 2; Dorothy J. Glancy, Privacy on the Open Road, 30 OhiO N.U. L. Rev. 295, 296 (2004) [hereinafter Glancy]; Jeremy Kahn, High Technology in the Transportation Industry: Is the New Data We Gather Worth All the Costs?, 28 TRaNsp. L.J. 89, 91, 92, 103 (2000) [hereinafter Kahn]; Joshua D. Prok, Intelli- gent Transportation Systems: From Hometown Solutions to World Leadership, 35 TRaNsp. L.J. 293, 294, 300, 302 (2008); Scassa, Chandler, and Judge, supra note 1, at 118â20. 5 Center for Urban Science + Progress, New York Univer- sity, NYU CURP, Related Companies and Oxford Properties Group Team Up to Create âFirst Qualified Communityâ in the United States at Hudson Yards, available at http://cusp. nyu.edu/press-release/nyu-cusp-related-companies-oxford- properties-group-team-create-first-quantified-community- united-states-hudson-yards/ (last accessed Oct. 12, 2015). 6 Lothar Determann, Social Media Privacy: A Dozen Myths and Facts, haRv. J.L. & Tech. 3 (2012) (stating that âit is rarely the social media company that invades your privacy. What haunts people is typically user-generated content, i.e., information that people themselves, their friends, and other social media users uploadâ); Corey Ciocchetti, Just Click Sub- mit: The Collection, Dissemination, and Tagging of Personally Identifying Information, 10 vaNd. J. eNT. & Tech. L. 553, 556â 58 (2008); and James P. Nehf, Recognizing the Society Value in Information Privacy, 78 Wash. L. Rev. 1, 2â7 (2003). 1 James D. Phillips and Katharine E. Kohm, Current and Emerging Transportation Technology: Final Nails in the Coffin of the Dying Right of Privacy, 18 Rich. J.L. & Tech. 1, 2â3 (2011) [hereinafter Phillips and Kohm]; Teresa Scassa, Jennifer A. Chandler, and Elizabeth F. Judge, Pri- vacy by the Wayside: The New Information Superhighway, Data Privacy, and the Deployment of Intelligent Transpor- tation Systems, 74 sask. L. Rev. 117, 120 (2011) [herein- after Scassa, Chandler, and Judge]. See also G.S. Hans, Privacy Policies, Terms of Service, and FTC Enforcement: Broadening Unfairness Regulations for a New Era, 19 Mich. TeLecOMMM. Tech. L. Rev. 163, 183â84 (2012). 2 Thomas Garry, Frank Douma, and Stephen Simon, Intelligent Transportation Systems: Personal Data Needs and Privacy Law, 39 TRaNsp. L. J. 97, 101 (2012), [hereinaf- ter Garry, Douma, and Simon]. See also UNiTed sTaTes depaRTMeNT Of TRaNspORTaTiON, ReseaRch aNd iNNOvaTive TechNOLOgy adMiNisTRaTiON [hereinafter RITA], Frequently Asked Questions, available at: http://www.its.dot.gov/faqs. htm (last accessed Oct. 12, 2015). See Frank Douma and Jordan Deckenbach, The Challenge of ITS for the Law of Privacy, 2009 U. iLL. J.L. Tech & pOLây 295 (2009) [herein- after Douma and Deckenbach]. 3 Scassa, Chandler, and Judge, supra note 1, at 118 (foot- note omitted).
4collection of secure data and monitoring data. The survey was not intended for use as an empirical study, but rather as an aid to gather information from transportation agencies on their data practices and policies. The survey questions are included with the digest as Appendix A.7 The agenciesâ responses are discussed throughout the digest and summa- rized in Appendix B.8 Section I of the digest discusses transportation agenciesâ use of ITS and other technology to collect secure data and monitoring data; what is meant by the terms âsecure dataâ and âmonitoring dataâ; and the kinds of data that the agencies are collecting, using, disclosing, and/or retaining. Section II reviews the legal authority for using ITS, the establishment of state traffic monitoring systems (TMS), and the collection of data by elec- tronic tolling and other facilities. Section III analyzes whether under the U.S. Constitution there is a right to privacy in personal and locational data, and whether there is an implied claim or a claim under 42 U.S.C. § 1983 for a violation of a constitutional right to privacy for the disclosure of secure data or monitoring data. However, as the digest explains, the U.S. Supreme Court has not recognized a constitutional right to privacy in personal data or locational data. Section IV discusses relevant federal statutes that are applicable to personal and locational data, including the Privacy Act of 1974 and the Driverâs Privacy Protection Act (DPPA). The digest also dis- cusses proposed federal legislation that would restrict or prohibit the use of certain technology or restrict or prohibit the use of certain personal or locational data. Section V analyzes the right to privacy under state constitutions that may apply to an agencyâs collection of secure data or monitoring data and whether in some states an implied cause of action is recognized for a violation of a state constitutional right to privacy. Nevertheless, no cases were located for the digest, and the transportation agencies did not report any cases arising under a stateâs constitu- tion against an agency for a violation of privacy in connection with a disclosure of secure data or moni- toring data. Section VI analyzes state statutes that estab- lish an individualâs right to privacy and whether under any of the privacy statutes an individual has a right of action to claim damages against a transportation agency for a violation of the statute. No case, however, was located for the digest, nor did a transportation agency report a claim against an agency for violating a state privacy statute because of a disclosure of secure data or monitoring data. Also discussed are privacy policies that some states require state agencies to develop and to make available to the public. Section VI also reviews state laws banning or restricting the use of certain technology, as well as the status as of June 30, 2015, of proposed legislation in some states that would limit or prohibit the use of certain technol- ogy or limit or prohibit the collection or use of cer- tain personal or locational data. Section VII discusses data-breach notification laws that virtually all states have enacted, whether the statutes apply to government agencies, and whether the statutes that apply to government agencies authorize an assessment of civil penalties or allow a claim for damages for a breach of the applicable statute. Section VIII discusses whether a claim may exist against a transportation agency for violating a privacy right under a stateâs common law for the unintentional disclosure of secure data or the inten- tional disclosure of monitoring data. Section IX analyzes whether a privacy claim against a transportation agency would be barred by sovereign immunity or by a state tort claims act and discusses privacy claims that have been made against transportation agencies for disclosure of personal data. Although some privacy cases were located that are relevant to the digest, the trans- portation agencies responding to the survey reported that they had not had any claims against them for disclosing either secure data or monitor- ing data. Section X examines whether secure data and monitoring data may be obtained through a request made pursuant to a Freedom of Information Act (FOIA) or other state public records disclosure law. Moreover, the digest discusses whether both FOIA and discovery requests and subpoenas may be used in a case against a transportation agency to obtain data from the agency. As stated, Appendix B summarizes the transpor- tation agenciesâ responses to the survey, in which they describe the kinds of secure data and monitor- ing data that they are collecting; their regulations, policies, and procedures for doing so; and contracts that they have with private entities to collect data. Appendix C provides copies of or links to the agen- ciesâ regulations, policies, procedures, and contracts concerning their collection of secure data or moni- toring data. 7 Although transportation agencies reported having other kinds of secure data, with some exceptions, the digest does not discuss health care or employment law. 8 See Appendix D for a list of the transportation agencies that responded.
