Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.
TCRP LRD 59 23 1.â InformationâandâDataâSubjectâtoâFOIA In 1996, Congress amended the FOIA to include a definition of the term ârecords,â160 defining it as including âany informa- tion that would be an agency record ⦠when maintained by an agency in any format, including an electronic format.â161 FOIA contains no definition of âagency records,â that is, whether the record belongs to the agency for the purposes of FOIA. In U.S. Depât of Justice v. Tax Analysts, the U.S. Supreme Court articu- lated a two-part test for determining when a ârecordâ consti- tutes an âagency recordâ under the FOIA: (1) the records must be either created or obtained by an agency, and (2) the records must be under agency control at the time of the FOIA request.162 Courts have identified four factors to consider when evaluating agency âcontrolâ of a record:163 (1) the intent of the documentâs creator to retain or relinquish control over the record[ ]; (2) the ability of the agency to use and dispose of the record as it sees fit; (3) the extent to which agency personnel have read or relied upon the document; and (4) the degree to which the document was integrated into the agencyâs record systems or files. Records generated or maintained by a government contrac- tor are âagency recordsâ under the FOIA if the agency has âcon- trolâ over them. The FOIA definition of ârecordâ provides that the term includes information that qualifies as a record under the FOIA and âis maintained for an agency by an entity under Gov- ernment contract, for the purposes of records management.â164 In Am. Small Bus. League v. U.S. Small Bus. Admin., the Ninth Circuit held that records of a third-party government contractor providing wireless services, not records-management services, were not agency ârecordsâ because they were not âmaintained for an agency by an entity under Government contract, for the purposes of records management.â165 In Forsham v. Harris, the U.S. Supreme Court considered a case involving a request for raw data that formed the basis of a study conducted by a private medical research organization.166 Although the study had been funded through federal agency grants, the data never passed into the hands of the agencies that provided the funding, but instead was produced and possessed at all times by the private organization. The Court concluded that âdata generated by a privately controlled organization which has 160 Electronic Freedom of Information Act Amendments of 1996, Pub. L. No. 104-231, 110 Stat. 3048. 161 5 U.S.C. § 552(f)(2)(A). 162 U.S. Depât of Justice v. Tax Analysts, 492 U.S. 136, 144-145, 109 S. Ct. 2841, 2847â48, 106 L. Ed. 2d 112 (1989). 163 Burka v. U.S. Dept. of Health and Human Services, 87 F.3d 508, 515 (D.C. Cir. 1996). 164 5 U.S.C. § 552(f)(2)(B); see, e.g. Am. Small Bus. League v. U.S. Small Bus. Admin., 623 F.3d 1052, 1053 (9th Cir. 2010) (holding that records of a third-party government contractor providing wireless ser- vices, not records-management services, were not agency ârecordsâ because they were not ââmaintained for an agency by an entity under Government contract, for the purposes of records managementââ (quot- ing 5 U.S.C. § 552(f)(2)(B)). 165 Id. 166 Forsham v. Harris, 445 U.S. 169, 100 S.Ct. 977, 63 L.Ed.2d 293 (1980). the companyâs own privacy and security requirements; and should obtain express permission from consumers as to the specific entity or purpose for which such data will be used. ⢠In case of data breach, the company must comply with all applicable data breach notification laws. In addition, notifi cation of data breaches should be promptly sent to all affected users and to the government agency. 157 Companies should obtain periodic assessments of their pri- vacy and security practices by independent, third-party audi- tors, in order to insure compliance with the aforementioned requirements. Audit reports should be submitted to the govern- ment entity. III. DISCLOSURE OF DATA UNDER THE FEDERAL FOIA OR STATE OPEN GOVERNMENT LAWS This section explains the federal FOIA of 1966 and state free- dom of information laws generally in the context of disclosing and withholding data and information in government records. Public agencies should consult their legal counsel, and state and local public agencies should review existing state legislation to ensure compliance with applicable laws governing disclosing and withholding information in response to public requests. Government transit agencies are increasingly collecting, generating, and maintaining information from data and tech- nology. It is common for businesses to submit records, in- cluding data, to agencies that in the context of either seeking government benefitsâsuch as applying for grants, responding to a government request for contract proposals or bids, or as a requirement to operateâor responding to government over- sight, such as an audit. As part of the procurement process, companies may be required to submit confidential information about the product. In the private sector, this information would be protected by bidding laws or nondisclosure agreements. In the public sector, it may be vulnerable to disclosure under open records laws. A. Freedom of Information Act The federal FOIA of 1966 mandates public disclosure of certain agency records and information by federal agencies.158 FOIA creates a strong presumption of public access to agency records, including electronic data and information stored in government databases. There are nine exemptions in FOIA. Unless an exemption applies, the records are subject to disclo- sure. In Chrysler Corp. v. Brown, the Supreme Court held that the FOIA is âexclusively a disclosure statute and affords peti- tioner no private right of action to enjoin agency disclosure.â159 157 See Matthew W. Daus, Transportation Network Companies: Pas- senger Data Security and Privacy Issues, Sharing Economy 300:100, Thomson Reuters (2020). 158 5 U.S.C. § 552. 159 Chrysler Corp. v. Brown, 441 U.S. 281, 282, 99 S. Ct. 1705, 1707, 60 L. Ed. 2d 208 (1979).
24 TCRP LRD 59 two distinct categories of information shielded from disclo- sure under Exemption 4, both of which arise in the context of emerging technology: (i) trade secrets; and (ii) information that is (a) commercial or financial, and (b) obtained from a person, and (c) privileged or confidential. The FOIA does not define the term âtrade secret.â In Pub- lic Citizen Health Research Group v. FDA, the Court of Appeals for the District of Columbia Circuit adopted a âcommon lawâ definition of the term, defining âtrade secretâ as âa secret, com- mercially valuable plan, formula, process, or device that is used for the making, preparing, compounding, or processing of trade commodities and that can be said to be the end product of either innovation or substantial effort.â178 This narrow definition has been adopted by the Tenth Circuit.179 Trade secret protection has been recognized for product manufacturing and design information,180 but it has been de- nied for general information concerning a productâs physical or performance characteristics or a product formula when re- lease would not reveal the actual formula itself. The D.C. Cir- cuit found that airbag characteristics relating âonly to the end productâwhat features an airbag has and how it performsâ rather than to the production processâ do not qualify as trade secrets.181 Most Exemption 4 cases focus on whether the information falls within the second category of protected information: com- mercial or financial information obtained from a person that is privileged or confidential.182 The FOIA does not provide a definition for confidential. On June 24, 2019, the U.S. Supreme Court issued its decision in Food Marketing Institute v. Argus Leader Media and resolved the differing opinions among the circuit courts about âwhen does information provided to a fed- eral agency qualify as âconfidentialââ under Exemption 4.183 The U.S. Supreme Court found that term âconfidentialâ should be given its ordinary meaning as of the time of FOIAâs enactment and that âterm âconfidentialâ meant then, as it does now, âprivateâ or âsecretââ184 Under Argus, an entity seeking shelter under the other governmental interestsâinterests that may include providing pri- vate parties with sufficient assurances about the treatment of their pro- prietary information so they will cooperate in federal programs and supply the government with information vital to its workâ). 178 Public Citizen Health Research Group v. Food and Drug Admin., 704 F.2d 1280, 1284 n.7, 1288 (D.C. Cir. 1983). 179 See Anderson v. Depât of Health and Human Services, 907 F.2d 936, 944 (10th Cir. 1990). 180 See, e.g., Ctr. for Auto Safety v. Natâl Highway Traffic Safety Admin., 93 F. Supp. 2d 1, 15 (D.D.C. 2000) (Automobile air bag infor- mation, voluntarily disclosed to government agency by manufacturers, came within Freedom of Information Act exemption for confidential information; information, though dated, was commercially valuable and was not of type customarily disclosed to public); Rozema v. HHS, 167 F. Supp. 3d 324 (N.D.N.Y. 2016 Tex. Govât). 181 Ctr. for Auto Safety v. Natâl Highway Traffic Safety Admin., 244 F.3d 144, 151 (D.C. Cir. 2001). 182 5 U.S.C. § 552(b)(4). 183 Food Marketing Inst. v. Argus Leader Media, 139 S. Ct. 2356, 2360 (2019). 184 Id. received grant funds from an agency (hereafter a grantee) but which data has not at any time been obtained by the agency, are not âagency recordsâ accessible under the FOIA.â167 The fact that a study was financially supported by a FOIA-covered agency did not transform the source material into âagency recordsâ nor did âthe agenciesâ right of access to the materials under federal regulations change this resultâ168 because âthe FOIA applies to records which have been in fact obtained, and not to records which merely could have been obtained.â169 2.â UnwarrantedâInvasionsâofâPersonalâPrivacy FOIA Exemption 6 protects information about indi viduals in âpersonnel and medical files and similar filesâ when the disclosure of such information âwould constitute a clearly un- warranted invasion of personal privacy.â170 Exemption 6 is ârou- tinely used to block the release of certain information that might identify particular individuals.â171 In United States Department of State v. Washington Post Co., the U.S. Supreme Court held that, based upon a review of the legislative history of FOIA, Con- gress intended the term âsimilar filesâ to be interpreted broadly, rather than narrowly.172 The Court stated that the protection of an individualâs privacy âsurely was not intended to turn upon the label of the file which contains the damaging information,â173 instead all information that âapplies to a particular individualâ meets the threshold requirement for Exemption 6 protection.174 Heightened vigilance is appropriate in FOIA cases involving computerized databases.175 3.â TradeâSecretsâandâPrivilegedâorâConfidentialâ Information Exemption 4 of the FOIA protects âtrade secrets and com- mercial or financial information obtained from a person [that is] privileged or confidential.â176 This exemption is intended to protect the interests of both the government and private businesses that submit information to federal agencies, the re- lease of which could have negative consequences.177 There are 167 Id. at 178. 168 U.S. Depât of Justice v. Tax Analysts, 492 U.S. 136 at 144 (discuss- ing Forsham v. Harris). 169 Forsham v. Harris, 445 U.S. 169, 186. 170 5 U.S.C. § 552(b)(6). 171 110 Am. Jur. Trials 367 § 22. 172 U.S. Depât of State v. Washington Post Co., 456 U.S. 595, 599-603 (1982). 173 Id. at 601. 174 Id. at 602. 175 See Long v. Office of Personnel Management, 692 F.3d 185 (2d Cir. 2012), citing U.S. Depât of Justice v. Reporters Comm. for Freedom of Press, 489 U.S. 749, 766â67, 109 S.Ct. 1468, 103 L.Ed.2d 774 (1989) (citing the Privacy Act of 1974 for the proposition that âCongressâ basic policy concern regarding the implications of computerized data banks for personal privacy is certainly relevantâ). 176 5 U.S.C. § 552(b)(4). 177 See Food Marketing Institute v. Argus Leader Media, 139 S. Ct. 2356, 2366, 204 L. Ed. 2d 742 (2019) (opining that âwhen Congress enacted FOIA it sought a âworkable balanceâ between disclosure and
TCRP LRD 59 25 ileged or confidential in addition to record- or agency-specific restrictions. Laws and exemptions vary by jurisdiction. These laws apply to government information, which typically includes data in electronic form.190 State law must be consulted whenever a technology or system that collects and stores data, records, or other information is implemented. In addition, public agency records custodians must be knowledgeable about what the law in their jurisdiction requires. 1.â InformationâandâDataâSubjectâtoâStateâFreedomâofâ InformationâLaws For information or data to be subject to a stateâs public records law, it must be a public record. In addition to docu- ments, papers, and other physical records, records typically in- clude electronic data and other records regardless of physical form or characteristics.191 Electronic records are generally con- sidered records for the purposes of state open government laws. To avoid any doubt about the application of the Texas Open Government law to electronic communication, the statute pro- vides that the definition of âpublic informationâ âapplies to and includes any electronic communication created, transmitted, re- ceived, or maintained on any device if the communication is in connection with the transaction of official business.â192 190 Ira Bloom, Freedom of Information Laws in the Digital Age: The Death Knell of Informational Privacy, 12 Rich. J. L. & Tech. 9, text at notes 277â81 (2006). 191 See, e.g., Conn. Gen. Stat. §1-200(5) (ââPublic records or filesâ means any recorded data or information relating to the conduct of the publicâs business prepared, owned, used, received or retained by a pub- lic agency, or to which a public agency is entitled to receive a copy by law or contract under section 1-218, whether such data or information be handwritten, typed, tape-recorded, printed, photostatted, photo- graphed or recorded by any other method.â); 29 Del. C. § 10002(g) (âPublic recordâ is defined as âinformation of any kind, owned, made, used, retained, received, produced, composed, drafted or otherwise compiled or collected, by any public body, relating in any way to public business, or in any way of public interest, or in any way related to public purposes, regardless of the physical form or characteristic by which such information is stored, recorded or reproduced.â); 5 ILCS 140/2(c) (public records include âall records, reports, forms, writings, letters, memoranda, books, papers, maps, photographs, microfilms, cards, tapes, recordings, electronic data processing records, recorded informa- tion and all other documentary materials, regardless of physical form or characteristics, having been prepared, or having been or being used, received, possessed or under the control of any public bodyâ); N.C. Gen. Stat. Ann. § 132-1(a) (âPublic recordâ or âpublic recordsâ shall mean âall documents, papers, letters, maps, books, photographs, films, sound recordings, magnetic or other tapes, electronic data-processing records, artifacts, or other documentary material, regardless of physical form or characteristics, made or received pursuant to law or ordinance in connection with the transaction of public business by any agency of North Carolina government or its subdivisions.â). 192 Tex. Govât Code Ann. § 552.002(a-2) (Information is âin con- nection with the transaction of official businessâ if the information is either âcreated by, transmitted to, received by, or maintained byâ either an officer or employee of the governmental body or âa person or entity performing official business or a governmental function on behalf of a governmental body, and pertains to official business of the governmen- tal body.â). FOIAâs confidentiality exemption need only show that (i) the commercial or financial information is âcustomarily kept pri- vate, or at least closely held, by the person imparting itâ and (ii) the information was provided to the government under an assurance of privacy. The decision creates a more accommodat- ing framework for entities seeking to protect information as confidential under FOIA Exemption 4. However, courts require more than a conclusory statement that a given record is confi- dential to shield it from disclosure under the FOIA.185 Promises by officials to maintain confidentiality are without legal effect unless the records fall within one of the statutory exemptions.186 To protect confidential information, trade secrets, and pro- prietary information, federal government agencies must treat the information as confidential. They can do this by limiting in- ternal availability to only critical employees; disclose confiden- tial or proprietary information only when necessary/required by the government; request assurance of confidentiality when submitting information; and follow mandated labeling guide- lines and clearly mark sensitive information as âconfidential and proprietary.â187 The trade secret and confidential information protections under the FOIA harmonizes with the Trade Secrets Act, 18 U.S.C. § 1905, which is a criminal statute that prohibits federal employees from disclosing âpractically any commercial or finan- cial data collected by any federal employee from any source.â188 B. State Freedom of Information Laws All fifty states and the District of Columbia have enacted statutes modeled on the FOIA, often referred to as open gov- ernment laws, freedom of information laws (FOIL), or sunshine laws.189 These laws were created to increase transparency in gov- ernment by allowing the public to have access to government records. Most of these laws were enacted in the 1950s or 1960s and predate large-scale data collection. Generally, these laws presume that government records are public and should be re- leased to the public unless specifically exempted for privacy or other compelling reasons. The exemptions in state open govern- ment laws shield information from disclosure for public policy reasons. Often, they protect PII, cybersecurity strategies, and trade secrets or other commercial or financial information that is priv- 185 See, e.g., Prof âl Standards Review Council of Am. v. N.Y. State Dept. of Health, 597 N.Y.S.2d 829 (N.Y.A.D. 3 Dept. 1993). 186 See, e.g., Washington Post Co. v. New York State Ins. Depât, 61 N.Y.2d 557, 463 N.E.2d 604, 607 (1984). 187 See Christian L. Hawthorne, Tips for Protecting Your Trade Secrets When Dealing with the Government, American Bar Association, Aug. 30, 2018, www.americanbar.org/groups/litigation/ committees/business- torts-unfair-competition/practice/2018/tips-for- protecting-your-trade- secrets-when-dealing-with-the-government/. 188 CNA Fin. Corp. v. Donovan, 830 F.2d 1132, 1140 (D.C. Cir. 1987). 189 Emily Dowd, Open Government Laws and Critical Energy Infra- structure, Natâl Conference of State Legislatures, Jan. 30, 2018, www.ncsl.org/research/energy/open-government-laws-and-critical- energy-infrastructure.aspx.
26 TCRP LRD 59 Michigan similarly excludes computer software from the definition of public record, a public record is âa writing pre- pared, owned used, in the possession of, or retained by a public body in the performance of an official function, from the time it is created.â201 Under Michigan law, software is defined as âa set of statements or instructions that when incorporated in a machine usable medium is capable of causing a machine or device hav- ing information processing capabilities to indicate, perform, or achieve a particular function, task or result. . . ,â but it is not âcomputer-stored information or data, or a field name if disclo- sure of that field name does not violate a software license.â202 The Minnesota Government Data Practices Act explicitly protects patented computer software: â[i]n the event that a gov- ernment entity acquires a patent to a computer software pro- gram or component of a program, the data shall be treated as trade secret information.â203 3. Data Held by Vendors and Partners Data transmitted to a public agency by third parties may constitute public records that the agency must hold to the same public records disclosure standards as other data that the agency creates and maintains. The data collected through partnerships with private entities could be considered public information subject to disclosure, and it should not be assumed that data is not subject to disclosure simply because it is held by a third party. Some states make explicit that records in the possession of third parties may be considered public records. For example, under Illinois law, âA public record that is not in the possession of a public body but is in the possession of a party with whom the agency has contracted to perform a governmental function on behalf of the public body, and that directly relates to the gov- ernmental function and is not otherwise exempt under this Act, shall be considered a public record of the public body, for pur- poses of this Act.â204 4.â ExemptionsâforâPersonalâInformationâandâ UnwarrantedâInvasionsâofâPersonalâPrivacy State freedom of information laws typically exempt disclo- sure of records that would constitute an unwarranted invasion of personal privacy. More than half of the states have general prohibitions on disclosing PII in public agency records. For example, in New York, records are exempt if disclosure âwould constitute an unwarranted invasion of personal privacy.â205 The most frequently discussed exemption in the Michigan FOIA provides an exemption for: â[i]nformation of a personal nature where the public disclosure of the information would constitute a clearly unwarranted invasion of an individualâs privacy.â206 201 Mich. Comp. Laws Ann. § 15.232(e). 202 Mich. Comp. Laws Ann. § 15.232(f). 203 Minn. Stat. Ann. § 13.03. 204 Ill. Comp. Stat. 140/7(2). 205 See, e.g., N.Y. Pub. Off. Law § 86(4). 206 Mich. Freedom of Information Act § 13(1)(a); Mich. Comp. Laws Ann. § 15.243(1)(a). Generally, something is a public record if a state or local gov- ernment entity either created or obtained the information and is in possession or control of it. Some states and the District of Columbia have adopted a âcontrol standardâ instead of a âpos- session standardâ to determine the definition of what constitutes public records when the records were not created by an agen- cy.193 Unlike the FOIA194 and other state statutes that require actual possession, the Texas Open Government law includes information where the public agency simply âhas a right of ac- cess to the informationâ or âspends or contributes public money for the purpose of writing, producing, collecting, assembling, or maintaining the information.â195 In contrast, other states, such as Michigan, have found that access available to a public body does not mean that production is required.196 2. Computer Software In some states, software acquired or developed by the state or local government agencies is not subject to disclosure under the public records law. Under New York law, software acquired by the state is presumptively a trade secret, and reverse engi- neering is prohibited.197 Other states exclude computer software from the definition of public records. In California, computer softwareâwhich includes computer mapping systems, com- puter programs, and computer graphics systemsâdeveloped by a state or local agency is not itself a public record under the law and an agency may sell, lease, or license the software for com- mercial or noncommercial use.198 This law does create an im- plied warranty on the part of the State of California or any local agency for errors, omissions, or other defects in any computer software as provided pursuant to this law.199 Additionally, this provision does not affect the public record status of informa- tion merely because it is stored in a computer and public records stored in a computer must be disclosed as required by this law.200 193 See D.C. Code Ann. § 2-502(18) (Public records include âall books, papers, maps, photographs, cards, tapes, recordings or other documentary materials regardless of physical form or characteristics prepared, owned or used in the possession of, or retained by a public bodyâ); Belth v. Depât of Consumer & Regulatory Affairs, 115 Daily Washington Legal Rptr. 2281 (D.C. Super. Ct. 1987) (holding that records created by the National Association of Insurance Commission- ers and used by the Department of Consumer & Regulatory Affairs were covered by the D.C. Act because the documents were in the agencyâs physical and legal control, and used by the agency to regulate insurers). 194 Forsham v. Harris, 445 U.S. 169, 100 S. Ct. 977, 63 L. Ed. 2d 293 (1980); N. L. R. B. v. Sears, Roebuck & Co., 421 U.S. 132, 95 S. Ct. 1504 (1975). 195 Tex. Govât Code Ann. § 552.002(a). 196 See Hoffman v. Bay City School Dist., 137 Mich. App. 333, 357 N.W.2d 686, 21 Ed. Law Rep. 317 (1984) (âthe fact that the attorney was paid by a governmental body, the school board, and conducted his investigation at its request, does not transform his report into a record subject to disclosure under the FOIAâ). 197 Id. at ¶ 78(h)â(i). 198 Cal. Govât Code §§ 6254.9(aâb). 199 Cal. Govât Code § 6254.9(d). 200 Cal. Govât Code § 6254.9(d).
TCRP LRD 59 27 Secrets Act, Title 30, chapter 14, part 4, MCA.â213 Uniform Trade Secrets Act (UTSA) is a model law that codifies the basic prin- ciples of common law trade secret protection.214 All of the states (except New York), the District of Columbia, and the U.S. Vir- gin Islands have adopted the UTSA in modified or unmodified form. Some states use the same definition of âtrade secretâ that in the UTSA for the purposes of the stateâs open government law. Under UTSA, a âtrade secretâ is defined as: [I]nformation, including a formula, pattern, compilation, program, device, method, technique, or process that: (i) derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use, and (ii) is the subject of efforts that are reasonable under the circumstanc- es to maintain its secrecy. Under the Minnesota Government Data Practices Act, âtrade secret informationâ means: [G]overnment data, including a formula, pattern, compilation, pro- gram, device, method, technique or process (1) that was supplied by the affected individual or organization, (2) that is the subject of efforts by the individual or organization that are reasonable under the cir- cumstances to maintain its secrecy, and (3) that derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by, other per- sons who can obtain economic value from its disclosure or use. 215 For the purposes of protecting such data from disclosure under the Minnesota Government Data Practices Act, trade secret data is classified as private data with regard to data on indi viduals and as nonpublic data with regard to all other data.216 In Washington, records containing trade secrets are not cate- gorically excluded from public disclosure under the Washington Public Records Act (PRA).217 Under the PRA, public records may be withheld only if the record falls within a specific PRA exemp- tion or âother statute which exempts or prohibits disclosure of specific information or records.â218 The âother statutesâ exemp- tion âincorporates into the Act other statutes which exempt or prohibit disclosure of specific information or records. In other words, if such other statutes mesh with the Act, they operate 213 Mont. Admin. R. 17.20.302. 214 Uniform Law Commission, Uniform Trade Secrets Act With 1985 Amendments, The National Conference of Commissioners on Uniform State Laws (approved Feb. 11, 1986), https://www. uniformlaws.org/HigherLogic/System/DownloadDocumentFile. ashx?DocumentFileKey=e19b2528-e0b1-0054-23c4-8069701a4b62& forceDialog=0. 215 Minn. Stat. Ann. § 13.37. See also Ind. Code Ann. § 5-14-3-2(t) (âTrade secretâ has the meaning set forth in the Indiana Uniform Trade Secrets Act, Ind. Code Ann. § 24-2-3-1). 216 Minn. Stat. Ann. § 13.37. 217 See Lyft, Inc. v. City of Seattle, 190 Wash. 2d 769, 780, 418 P.3d 102, 104 (2018) (âIt is undisputed that no provision of the PRA exempts trade secrets from disclosure, so any exemption would need to be pur- suant to an âother statute.ââ). 218 See Wash. Rev. Code Ann. § 42.56.070. Under Californiaâs Electronically Collected Personal Infor- mation law, electronically collected personal information is exempt from requests made pursuant to the California Public Records Act.207 âElectronically collected personal informationâ is defined as: [A]ny information that is maintained by an agency that identifies or describes an individual user, including, but not limited to, his or her name, social security number, physical description, home address, home telephone number, education, financial matters, medical or employment history, password, electronic mail address, and informa- tion that reveals any network location or identity, but excludes any information manually submitted to a state agency by a user, whether electronically or in written form, and information on or relating to individuals who are users serving in a business capacity, including, but not limited to, business owners, officers, or principals of that business. 208 Some state open records laws allow PII to be disclosed only with written consent. For example, Washington law allows ac- cess to âan individually identifiable personal record for research purposes if informed written consent for the disclosureâ has been obtained.209 Public agencies should be able to avoid disclosure of sensi- tive information contained in data using the exemption for PII. Those that wish to disclose PII collected from new and emerg- ing technologies for research purposes may be able to do so by first obtaining written consent for such disclosure. 5.â ExemptionsâforâTradeâSecretesâandâPrivilegedâorâ ConfidentialâInformationâ Many states model their public disclosure laws after the FOIA and protect trade secrets and privileged or confidential information from public disclosure.210 These exemptions and their applications to specific types of information vary by state. For example, the New York FOIL contains an exception for in- formation and data that âare trade secrets or are submitted to an agency by a commercial enterprise or derived from information obtained from a commercial enterprise and which if disclosed would cause substantial injury to the competitive position of the subject enterprise.â211 New Yorkâs General Specifications for gov- ernment procurement further allow properly-marked materials to be maintained confidentially and exempt from disclosure under the state FOIL.212 Montana law provides that â[a]ny records, materials, or other information furnished pursuant to the Act or these rules are a matter of public record and are open to public inspection, unless they are entitled to protection under the Uniform Trade 207 Cal. Govât Code § 11015.5(a)(7). 208 Cal. Govât Code § 11015.5(d)(1). 209 Rev. Code Wash. (ARCW) § 42.48.020. 210 See e.g., Tex. Govât Code § 552.110 (exempting information âif it is demonstrated based on specific factual evidence that the informa- tion is a trade secretâ or âthat disclosure would cause substantial com- petitive harm to the person from whom the information was obtainedâ). 211 N.Y. Pub. Off. Law §§ 84-90. 212 See N.Y. Office of General Services, Procurement Guide- lines, Appendix BâGeneral Specifications, ¶ 15 (July 2006), www. ogs.state.ny.us/purchase/BidTemplate/AppendixB.doc.
28 TCRP LRD 59 from public records requests.225 TriMet informed lawmakers of the risks to personal privacy and safety of disclosing individual trip data that would be generated from this system,226 and law- makers exempted data âcollected as part of an electronic fare collection system of a mass transit systemâ from disclosure by including it in the definition of PII.227 The law permits disclo- sure of âpublic records that have attributes of anonymity that are sufficient, or that are aggregated into groupings that are broad enough, to ensure that persons cannot be identified by disclosure of the public records.â228 Similarly, the Dallas Area Rapid Tran- sit (DART) in Texas persuaded State legislators to exempt toll customer travel data and transit app/ticketing transaction data from public disclosure.229 According to the Shared Use Mobility Center, âthe updates to the public records legislation were un- controversial and were easily passed in their legislatures.â230 C. TNC Data Some state and local regulators require ridesourcing service providers, such as Uber and Lyft, also known as TNCs, to re- port information about their operations, including passenger and driver data. The New York City TLC231 and the California Public Utilities Commission (CPUC)232 are examples of two such regulatory agencies. Regulatorsâ interest in collecting such data typically conflicts with TNCsâ interest in keeping such data confidential. 225 Shared Use Mobility Center (SUMC), Objective-Driven Data Sharing for Transit Agencies in Mobility Partnerships (July 2019), https://sharedusemobilitycenter.org/wp-content/uploads/2020/04/ SUMC_IKA_DataSharingforTransitAgencies.pdf. 226 Tri-County Metropolitan Transportation District, Legislative Infor- mation for House Bill 4086 Protect the Privacy of Public Transit Riders, https://olis.oregonlegislature.gov/liz/2014R1/Measures/ Testimony/ HB4086. 227 Or. Rev. Stats., Ch.192, Sec. 192.345(38). 228 Id. 229 Tex. Transp. Code § 451.061. 230 Shared Use Mobility Center (SUMC), Objective-Driven Data Sharing for Transit Agencies in Mobility Partnerships (July 2019), https://sharedusemobilitycenter.org/wp-content/uploads/2020/04/ SUMC_IKA_DataSharingforTransitAgencies.pdf. 231 See N.Y.C. Admin. Code § 19-548 (requiring TNCs to report the following trip and revenue data: the TLC driver license number; the TLC vehicle license number; the location from which each passenger is picked up and dropped off; the total number of passengers picked up and dropped off; the date and time such passenger is picked up and dropped off; the total trip mileage; the date and time such trip request was made by a passenger; the itemized fare for each trip including the amount of the fare, any toll, surcharge, commission rate, other deduc- tion and any gratuity and a breakdown of the amount such passenger paid for the trip; and the payment that each driver received for each trip or the hourly rate paid; the total amount of time a vehicle is connected to the TNCâs electronic platform each day; the amount of time spent each day by each vehicle transporting passengers for hire, as well as the time spent each day by such vehicle on the way to a passenger, and time spent by such vehicle between trips but not on the way to a passenger; and other information as required by the TLC). 232 See Cal. Pub. Utilities Commân Decisions 13-09-045 and D.16- 04-041. to supplement it.â219 If there is a conflict between the PRA and other statutes, then the provisions of the PRA govern.220 In Lyft, Inc. v. City of Seattle, the Supreme Court of Washington con- sidered a question regarding the PRA injunction statute, Wash. Rev. Code § 42.56.540, and held that, while the UTSA is prop- erly regarded as an applicable âother statuteâ in the PRA context, status as âtrade secretsâ under the UTSA does not categorically exempt records from disclosure. âEven if the party seeking an injunction proves that it possesses a trade secret under an âother statute,â it still must âprove the requirements for an injunction under [Wash. Rev. Code] 42.56.540.â221 That is, the party seeking to enjoin disclosure must show âthat disclosure is clearly not in the public interest, and would result in substantial and irrepa- rable harm to any person or vital government interest.â222 The court remanded the case back to the trial court to make such determination. Separate from trade secrets, many states protect certain con- fidential information from disclosure under a public records request. However, information cannot be shielded from disclo- sure by agreeing that the information will be considered confi- dential. For example, in Florida, all records received by a public agency are open to public inspection, regardless of the expecta- tions of the source of the material, unless exempted by statute or constitutional provisions.223 6.â ExemptionsâbyâOtherâStatutes Some data may be exempt from such disclosure by law. For example, as is discussed below, many state TNC laws contain exemptions for data that is required to be collected by such companies for regulatory purposes. Another example is the California Streets and Highways Code, which provides that in- formation that identifies or describes a person who subscribes to an electronic toll or electronic transit fare collection system, including travel pattern data, is PII and prohibits transportation agencies from disclosing such information to third parties.224 Transit agencies have influenced legislatures to update and modernize state public records laws to protect sensitive travel data from public disclosure. For example, TriMet, in the Portland, Oregon area, was developing an electronic fare collec- tion system that would generate travel pattern data, but there were no statutory protections against disclosure of such data 219 See Progressive Animal Welfare Socây v. Univ. of Wash., 125 Wash.2d 243, 261-62, 884 P.2d 592 (1994) (plurality opinion). 220 Wash. Rev. Code Ann. § 42.56.030 (âIn the event of conflict between the provisions of this chapter and any other act, the provisions of this chapter shall govern.â). 221 Lyft, Inc., 190 Wash. 2d at 786, quoting Belo Mgmt. Servs., Inc. v. Click! Network, 184 Wash. App. 649, 661, 343 P.3d 370 (2014). 222 Lyft, Inc., 190 Wash. 2d at 796. 223 See, e.g., Gadd v. News-Press Publâg Co., 412 So. 2d 894 (Fla. 2d DCA 1982) (records of a county hospital committee are not exempt from the public records law, although the information may come from sources who expect or have been promised confidentiality). 224 Cal. Sts. & High. Code § 31490.
