In a decision seemingly at odds with modern conceptions of privacy in the digital age, the Washington Supreme Court in Washington Pub. Emps. Ass’n et al. v. Evergreen Freedom Foundation concluded that public employees do not have a protected privacy interest against disclosure of their birthdates associated with their full names that would exempt that information from disclosure under the Public Records Act (“PRA”).
The Freedom Foundation submitted a public records request to several state agencies seeking records including the full names, birthdates and work email addresses of union-represented employees. Several unions sought to enjoin disclosure of the requested information on both statutory and constitutional grounds. The superior court granted a temporary injunction but ultimately denied the unions’ motion to permanently enjoin release of the employees’ information. On appeal, the Court of Appeals reversed the superior court and held that article I, section 7 of the Washington Constitution creates a privacy interest against public disclosure of a state employee’s full name together with his or her birthdate. In a five-to-four decision, the Washington Supreme Court reversed the Court of Appeals, holding that the PRA does not exempt such employee information from disclosure and that no privacy right protected by the state constitution would be violated by the disclosure.
First, the Court addressed the statutory grounds raised by the unions against disclosure, including RCW 42.56.250(4), RCW 42.56.230(7) and RCW 42.56.230(3). The Court held that under RCW 42.56.250(4), the legislature exempted only the birthdates of dependents from disclosure, not the birthdates of employees. Similarly, the Court strictly viewed RCW 42.56.230(7) as preventing disclosure of birth certificates or similar documents provided when obtaining a state identification card. That statute’s protections did not extend to the employment records requested by Freedom Foundation. Finally, the Court examined RCW 42.56.230(3), which exempts from disclosure “[p]ersonal information in files maintained for employees, appointees, or elected officials of any public agency to the extent that disclosure would violate their right to privacy.” The Court looked to the Second Restatement of Torts § 652D to determine what type of information is “private” within the scope of the PRA. The Court concluded that the Restatement’s privacy test left no room to include birthdates within the common law sphere of protected privacy. While the Court acknowledged the existence of legitimate concerns about the misappropriation of birthdates, the Court concluded those concerns do not render birth dates “private” information.
As to the constitution, the Court explained that two distinct constitutional interests are protected by the article I, section 7 right to privacy: (1) the right to autonomous decision-making and (2) the right to nondisclosure of intimate personal information, or confidentiality. The Court reasoned that while the autonomy interest is a “fundamental right,” the confidentiality right is not fundamental and therefore not entitled to the same protections. A lesser standard of court review was thus appropriate. The Court’s conclusion contrasts sharply with the European Union’s General Data Protection Regulation, which declares an individual’s right to protection of a broad array of personal data to be a fundamental right. In a world of ever increasing digital tracking, surveillance and identity theft, the Court’s conclusion is likely to disappoint privacy advocates.
Because the confidentiality protections of article I, section 7 were deemed non-fundamental, the Court applied a balancing analysis that allows the State “to require the [public] disclosure of personal information when it serves a legitimate governmental interest.” Under that standard, the Court determined that article I, section 7 did not afford public employees protection against disclosure of their birthdates associated with their names.
The lead dissent, authored by Justice Wiggins, is particularly critical of the majority’s adherence to the sixty-year-old Restatement as the defining standard for protected privacy interests, observing that this is inconsistent with evolving notions of privacy in the age of technology. The dissent points out that birthdates, particularly associated with a person’s full name, often play an important role in confirming a person’s identity in the digital world—something nefarious actors are all too willing to take advantage of. In this context, release of such personal information is both “highly offensive” and “not of legitimate concern to the public.” Justice Wiggins also takes aim at the majority’s decision to evaluate the unions’ article I, section 7 argument under the “rational basis review” standard. Justice Wiggins notes that the case law cited by the majority involved disclosures of private information to the state government, not by the state government to third parties—a distinction Justice Wiggins describes as a “fundamental mismatch.” Rather, the guarantee of article I, section 7, as well as the privacy protections of the PRA itself, should be interpreted in light of technological progress and changing notions of privacy in the modern age.
Perhaps the sharpest critique of the majority’s decision comes from Justice Gonzalez’s concurring dissent, which points out the incongruity of the majority’s decision and the statutory security breach section of the PRA, RCW 42.56.590. Justice Gonzalez notes that in RCW 42.56.590, the legislature has defined “personal information,” as an “individual’s first name or first initial and last name in combination with any one or more of…[various] data elements.” Effective March 1, 2020, those data elements will include “full date of birth.” Laws of 2019, ch. 241, § 5. Thus as of March 1, 2020, if a cybercriminal hacked into an agency database and accessed employee names and full birthdates, the agency would have a duty to notify the affected individuals, and the attorney general or media depending on the scope of the breach, consistent with RCW 42.56.590. Yet, if such information was disclosed in response to a public records request, the employee would be none the wiser. As Justice Gonzalez suggests, it seems hard to believe the legislature intended the PRA to undermine an agency’s protection of public employees’ personal information.
With comprehensive privacy legislation, such as the proposed Washington Privacy Act, on the horizon for Washington State, the legislature should consider whether changes to the PRA are also necessary to ensure that public employees are entitled to the same protections against disclosure of their personal information as other Washington residents. Public employees are no less susceptible to identity theft and other digital crimes than private citizens—and with the Court’s decision in this case, perhaps they are more exposed.
Local Open Government Blog covers the latest in open government across the Pacific Northwest, including the Public Records Act, the Open Public Meetings Act, public disclosure, campaign finance and the Freedom of Information Act.