Eighth Circuit Orders New Trial for Unauthorized Data Access Under Driver’s Privacy Protection Act
Driver’s licenses have been in the news quite a bit recently – and not just because of Olivia Rodrigo’s hit single. The Eighth Circuit recently ordered a new trial in a litigation involving alleged violations of the Driver’s Privacy Protection Act in a decision implicating important principles of evidentiary law in the context of data privacy litigation.
In Krekelberg v. City of Minneapolis, No. 20-1362, 2021 U.S. App. LEXIS 8147 (8th Cir. March 19, 2021), Plaintiff was a Minneapolis police officer who sued over 40 local government entities and employees, including the City of Minneapolis, based on over one thousand distinct accesses of her driver’s license data in violation of the Driver’s Privacy Protection Act (“DPPA”). The DPPA governs information collected by state Departments of Motor Vehicles (“DMVs”), and generally limits the disclosure of personal information – such as an individual’s social security number, address, or medical information – obtained from DMVs unless the disclosure falls under one of fourteen exceptions in the DPPA. Plaintiff had received a letter in 2013 indicating that her driver’s license data had impermissibly been accessed, and contacted her state Driver and Vehicle Services for an audit. The audit revealed approximately one thousand accesses without cause between 2003 and 2012.
By the time of the trial, all defendants other than the City of Minneapolis and two individual officers had been dismissed from the suit or had settled with Plaintiff. Plaintiff’s remaining claims against the city were claims of vicarious liability based on 74 accesses of her data, and her claims against the officers were for one access each. But Plaintiff was permitted to present evidence at trial of the approximately one thousand distinct accesses, many of which were by the defendants who had settled or been dismissed.
The Eighth Circuit found that the district court’s decision to admit evidence of the violations that were time-barred or dismissed was improper and in violation of Federal Rule of Evidence 403, which provides that evidence may be excluded if its probative value is outweighed by the danger that the evidence will be prejudicial. It found that allowing evidence of the nearly 850 accesses that were not at issue in the litigation was “extraordinarily prejudicial and risked confusing the jury” because it moved the focus from the 74 accesses that were at issue in the suit onto the 850 accesses that were no longer at issue and could not be considered as damages. The fact that the court had issued a limiting instruction for the evidence was insufficient to overcome its prejudicial nature.
The Eighth Circuit also found that the district court had committed other errors, such as allowing the plaintiff to offer evidence of harassment, retaliation, and failure to investigate when those actions had not been taken by any of the other remaining defendants. Based on the cumulative impact of a faulty jury instruction and the errors, it found that defendants’ substantial rights had been impacted, and ordered a new trial.
Krekelberg shows some of the red lights and stop signs to be aware of in data privacy litigation, which are not always specific to the data privacy context – the propriety of evidence that is presented to a jury is a key issue in any form of litigation. We’ll keep an eye on how this one continues to evolve for you.