This article appeared in Cybersecurity Law & Strategy, an ALM publication for privacy and security professionals, Chief Information Security Officers, Chief Information Officers, Chief Technology Officers, Corporate Counsel, Internet and Tech Practitioners, In-House Counsel. Visit the website to learn more.

 

In the brave new world of the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), staking out a safe harbor for republishing and retaining publicly available court records is critical for protecting the public’s right to know the law and preventing criminals from hiding their crimes. Contrasted with GDPR, CCPA sets a crucial distinction between personal information and publicly available information obtained from government records, setting a workable balance between consumer privacy protections and the public’s right to know and access public records.

In this article, we’ll discuss the importance of securing a safe harbor for court records through reviewing an illustrative example of how a European Union (EU) citizen was able to force U.S. legal technology companies to remove and alter court records using GDPR. We’ll also look at CCPA in light of US case law, and close on potential paths forward for GDPR on re-using “public sector information.”

The Real-World Impact of the GDPR on Court Records

In September of 2018, Michael Francois Bujaldon, a defendant in a real estate and securities fraud case involving $62 million of allegedly ill-gotten gains, contacted multiple legal technology vendors to demand deletion of his name from all dockets for his case. Using the sword and shield of GDPR’s “right to be forgotten,” Bujaldon appears to have initially compelled PacerMonitor to remove his case (though it’s now available on PacerMonitor) and forced PlainSite to remove his name from the docket within their site.

We largely know about this use of GDPR against legal tech companies because it was reported by PlainSite after receiving Bujaldon’s request to remove his name from their dockets. Although PlainSite appears to have pushed back initially on removing Bujaldon’s name from the $62 million fraud case, it was ultimately forced by its ISP to abbreviate his name, effectively erasing Bujaldon from a search of PlainSite’s dockets.

While legal tech companies like UniCourt, PacerMonitor, and others still provide the public with access to Bujaldon’s case with his full name listed, this is only one of many instances where GDPR is being used to shroud court records from public scrutiny. In addition to direct requests to remove names from dockets, there are also more subtle and potentially damaging means of concealing court records from public view. Namely, EU citizens can use Google’s EU Privacy Removal request to remove search results containing court records and the only recourse available for legal tech companies is submitting an appeal after the fact to have their webpage reinstated.

Beyond the Bujaldon’s of the world, consider how EU attorneys could use GDPR to their advantage. Using “right to be forgotten” demands, along with Google’s EU Privacy Removal requests, EU attorneys could seek to obscure and remove cases from public review where they obtained poor results or may have committed malpractice. Though this may seem far removed from the typical uses of GDPR, attorneys in the US have already made unsuccessful attempts to remove their high profile briefs from public view arguing copyright privileges.

Taken to the extreme, the question left open is should an EU citizen convicted of murder in the US be able to use GDPR mechanisms to shroud court records from his or her criminal case and/or a wrongful death action brought by an aggrieved family? While the gut reaction for most would be to answer no, the balance set by GDPR weighs much more heavily in the individual’s privacy rights, leaving the public’s right to know left wanting.

A Step in the Right Direction: CCPA’s Safe Harbor Provision

Under CCPA, starting Jan. 1, 2020, any legal entity doing business in California that “collects personal information” and meets any of three specifically enumerated criteria is subject to the full requirements of CCPA. This includes responding to consumer requests about how their personal information is being used, halting the sale of personal information upon request, and providing means for consumers to submit CCPA requests.

As most court records contain personal information like names of parties involved, and most reputable court data providers meet at least one of the above mentioned criteria (i.e., sell access to court records containing personal information of 50,000+ consumers), a cursory reading of CCPA would conclude that court data providers doing business in California are in scope. However, CCPA makes a clear and important distinction between what is and is not “personal information,” by carving out “publicly available” information “lawfully made available from federal, state, or local government records.” CCPA also further qualifies that information is not publicly available if used for a purpose not compatible with why the data is maintained and made available in government records.

Assuming for argument’s sake that court records are lawfully published, publicly available information, the more important question for court data providers is whether they are using this data for a compatible purpose. Fortunately, both the U.S. Supreme Court and California Supreme Court have ruled squarely in favor of the public’s right to know and publish court records without fear of reprisal.

U.S. courts have long recognized that “What transpires in the courtroom is public property.” In Nixon v. Warner Communications, Inc., the U.S. Supreme Court unequivocally stated: “It is clear that the courts of this country recognize a general right to inspect and copy public records and documents, including judicial records and documents.” More directly linked to CCPA’s balancing of individual privacy rights and access to publicly available information, the Supreme Court’s ruling in Cox Broadcasting Corp. v. Cohn solidifies the Court’s stance on publishing information made available in court records.

In Cox Broadcasting, a murdered rape victim’s name was listed in the public indictment of her attacker and later broadcasted by a reporter who accessed the indictment. The victim’s father then sued for invasion of privacy based on a Georgia statute making it a misdemeanor to publish a rape victim’s name, winning at the trial court level and up through to the Georgia Supreme Court. Though the U.S. Supreme Court recognized the anguish of the victim’s father and noted the “strong tide” running in favor of privacy rights, it reversed the Georgia Supreme Court, ruling that “States may not impose sanctions on the publication of truthful information contained in official court records open to public inspection.”

Moreover, the California Supreme Court has ruled that public access to civil proceedings serves to demonstrate that justice is meted out fairly, provides a means for citizens to scrutinize and check possible abuses of judicial power, and enhances the truth finding function of proceedings. Among the many other California state rulings in favor of public access to court records, the California Court of Appeals has also held that “The law favors maximum public access to judicial proceedings and court records,” as “judicial records are historically and presumptively open to the public and there is an important right of access which should not be closed except for compelling countervailing reasons.”

With strong case law favoring public access to court records and the California Constitution’s assertion that “the writings of public officials and agencies shall be open to public scrutiny,” a strong presumption emerges that publishing court records for public consumption is a compatible purpose contemplated by CCPA. While there will likely be future discussions and debates surrounding the applicability of CCPA to public records, the safe harbor for publicly available information strikes an important balance tempering individual privacy rights with the public’s right to know.

A Way Forward for GDPR

The path forward for balancing GDPR privacy protections with public access to court records begins with strengthening existing concepts already included in Article 86 and Recital 154 of GDPR and the “PSI Directive.” Both Article 86 and Recital 154 specifically authorize Member States to write laws to “reconcile public access to official documents and the reuse of public sector information with the right to the protection of personal data.” Unfortunately, they do not require Member states to develop laws establishing public access to official documents, and adoption of new legislation appears sporadic.

The PSI Directive (as amended), similarly recognizes the importance of re-using public sector information as a source of innovation and goes well-beyond the reaches of Article 86 and Recital 154 by “creating a common legal framework for a European market for government-held data.” But while built on the twin pillars of “transparency and fair competition,” the PSI Directive falls flat on protecting access to public records and court records, as it largely provides regulations focused on economic aspects of the re-use of information within the EU market.

No matter the vehicle used to level-set the right to be forgotten, the central and more extreme question remains, should EU citizens convicted of murder, arson, or even terrorism be able to use the sword and shield of GDPR to conceal their crimes from public scrutiny. Amidst continued pushes to solidify individual rights governing “personal information” contained in public records, a countervailing argument and a compelling narrative is needed to protect the right to know.



Jeff Cox is the Director of Content & Data Acquisition for UniCourt, a SaaS offering using machine learning to disrupt the way court records are organized, accessed, and used. Jeff is a Florida attorney, who loves all things legal tech and volunteering with local legal aid programs in Tampa.