EFF is filing an amicus letter in support of a petition for review, asking the California Supreme Court to overturn a harmful appellate court decision in Sander v. State Bar of California that could prevent people from requesting public records from databases that contain private information, even if the requesters specifically ask for private information to be anonymized.
The First District Court of Appeal issued an opinion in August that effectively rewrites the California Public Records Act (CPRA) in a way that could limit Californians’ access to the vast amount of public data that state and local agencies are generating on our behalf. The court ruled that requiring the State Bar of California to de-identify personal information that could be linked to specific bar applicants creates a “new record” because it requires the State Bar to “recode its original data into new values.”
The petition raises “an important question of law” that the California Supreme Court must settle: does anonymization of public data amount to a creation of new records under the CPRA? If the appellate court’s opinion becomes the standard across California, the holding would undermine the purpose of the CPRA–the right to access government data and records in order to understand what the government is doing and allow oversight to prevent government inefficiencies or malfeasance. This is especially important today as modern governments generate and consume vast amounts of digital data about members of the public.
This case has been at the California Supreme Court before. Last time, the court acknowledged how useful this data is to the public, saying: “it seems beyond dispute that the public has a legitimate interest in whether different groups of applicants, based on race, sex or ethnicity, perform differently on the bar examination and whether any disparities in performance are the result of the admissions process or of other factors.” But when the case proceeded to trial, the superior court mistakenly placed the burden on the petitioners to show it was possible to de-identify this data. However, under the CPRA, when the government refuses to disclose records requested by the public, government agencies must show the court that it is not possible to release data and protect private information at the same time.
Interestingly, another superior court in California has ruled the opposite way, preserving the ability to access data by requiring government agencies to anonymize sensitive information under the CPRA. In Exide Technologies v. California Department of Public Health, the superior court in Contra Costa allowed protocols for de-identification that require the agency to manipulate existing public records to produce information. In that case, the court ruled that the state must share the investigations of blood lead levels in a format that serves the public interest in government transparency (by disclosing non-exempt information) while at the same time protecting the privacy interests of individual lead-poisoning patients (by withholding exempt information). The court recognized the state legislature’s finding that “knowledge about where and to what extent harmful childhood lead exposures are occurring in the state could lead to the prevention of these exposures, and to the betterment of the health of California's future citizens.”
This uncertainty of how to treat data disclosure and anonymization creates a need for the California Supreme Court to settle how agencies should handle sensitive digital information under the CPRA. The more data that the state collects from and about members of the public, the more important access to this data and oversight of agency practices becomes. But saying that good data-management practices like anonymization and de-identification create “new records” that can’t be disclosed compromises California’s fundamental commitment to transparency, accountability, and access to public information.