Yes, you are as far as I can see correct. The request should have been rejected as overbroad and against data privacy laws (in so far as they exist), or the purpose of the request could have been verified and then they might have seen whether or not there was another way to let the requester do their work without giving them the data they requested (see another comment of mine for one suggestion).
That's not how FOIA works. It's a good thing too. Government employees almost always fight FOIA requests. There aren't many subjective tools (e.g. overbroad) and you're certainly not required to say why you're making the request.
Data privacy laws in the US are unfortunately minimal. The bigger problem comes from imbalance -- if the government and corporations have lists of names, people need them to in order to be able to work together and organize.
If you don't think this information should go out in FOIA requests, the tool to accomplish that is data destruction. Government could wipe old emails once no longer relevant.
Email is really difficult because retention law and regulation is based on a topic.
To meet federal requirements, information about procuring equipment with certain grants must be maintained for 10 years. Caseworker notes for a minor who is a ward of the state may be required to be kept for 20 years after the 18th birthday.
If a record is deemed in scope and topical, an employee could be committing a crime by deleting that email. As a result, the easy answer is retain.
Commercial organizations at least are known to implement maximum allowed retention strategies, such as having their staff not keep archived email beyond three months, presumably so it doesn't embarrassingly show up when it's legally unfavorable. Not quite the same, but along the same lines.
No, the Washington State law does not allow for agencies to reject requests on the basis of being overly broad or against data privacy laws. There are specific exemptions (e.g. library records), and for records that may contain personal info (like someone emailing the mayor and including their own credit card number), it is up to the agency to redact such info. However, the agency can charge the requester for that work.
Moreover, the requester is not required to give a reason for the request.
Ok, so in that case redaction would have been the way to go here. But the request as it is actually harms the privacy of large numbers of individuals which is not what the FOI laws are supposed to be used for.
Also, of course Seattle could reject the request, they could simply say: "Without an explicit court order to release this information we will not do so", and that would be that. It would then be upon the petitioner to ask the courts to force the release of the information requested, if the petitioner felt his rights had been violated. In the present situation the city is opening itself up to liability because of the privacy of all the people they have exposed (and more so because of the mistake). FOI does not mean 'every piece of data the government has should be released to the requester', the goal is increased transparency of government, not privacy violation of citizens using the FOI requests as an end-run around any kind of privacy law.
There is a tension between those two and typically the legal branch will determine where exactly the line is, when in doubt: go to court.
But Seattle cannot summarily reject the request -- they have to follow the law, and the law does not require FOI requesters to get an explicit court order, e.g. a subpoena, for this information or for any other valid request. I mean, yes, the city of Seattle could try to reject the request, and the requester could sue and win in court after the judge finds that the city acted illegally. But that's like saying Seattle police "can" just arbitrarily arrest and imprison people, and fight the subsequent lawsuits.
Because the FOI law exists, the city does not open itself to liability in releasing records, except when it accidentally releases records that are mandated to be private, which I'm not even sure is the situation here.
Increased transparency is almost always a tradeoff with privacy. I don't disagree with you that the law may be abused for commercial or malicious intent, but it is up to the legislature to propose a bill that curbs FOI. Until then, the government cannot just deny valid requests because they don't approve of the requester or the requester's purported motives.
That's the key bit right there. So, if you are not sure - and they are also not sure - then they could ask for a ruling before releasing. Err on the side of caution is good practice when it comes to releasing data.
I just looked at the dataset and it is full of information that I would normally consider to be private, which private citizens contact which government officials and when is in principle not something that should be disclosed to all callers in a format of their choosing.
What's to stop you from asking for stuff that infringes other people's privacy? I'm all for a more open government but 'anything goes' FOI requests are only a little bit less dangerous than non-transparency.
Sorry, what I'm not sure about is whether an agency is liable if it releases exempt information. Exemptions allow an agency to deny a request, but the agency still has discretion whether or not to follow the exemption.
> So, if you are not sure - and they are also not sure - then they could ask for a ruling before releasing. Err on the side of caution is good practice when it comes to releasing data.
Again, that is simply not how the law works. Some years ago, elected Washington state legislators and the governor decided the law should make these tradeoffs between transparency and privacy. And until subsequent legislators get together and decide otherwise, that is the law of the land. Washington government agencies do not have discretion to reject requests based on requester identity or motivation, period, nor can they make up their own reasons for exemptions.
The "middle ground" has already been decided -- that's ostensibly how the law got written and signed in the first place. Your line of argument would allow literally any government employee to make arbitrary rejections -- the law was codified to prevent exactly that situation.
Your concerns are no different than concerns raised about freedom of speech and the press (and of course, the right to bear arms, but let's not follow that tangent for now) -- e.g. "I'm all for people being able to express themselves, but what if those people say incredibly hurtful and damaging things?". The legislature can pass laws that limit those rights (e.g. defamation laws), and courts interpret whether those laws follow the Constitution, but it is not up to the executive branch (i.e. government agencies) to ignore the law because they disagree with it.
No, but they should decide based on the data requested. And in this case the data requested is none of the requesters business since it involves the privacy of other citizens.
Which definitely could be in contravention of other laws and in cases like that judges usually get to decide which weighs heavier. If I were a civil servant faced with a request that releases information that I felt would infringe on some other law I would definitely not decide to be the one to make the call and release it without a sign-off.
I agree with this -- of course a request can be rejected if it requests something that is explicitly exempted in the law. The metadata of emails to public agencies is currently not exempt from Washington state law.
> And in this case the data requested is none of the requesters business since it involves the privacy of other citizens.
OK, but that is not your or the state government's decision to make. The law does not allow for the government to make a unilateral judgment on whether something is "none of the requesters business" -- isn't it patently obvious how this could be abused?
> If I were a civil servant faced with a request that releases information that I felt would infringe on some other law I would definitely not decide to be the one to make the call and release it without a sign-off.
Sure, if you don't know the law exactly (most employees don't), then you consult your agency's FOI officer, who would then tell you whether the request is valid. If it is valid, and you decide to reject it anyway, you'd probably be fired (I don't think most state FOI laws provide criminal penalties for violating FOI).
I'm not a Washington historian, but I'm assuming the FOI law was passed because legislators had actual scenarios and use-cases in mind. For example, being able to request the emails sent and received by a government employee is useful if you want to know who contacted that employee about an issue, such as a regulatory enforcement action. Maybe there are clear-cut cases where a received email is obviously not work or issue-related, such as emails from that employee's mom. But what if the mom is herself a lobbyist or other influential official? Or how about an email from a guy talking about going golfing and getting a few beers? Is that just personal? What if the guy emails every week about going golfing on his dime, and the guy happens to be a businessperson waiting for regulatory approval on some project?
Apparently, the myriad of ways for unwanted behavior to be expressed via email are so plentiful that legislators decided to err on the side of transparency, because it would be too easy for officials to shut down requests and deny transparency all but to those with the means to sue (usually, corporations and journalists). It is not up to a civil servant to decide otherwise; likewise, the law protects the civil servant from liability for following a lawful request.
Say an ex finds the new address of a former partner then goes around and shoots them dead.
BTW I am not being hyperbolic here there was a case where this happened when I worked for BT - someone as a favor looked someone's new address up for a friend which resulted in a murder.
The scenario you propose is possible through using Google, and/or many other services that collate public records of people's names and addresses. Try Googling your name and one of your cities of residence some time.
> someone as a favor looked someone's new address up for a friend which resulted in a murder.
A government employee who looks up someone's address for a friend is not covered by FOI laws. Just as FOI doesn't protect cops who use the DMV database to look up other cops they like/hate:
FOI is a law mandating these public records be provided on request -- with various exemptions and allowances for redacting information that could be reasonably seen as a violation of privacy. It's not about being "somehow better", because legislators have deemed that bureaucrats cannot be trusted to decide whether transparency is a good thing.
Consider the example you brought up -- it is against the law for a state employee to send a friend that kind of information, and I imagine that that law exists because politicians feared that kind of murderer scenario. How exactly does that murderer use a cache of email metadata and redacted messages to go after his victim?
