This writ proceeding raises weighty questions of first impression, which illuminate tensions between federal homeland security provisions and our state’s open public record laws. This proceeding also requires us to consider a state law exemption allowing nondisclosure in the public interest; the impact of copyright claims on disclosure; and the extent to which charges for electronic public records may exceed reproduction costs. After analyzing these important and novel issues, we conclude that the law calls for unrestricted disclosure of the information sought here, subject to the payment of costs to be determined by the trial court.
…
On June 12, 2006, CFAC submitted a request for a copy of the County’s geographic information system (GIS) basemap. The request was made under the California Public Records Act (CPRA), Government Code section 6250 et seq. Two weeks later, the County denied the request, citing statutory exemptions and copyright protection. On August 16, 2006, CFAC renewed its request for the GIS basemap, with some modifications. Later that month, the County denied the renewed request.
…
As indicated above, the County offers three grounds to support its petition, which asserts trial court error in mandating disclosure of its GIS basemap.
The County’s first argument relies on federal law, including the Critical Infrastructure Information Act of 2002. According to the County, that statute and its accompanying regulations preempt state law. And under those superseding federal provisions, disclosure of the GIS basemap is prohibited, because it has been validated by the United States Department of Homeland Security as protected critical infrastructure information.
The County’s second argument is based on state law, the CPRA. According to the County, even if the CPRA is not preempted by federal law, its “catchall” exemption shields the GIS basemap from public disclosure.
As the third ground for its petition, the County posits that even if neither preemption nor exemption supports nondisclosure, it should be allowed (a) to demand end user agreements, because the GIS basemap is copyrightable, and (b) to recover more than its direct cost of providing the record, based on a provision of the CPRA.
…
The federal statute at issue here is the Critical Infrastructure Information Act of 2002 (CII Act)…. The CII Act is part of the Homeland Security Act of 2002, which established the Department of Homeland Security (DHS)….Within the DHS, Congress established an Office of Intelligence and Analysis and an Office of Infrastructure Protection…. The statutory responsibilities associated with those offices include carrying out “comprehensive assessments of the vulnerabilities of the key resources and critical infrastructure of the United States,” and developing “a comprehensive national plan for securing the key resources and critical infrastructure of the United States, including power production, generation, and distribution systems, information technology and telecommunications systems (including satellites), electronic financial and property record storage and transmission systems, emergency preparedness communications systems, and the physical and technological assets that support such systems.”…
…
At the heart of the CII Act is the protection of critical infrastructure information (CII), statutorily defined as “information not customarily in the public domain and related to the security of critical infrastructure or protected systems … .”
….
The CII Act contains a section aimed at protecting voluntarily shared CII. …Concerning the disclosure of such information, it provides in pertinent part: “Notwithstanding any other provision of law, critical infrastructure information (including the identity of the submitting person or entity) that is voluntarily submitted to [the DHS] for use by that agency regarding the security of critical infrastructure and protected systems … [¶] (A) shall be exempt from disclosure under … the Freedom of Information Act …” and “(E) shall not, if provided to a State or local government or government agency … [¶] … be made available pursuant to any State or local law requiring disclosure of information or records.”…
The CII Act directs the Department of Homeland Security to “establish uniform procedures for the receipt, care, and storage by Federal agencies of critical infrastructure information that is voluntarily submitted to the Government.” …It further provides that those procedures “shall include mechanisms” for “the protection and maintenance of the confidentiality of such information so as to permit the sharing of such information within the Federal Government and with State and local governments, and the issuance of notices and warnings related to the protection of critical infrastructure and protected systems, in such manner as to protect from public disclosure the identity of the submitting person or entity, or information that is proprietary, business sensitive, relates specifically to the submitting person or entity, and is otherwise not appropriately in the public domain.”
…
The federal regulations implementing the CII Act are found in the Code of Federal Regulations, volume 6, part 29 (2009). Those regulations are intended to implement the federal statute “through the establishment of uniform procedures for the receipt, care, and storage of Critical Infrastructure Information (CII) voluntarily submitted to the Department of Homeland Security (DHS).”
…
As stated in the regulations: “Consistent with the statutory mission of DHS to prevent terrorist attacks within the United States and reduce the vulnerability of the United States to terrorism, DHS will encourage the voluntary submission of CII by safeguarding and protecting that information from unauthorized disclosure and by ensuring that such information is, as necessary, securely shared with State and local government pursuant to … the CII Act. As required by the CII Act, these rules establish procedures regarding: … [¶] … The receipt, validation, handling, storage, proper marking and use of information as PCII … .”
…
PCII (protected CII) is CII that has been validated by DHS….
Among the regulations is one relied on by the County, which states that PCII “shall be treated as exempt from disclosure under the Freedom of Information Act and any State or local law requiring disclosure of records or information.” …
…
We agree with CFAC that the pertinent question here is not whether federal homeland security law trumps state disclosure law. Instead, the analysis in this case turns on whether the federal act and accompanying regulations apply at all. As we now explain, we conclude that the CII Act does not apply here because the County is a submitter of CII, not a recipient of PCII. Given that conclusion, we need not consider whether the CII Act preempts the CPRA.
…
In undertaking our statutory analysis, we begin by examining the language of the relevant provisions….Statutory interpretation presents a legal question, which we decide de novo….The CII Act provides that CII that has been voluntarily submitted “shall be exempt from disclosure” under the federal Freedom of Information Act….As more particularly relevant here, it also prohibits disclosure of PCII “pursuant to any State or local law requiring disclosure of information or records”—but only “if provided to a State or local government … .”…
We are not aware of any case law interpreting this provision. But the regulations promulgated under the CII Act bear out the statute’s apparent distinction between the submission of CII and the receipt of PCII, as we now explain.
We begin with the specific regulation cited by the County, 6 Code of Federal Regulations, part 29.8 (2009). Subdivision (g) of that regulation provides in part that PCII “shall be treated as exempt from disclosure under the Freedom of Information Act and any State or local law requiring disclosure of records or information.”…We acknowledge that subdivision (g) does not distinguish between CII submitters and PCII recipients. But another subdivision of this regulation does reflect that distinction.
Subdivision (b) of 6 Code of Federal Regulations, part 29.8 thus states in pertinent part: “PCII may be provided to a state or local government entity for the purpose of protecting critical infrastructure or protected systems … .”…“The provision of PCII to a State or local government entity will normally be made only pursuant to an arrangement with the PCII Program Manager providing for compliance … and acknowledging the understanding and responsibilities of the recipient. State and local governments receiving such information will acknowledge in such arrangements the primacy of PCII protections under the CII Act …” and “agree to assert all available legal defenses to disclosure of PCII under State, or local public disclosure laws, statutes or ordinances … .” …
This emphasis on recipients of PCII also appears at subdivision (d) of the same regulation, which provides: “State and local governments receiving information marked ‘Protected Critical Infrastructure Information’ shall not share that information …” except as allowed by the regulations. On the subject of enforcement, subdivision (d) of the next regulation states: if the PCII Program Manager determines that an entity or person who has received PCII has violated the provisions of this Part or used PCII for an inappropriate purpose, the PCII Program Manager may disqualify that entity or person from future receipt of any PCII or future receipt of any sensitive homeland security information … .”
…
Other regulations reflect the same dichotomy between the submission of CII and the receipt of PCII, as the following excerpts demonstrate. HN13
“The regulations in this Part apply to all persons and entities that are authorized to handle, use, or store PCII or that otherwise accept receipt of PCII.” (6 C.F.R. § 29.1(b) (2009), italics added.) HN14
The preamble to the final regulations likewise confirms the submitter/recipient distinction. For example, it clarifies that “State, local and tribal contractors” are not “precluded from receiving PCII” and it notes a change in the final regulations “to permit employees of Federal, State, local, and tribal contractors who are engaged in the performance of services in support of the purposes of the CII Act, to communicate with a submitting person … when authorized by the PCII Program Manager or … designee.” (71 Fed.Reg., supra, at p. 52269, italics added.)
Taken as a whole, this consistent and pervasive regulatory language supports our construction of the relevant provision of the CII Act, 6 United States Code section 133(a)(1)(E)(i). [**23] As we interpret that provision, HN17
This interpretation is also consonant with other aspects of the statute and regulations, particularly those that limit the uses of PCII in the hands of governmental recipients. As provided in the statute, PCII provided to a state or local government or agency shall not “be used other than for the purpose of protecting critical infrastructure or protected systems, or in furtherance of [*1319] an investigation or the prosecution of a criminal act.” (6 U.S.C. § 133(a)(1)(E)(iii).) The regulations are to the same effect: “A Federal, State or local agency that receives PCII may utilize [**24] the PCII only for purposes appropriate under the CII Act, including securing critical infrastructure or protected systems.” (6 C.F.R. § 29.3(b) (2009).) If the GIS basemap constitutes PCII in the County’s hands, as it maintains, then federal law strictly restricts use of that data to the narrow purposes enumerated in the CII Act.
In sum, we conclude that HN18
A Member of the Law Professor Blogs Network