In a landmark decision, the Georgia Supreme Court has expanded the Georgia Open Records Act (the Act) to include private businesses and contractors working with state and local government entities. The ruling in Milliron v. Antonakakis clarifies that public records held by nongovernment entities are subject to the same transparency requirements as government agencies. Consequently, businesses in sectors like construction, IT, health care, and consulting must navigate the Act’s complexities to avoid liability. This article explores the court’s decision and offers practical steps for compliance. For more insights, listen to our latest Regulatory Podcast episode, “Unveiling the Impact: How Georgia’s Open Records Act Affects Private Businesses.”
During my first three months as chief legal counsel to the Governor of Georgia, my office received more open record requests than previous governors did in any year of their respective terms. To say I became familiar with the Act[1] is an understatement.
When I transitioned from the public sector to a private law firm, I thought my days of responding to open records requests were over. However, the recent opinion from the Georgia Supreme Court suggests otherwise.
On August 13, the court issued an opinion in Milliron v. Antonakakis, clarifying the Act applies to public records held by nongovernment entities, including private companies and persons serving as contractors for public agencies, and that citizen requests for public records may be submitted directly to businesses.[2]
Notably the Act applies to state, county, and municipal governments in Georgia.[3] The breadth of the Act in light of this opinion means that now many construction, IT, health care, environmental, and consulting companies, as well as many small businesses are now subject to the Act and may be held civilly or criminally liable if they do not act in compliance with the law.[4]
However, there is a playbook you can utilize to ensure your business remains in compliance with the Act.[5]
At its core, the Act is designed to promote transparency in government operations by granting the public the right to request, copy, and inspect all “public records” maintained by state or local government agencies.[6] Open records requests may be made by anyone, regardless of residency or purpose, to an agency in possession of the records.[7] The agency must then turn over the records within a reasonable amount of time — no more than three business days — subject to some exceptions.[8] If an agency fails to comply with a written request, it can face civil or criminal liability.[9]
The law applies broadly to all entities that are an “agency” of the state, county, or municipal government in Georgia, including, but not limited to: every state department; every county, city, or school district; every local authority; as well as nonprofit organizations deriving substantial agency funding.[10]
Now, Georgia’s highest court established that the law applies to private businesses too.[11]
The new ruling means that it’s not only the agencies themselves that are obligated to produce public records in response to requests — businesses working with state or local government entities are legally obligated to produce public records as well. [12]
The law’s scope came into question after a Georgia Tech professor declined an open records request to search his private email account for “public records” pertaining to his service to the university.[13] In addition to being employed by the state, the professor had two private businesses that worked “for the benefit” of Georgia Tech.[14] The citizen seeking the records sued to force the professor to hand over the emails, arguing that, in his capacity as a private contractor to Georgia Tech, he possessed public records that must be made available upon request under the Act.[15] The Georgia Supreme Court agreed.
So, what does this mean for private entities working with agencies? It means that both individuals and businesses with state or local government contracts in Georgia must comply with the Act or risk facing civil or criminal liability. In short, the opinion stated:
- Records held by a business related to services for a public agency are subject to the Act; and
- Requests to produce these records can be made directly to private businesses working for the agency.[16]
Most importantly, the decision established that legal action to enforce compliance with the Act can be brought directly against business with qualifying records.[17]
However, just because you contract with the government does not mean you are exposed to liability. Responsible persons and businesses must be performing a government function or otherwise hold public records. Determining exposure requires a fact intensive analysis.[18] For example, business logic on processing systems may not create public records, but a report sent to an agency by a business may be public under the Act, including supporting documents and previous drafts held exclusively by a private business.[19] This may even extend as far as the internal communications by employees of the business.
The court left many questions unanswered: the opinion is silent as to whether businesses should designate open records officers to manage requests pursuant to the Act, or if an entire organization is liable when only one employee uses organizational resources to service as a subcontractor. Additionally, it is unclear whether businesses may charge for production of records like a government agency, how exceptions will be applied, whether businesses or individuals will be held responsible for violations, and what scope of email, text, or other app-based communications between private employees may be subject to public disclosure.
These unanswered questions suggest the court will be faced with future challenges that will test the limits of the Act under this new application. Success for private businesses means ensuring compliance with the Act to the extent possible and not becoming an exemplar of noncompliance in future litigation.
Despite the lack of clarity, there are steps businesses can take to prevent risks of violation. It is important for any person or company doing business with any Georgia government to survey their relative exposure and make a plan. Below are some general considerations that create a baseline for ensuring compliance with the Act.
- Companies should identify their engagement with the government to determine whether they are subject to the Act given the decision in Milliron. Notably, not every business that contracts with a government will be considered a private contractor. To be considered subject to the Act, a business must prepare, maintain, or receive records “in the performance of a service or function for or on behalf of an agency.”[20] In other words, a business must prepare, maintain, or receive public records from an agency to be subject to the Act.
- Companies must identify what records are public records versus what records are not. As stated earlier, this is a fact-intensive analysis. Businesses should look at what divisions of their company engage with a government agency and then what records contained within that division constitute “material prepared and maintained…in the performance of a service or function for or on behalf of an agency.”[21] It is important to note here that records take many forms, including “documents, papers, letters, maps, books, tapes, photographs, computer based or generated information, data, data fields, or similar material…”[22]
- Anyone subject to the Act must know what record retention requirements apply to them based on the schedules set by the State Records Committee. This small administrative board controls and updates retention requirements that are specific to the types of documents and applies those requirements differently agency by agency. Failure to retain a document pursuant to its applicable retention schedule may constitute a violation of the Act.
- After ascertaining what records must be retained and for how long, it is prudent for covered businesses to establish a process for handling open records requests. This process will likely involve designating a public records officer, granting access controls to certain documents or data, separating unrelated records, and developing a protocol for handling requests when they are submitted to ensure timeliness under the statute.
- Companies must also be aware of the exceptions contained within the Act. There are 50 enumerated exceptions to the disclosure of certain records, and within those exceptions, specific provisions that apply to certain information. It is essential not only for compliance, but also to ensure confidentiality of nonpublic information, that you are fully trained on what exceptions may apply to you and how to properly redact or withhold that information in responding to a request.
- Finally, you must train your employees. Once all these steps are in place, it is critical you instruct every employee who may engage with these records or who may receive an open records request how to process the request and which persons must be involved to ensure compliance with the Act and with the specific parameters applicable to your business.
Understanding what you need to do to comply with the Open Records Act is essential to avoid criminal and civil penalties imposed by violations. With our step-by-step playbook, you can ensure you or your business are equipped to navigate a changing landscape for private companies in Georgia.
Troutman Pepper’s Public Records team is here to assist you every step of the way, offering expert guidance and tailored solutions to ensure full compliance with the Act. Let us help you mitigate risks and streamline your compliance process.
* Bridget Nabors, an associate with Troutman Pepper who is not licensed to practice law in any jurisdiction, contributed to this article.
[1] See O.C.G.A. § 50-18-70 et seq.
[2] Milliron v. Antonakakis, No. S24G0198, 2024 WL 3802782, at *1–2 (Ga. Aug. 13, 2024) (“[W]e conclude that the Open Records Act applies [to records held by private contractors] . . . [and that] a request for public records related to a private contractor’s services to a public agency can be served upon nonagency custodians of the relevant public records.”).
[3] See O.C.G.A. § 50-14-1(a)(1) (defining the term “agency”).
[4] Milliron, 2024 WL 3802782, at *15–16.
[5] Note that this article discusses Milliron v. Antonakakis in terms of impacted businesses, but the opinion makes clear that individuals have the same exposure and should take the same steps to avoid liability.
[6] O.C.G.A. § 50-18-70.
[7] O.C.G.A. § 50-18-71(a) (extending the right of access to individuals outside the state of Georgia).
[8] See O.C.G.A. § 50-18-71(b)(1)(A); § 50-18-72 (detailing when public disclosure of records is not required); see also § 50-18-71(d) (stating that an agency denying a request must do so in writing with the legal authority exempting the record from inspection).
[9] O.C.G.A. § 50-18-71(b)(3).
[10] O.C.G.A. § 50-14-1(a)(1).
[11] Milliron, 2024 WL 3802782, at *14–16.
[12] Id.
[13] Id. at *3.
[14] Id. at *4.
[15] Id. at *3.
[16] Id. at *15–16.
[17] Id. at *19–20 (“[A]n action to enforce compliance with the provisions of the Act may also be brought against persons or agencies having custody of records open to the public.”) (quotations omitted).
[18] Id. at *23 (remanding the case for the trial court to make a factual determination based on the Court’s interpretation of the Open Records Act).
[19] See generally O.C.G.A. § 50-18-72 (listing records not subject to the Open Records Act).
[20] Milliron, 2024 WL 3802782, at *14–15 (citing O.C.G.A. § 50-18-70(b)(2) and Smith v. Northside Hospital, Inc., 302 Ga. 517, 523 (2017)).
[21] O.C.G.A. § 50-18-70(b)(2).
[22] Id.