
Electronic Privacy Information Center v. United States Drug Enforcement Administration

United States District Court, District of Columbia

September 13, 2016



          CHRISTOPHER R. COOPER United States District Judge.

         Before developing or procuring new information technology that involves the collection of identifiable personal information, federal agencies must assess how that technology will affect citizens' civil liberties and privacy. Plaintiff Electronic Privacy Information Center (“EPIC”) submitted a two-part Freedom of Information Act request to the Drug Enforcement Administration to obtain all such privacy assessments prepared by the agency. After considerable back-and-forth on search parameters and results, EPIC eventually received ten pages of responsive records from the DEA and 13 pages of records from the Department of Justice's Office of Privacy and Civil Liberties (“OPCL”), which coordinates privacy assessments for all DOJ components including the DEA. Believing that it has fulfilled its FOIA obligations, the DEA has moved for summary judgment. EPIC has challenged the adequacy of the DEA's searches in its own cross-motion for summary judgment. Because the DEA's declarations establish the reasonableness of its initial searches but not its supplemental search for four specific programs, the Court will grant in part and deny in part the DEA's motion, deny in part and reserve judgment in part on EPIC's cross-motion, and direct the DEA to conduct a limited additional search.

         I. Background

         EPIC is a public-interest research organization based in Washington, D.C. Pl.'s Compl. (“Compl.”) ¶ 4. Through its print and online publications, EPIC distributes reports “analyz[ing] the impact of government programs on civil liberties and privacy interests.” Id. In February 2015, EPIC submitted a FOIA request to the DEA seeking the following records:

Part 1: All Privacy Impact Assessments (“PIAs”) the DEA has conducted that are not publicly available at; and
Part 2: All Privacy Threshold Analysis (“PTA”) documents and Initial Privacy Assessments (“IPAs”) the DEA has conducted since 2007 to present.

Def.'s Statement of Material Facts (“DSOF”) ¶ 1. Agencies must generate a Privacy Impact Assessment (“PIA”) when “initiating a new collection of information” or “developing or procuring information technology that collects, maintains, or disseminates information that is an identifiable form.” E-Government Act of 2002, Pub. L. 107-347, § 208, 116 Stat. 2899, 2921 (2002). The OPCL assists DOJ components, like the DEA, “by assessing the need to conduct a PIA through the Initial Privacy Assessment (“IPA”) process.” Pl.'s Opp'n & Cross-Mot. Summ J. (“Pl.'s Opp'n”), Ex. 2 at 4. This initial assessment, previously known as the Privacy Threshold Analysis (“PTA”), identifies privacy concerns surrounding the technology and informs the decision of whether additional privacy assessments, like a final PIA, will be necessary before the agency can implement a data collection program or IT system. Compl. ¶ 11. If the OPCL determines a PIA is needed, the agency must submit the assessment for final OPCL approval and, if practicable, publicly post it before the system is operational. Id. ¶¶ 13, 15. The PIA remains online as long as the program is in use. Decl. Katherine L. Myrick Supp. Def.'s Mot. Summ. J (“First Myrick Decl.”) ¶ 16.

         The Chief Information Officer Support Unit (“CIOSU”), housed in the DEA's Office of Information Systems, manages the “day-to-day implementation of and compliance” with the agency's privacy assessment requirements. Decl. Katherine L. Myrick Supp. Def.'s Reply Mot. Summ. J. (“Second Myrick Decl.”) ¶ 6. The CIOSU is the DEA's point-of-contact for the OPCL and acts as a liaison between the OPCL and the DEA's Senior Component Official for Privacy (“SCOP”). The SCOP is responsible for approving PIAs before the CIOSU submits them to the OPCL for final authorization. First Myrick Decl. ¶ 10. The CIOSU then “transmit[s], publish[es] online, and store[s] record copies of final DEA PIAs.” Second Myrick Decl. ¶ 6.

         DEA, accordingly, charged the CIOSU with leading the search for the requested records and providing responsive records to EPIC. Def.'s Mem. Supp. Mot. Summ. J. 2. The CIOSU reached out to EPIC to clarify if EPIC sought only final privacy assessments, or draft versions as well. First Myrick Decl. ¶ 11. EPIC responded that it was only interested in the final versions. Id. The CIOSU then crafted a search tailored to EPIC's request: For Part 1 of the request, the CIOSU searched its paper files; its SharePoint site, a network drive shared by DEA components with IT responsibilities; relevant staff email; and its Share Drive, another network drive containing the CIOSU's most comprehensive collection of records and where privacy assessments are typically stored. Id. ¶ 18. It used the search terms “Privacy Impact Assessment” and “PIA” for all of the electronic databases; then, it winnowed the results by adding the search term “final.” The Share Drive search, and no others, yielded responsive records. Id. ¶ 19. As an added precaution, the CIOSU ran individual searches using terms derived from the letter containing EPIC's FOIA request.[1] Id. All but one of the PIAs uncovered were already public. The remaining PIA, for a program called Avue Digital Services, was released to EPIC. Id. ¶¶ 20-22.

         The CIOSU followed the same methodology for Part 2 of EPIC's request, searching the same databases in a similar manner. It used search terms (“Privacy Threshold Analysis,” “PTA,” “Initial Privacy Assessment,” “IPA,” and “,” the OPCL's email address) with “final” as an additional filter. Id. ¶ 24. And, again, it ran independent searches using the program names listed above. No final PTAs or IPAs turned up. Id. The CIOSU did find, however, 13 OPCL determination letters. Id. ¶ 25. The DEA told EPIC that IPAs and PTAs were essentially “working drafts” and that the final products from discussions with the OPCL were the determination letters themselves, which stated whether a final privacy assessment was needed before the system could be implemented. Id. EPIC chose to accept the OPCL determination letters in lieu of the PTAs and IPAs. Id. ¶ 26. Because the OPCL drafted these letters, the CIOSU sent the letters to the OPCL to review and release. The OPCL released 13 minimally redacted determination letters to EPIC in August 2015. Id. ¶¶ 30-32; see also Pl.'s Opp'n, Ex. 3. EPIC does not challenge these redactions. Joint Status Report 1, ECF No. 16.

         After reviewing the determination letters, EPIC challenged the sufficiency of the DEA's initial search. The determination letters showed that the OPCL had requested four PIAs from DEA that were not available online and had not been uncovered by the DEA's initial search. EPIC asked the DEA to locate them. First Myrick Decl. ¶ 32. The CIOSU re-ran its initial search, using the terms “PIA” and “final” to search its electronic databases; no new PIAs were uncovered. Id. ¶ 33.

         The DEA now moves for summary judgment on the grounds that it conducted a reasonable search and produced responsive records, thus fulfilling its obligations under FOIA. EPIC's cross-motion for summary judgment raises three main objections to the DEA's search:[2] (1) The DEA's search methodology was incomplete and not comprehensive, (2) the agency improperly limited the scope of its search by using unsuitable search terms, and (3) it should have altered its search approach when EPIC provided it evidence of unaccounted-for PIAs. Pl.'s Opp'n 7-8.

         II. Standard of Review

         Organizations invoke FOIA “to pierce the veil of administrative secrecy and to open agency action to the light of public scrutiny.” Am. Civil Liberties Union v. U.S. Dep't of Justice, 655 F.3d 1, 5 (D.C. Cir. 2011). The statute imposes a general obligation on the government to provide records to the public. 5 U.S.C. § 552(a). FOIA carves out explicit exceptions to this disclosure obligation, 5 U.S.C. § 552(b), but “[t]he basic purpose of FOIA is to ensure an informed citizenry, vital to the functioning of a democratic society, needed to check against corruption and to hold the governors accountable to the governed,” NLRB v. Robbins Tire & Rubber Co., 437 U.S. 214, 242 (1978). Congress did not ...
