Electronic Privacy Information Center v. United States Drug Enforcement Administration , 208 F. Supp. 3d 108 ( 2016 )


Menu:
  •                               UNITED STATES DISTRICT COURT
    FOR THE DISTRICT OF COLUMBIA
    ELECTRONIC PRIVACY
    INFORMATION CENTER,
    Plaintiff,                  Case No. 15-cv-00667 (CRC)
    v.
    UNITED STATES DRUG
    ENFORCEMENT ADMINISTRATION,
    Defendant.
    MEMORANDUM OPINION
    Before developing or procuring new information technology that involves the collection
    of identifiable personal information, federal agencies must assess how that technology will affect
    citizens’ civil liberties and privacy. Plaintiff Electronic Privacy Information Center (“EPIC”)
    submitted a two-part Freedom of Information Act request to the Drug Enforcement
    Administration to obtain all such privacy assessments prepared by the agency. After
    considerable back-and-forth on search parameters and results, EPIC eventually received ten
    pages of responsive records from the DEA and 13 pages of records from the Department of
    Justice’s Office of Privacy and Civil Liberties (“OPCL”), which coordinates privacy assessments
    for all DOJ components including the DEA. Believing that it has fulfilled its FOIA obligations,
    the DEA has moved for summary judgment. EPIC has challenged the adequacy of the DEA’s
    searches in its own cross-motion for summary judgment. Because the DEA’s declarations
    establish the reasonableness of its initial searches but not its supplemental search for four
    specific programs, the Court will grant in part and deny in part the DEA’s motion, deny in part
    and reserve judgment in part on EPIC’s cross-motion, and direct the DEA to conduct a limited
    additional search.
    I.      Background
    EPIC is a public-interest research organization based in Washington, D.C. Pl.’s Compl.
    (“Compl.”) ¶ 4. Through its print and online publications, EPIC distributes reports “analyz[ing]
    the impact of government programs on civil liberties and privacy interests.” 
    Id. In February
    2015, EPIC submitted a FOIA request to the DEA seeking the following records:
    Part 1: All Privacy Impact Assessments (“PIAs”) the DEA has conducted that are not
    publicly available at http://www.dea.gov/FOIA/PIA.shtml; and
    Part 2: All Privacy Threshold Analysis (“PTA”) documents and Initial Privacy
    Assessments (“IPAs”) the DEA has conducted since 2007 to present.
    Def.’s Statement of Material Facts (“DSOF”) ¶ 1. Agencies must generate a Privacy Impact
    Assessment (“PIA”) when “initiating a new collection of information” or “developing or
    procuring information technology that collects, maintains, or disseminates information that is an
    identifiable form.” E-Government Act of 2002, Pub. L. 107-347, § 208, 116 Stat. 2899, 2921
    (2002). The OPCL assists DOJ components, like the DEA, “by assessing the need to conduct a
    PIA through the Initial Privacy Assessment (“IPA”) process.” Pl.’s Opp’n & Cross-Mot. Summ
    J. (“Pl.’s Opp’n”), Ex. 2 at 4. This initial assessment, previously known as the Privacy
    Threshold Analysis (“PTA”), identifies privacy concerns surrounding the technology and
    informs the decision of whether additional privacy assessments, like a final PIA, will be
    necessary before the agency can implement a data collection program or IT system. Compl.
    ¶ 11. If the OPCL determines a PIA is needed, the agency must submit the assessment for final
    OPCL approval and, if practicable, publicly post it before the system is operational. 
    Id. ¶¶ 13,
    15. The PIA remains online as long as the program is in use. Decl. Katherine L. Myrick Supp.
    Def.’s Mot. Summ. J (“First Myrick Decl.”) ¶ 16.
    2
    The Chief Information Officer Support Unit (“CIOSU”)—housed in the DEA’s Office of
    Information Systems—manages the “day-to-day implementation of and compliance” with the
    agency’s privacy assessment requirements. Decl. Katherine L. Myrick Supp. Def.’s Reply Mot.
    Summ. J. (“Second Myrick Decl.”) ¶ 6. The CIOSU is the DEA’s point-of-contact for the OPCL
    and acts as a liaison between the OPCL and the DEA’s Senior Component Official for Privacy
    (“SCOP”). The SCOP is responsible for approving PIAs before the CIOSU submits them to the
    OPCL for final authorization. First Myrick Decl. ¶ 10. The CIOSU then “transmit[s],
    publish[es] online, and store[s] record copies of final DEA PIAs.” Second Myrick Decl. ¶ 6.
    DEA, accordingly, charged the CIOSU with leading the search for the requested records
    and providing responsive records to EPIC. Def.’s Mem. Supp. Mot. Summ. J. 2. The CIOSU
    reached out to EPIC to clarify if EPIC sought only final privacy assessments, or draft versions as
    well. First Myrick Decl. ¶ 11. EPIC responded that it was only interested in the final versions.
    
    Id. The CIOSU
    then crafted a search tailored to EPIC’s request: For Part 1 of the request, the
    CIOSU searched its paper files; its SharePoint site—a network drive shared by DEA components
    with IT responsibilities; relevant staff email; and its Share Drive—another network drive
    containing the CIOSU’s most comprehensive collection of records and where privacy
    assessments are typically stored. 
    Id. ¶ 18.
    It used the search terms “Privacy Impact Assessment”
    and “PIA” for all of the electronic databases; then, it winnowed the results by adding the search
    term “final.” The Share Drive search—and no others—yielded responsive records. 
    Id. ¶ 19.
    As
    an added precaution, the CIOSU ran individual searches using terms derived from the letter
    containing EPIC’s FOIA request.1 
    Id. All but
    one of the PIAs uncovered were already public.
    1
    The additional search terms included: Hemisphere, National License Plate Reader
    Initiative, LPR, DEA Internet Connectivity Endeavor, DICE, Special Operations Division, SOD,
    3
    The remaining PIA, for a program called Avue Digital Services, was released to EPIC. 
    Id. ¶¶ 20–22.
    The CIOSU followed the same methodology for Part 2 of EPIC’s request, searching the
    same databases in a similar manner. It used search terms—“Privacy Threshold Analysis,”
    “PTA,” “Initial Privacy Assessment,” “IPA,” and “privacy@usdoj.gov,” the OPCL’s email
    address—with “final” as an additional filter. 
    Id. ¶ 24.
    And, again, it ran independent searches
    using the program names listed above. No final PTAs or IPAs turned up. 
    Id. The CIOSU
    did
    find, however, 13 OPCL determination letters. 
    Id. ¶ 25.
    The DEA told EPIC that IPAs and
    PTAs were essentially “working drafts” and that the final products from discussions with the
    OPCL were the determination letters themselves, which stated whether a final privacy
    assessment was needed before the system could be implemented. 
    Id. EPIC chose
    to accept the
    OPCL determination letters in lieu of the PTAs and IPAs. 
    Id. ¶ 26.
    Because the OPCL drafted
    these letters, the CIOSU sent the letters to the OPCL to review and release. The OPCL released
    13 minimally redacted determination letters to EPIC in August 2015. 
    Id. ¶¶ 30–32;
    see also Pl.’s
    Opp’n, Ex. 3. EPIC does not challenge these redactions. Joint Status Report 1, ECF No. 16.
    After reviewing the determination letters, EPIC challenged the sufficiency of the DEA’s
    initial search. The determination letters showed that the OPCL had requested four PIAs from
    DEA that were not available online and had not been uncovered by the DEA’s initial search.
    EPIC asked the DEA to locate them. First Myrick Decl. ¶ 32. The CIOSU re-ran its initial
    search, using the terms “PIA” and “final” to search its electronic databases; no new PIAs were
    uncovered. 
    Id. ¶ 33.
    telecommunications metadata, telecommunications, and metadata. First Myrick Decl. ¶ 19.
    None of these searches produced responsive records. 
    Id. 4 The
    DEA now moves for summary judgment on the grounds that it conducted a
    reasonable search and produced responsive records, thus fulfilling its obligations under FOIA.
    EPIC’s cross-motion for summary judgment raises three main objections to the DEA’s search:2
    (1) The DEA’s search methodology was incomplete and not comprehensive, (2) the agency
    improperly limited the scope of its search by using unsuitable search terms, and (3) it should
    have altered its search approach when EPIC provided it evidence of unaccounted-for PIAs. Pl.’s
    Opp’n 7–8.
    II.     Standard of Review
    Organizations invoke FOIA “to pierce the veil of administrative secrecy and to open
    agency action to the light of public scrutiny.” Am. Civil Liberties Union v. U.S. Dep’t of
    Justice, 
    655 F.3d 1
    , 5 (D.C. Cir. 2011). The statute imposes a general obligation on the
    government to provide records to the public. 5 U.S.C. § 552(a). FOIA carves out explicit
    exceptions to this disclosure obligation, 5 U.S.C. § 552(b), but “[t]he basic purpose of FOIA is to
    ensure an informed citizenry, vital to the functioning of a democratic society, needed to check
    against corruption and to hold the governors accountable to the governed,” NLRB v. Robbins
    Tire & Rubber Co., 
    437 U.S. 214
    , 242 (1978). Congress did not intend, however, “to reduce
    government agencies to full-time investigators on behalf of requesters.” Judicial Watch v.
    Export-Import Bank, 
    108 F. Supp. 2d 19
    , 27 (D.D.C. 2000).
    FOIA cases are appropriately resolved at summary judgment. See Brayton v. Office of
    U.S. Trade Rep., 
    641 F.3d 521
    , 527 (D.C. Cir. 2011). In deciding a motion for summary
    2
    EPIC originally challenged the sufficiency of the DEA’s searches for responsive records
    to Part 1 and Part 2 of its FOIA request. It has since dropped its challenge to the DEA’s search
    for responsive records to Part 2 of its request. Pl.’s Reply Supp. Cross-Mot. Summ. J. 2.
    5
    judgment, the Court assumes the truth of the non-movant’s evidence and draws all reasonable
    inferences in the non-movant’s favor. See Anderson v. Liberty Lobby, Inc., 
    477 U.S. 242
    , 255
    (1986). When an agency’s search is questioned, it must show “beyond material doubt that its
    search was reasonably calculated to uncover all relevant documents.” Ancient Coin Collectors
    Guild v. U.S. Dep’t of State, 
    641 F.3d 504
    , 514 (D.C. Cir. 2011) (quoting Valencia-Lucena v.
    U.S. Coast Guard, 
    180 F.3d 321
    , 325 (D.C. Cir. 1999)) (internal quotation marks omitted). An
    agency’s search is judged by the individual circumstances of each case. See Truitt v. Dep’t of
    State, 
    897 F.2d 540
    , 542 (D.C. Cir. 1990). The central question is whether the search itself was
    reasonable, regardless of the results. See Cunningham v. U.S. Dep’t of Justice, 
    40 F. Supp. 3d 71
    , 83–84 (D.D.C. 2014). Agencies need not scour every database, but rather should conduct a
    “good faith, reasonable search of those systems of records likely to possess requested records.”
    
    Id. (quoting SafeCard
    Servs., Inc. v. SEC, 
    926 F.2d 1197
    , 1201 (D.C. Cir. 1991)). Agency
    declarations, especially from individuals coordinating the search, are accorded “a presumption of
    good faith, which cannot be rebutted by purely speculative claims about the existence and
    discoverability of other documents.” 
    SafeCard, 926 F.2d at 1200
    .
    Courts can decide—and award—summary judgment solely based on agency affidavits
    and declarations that are “relatively detailed and non-conclusory.” 
    Id. Important details
    include
    what records were searched, who did the search, and what search terms or processes were used.
    See Judicial Watch., Inc. v. Dep’t of the Navy, 
    971 F. Supp. 2d 1
    , 2 (D.D.C. 2013). A plaintiff
    can rebut an agency declaration by raising “substantial doubt[s] as to the reasonableness of the
    search, especially in light of ‘well-defined requests and positive indications of overlooked
    materials.’” 
    Cunningham, 40 F. Supp. 3d at 84
    (quoting Founding Church of Scientology of
    Washington, D.C. v. NSA, 
    610 F.2d 824
    , 837 (D.C. Cir. 1979)).
    6
    III.    Analysis
    As noted, EPIC contends the DEA’s search for final PIAs was unreasonable because it
    initially used an incomplete search methodology, unnecessarily limited the scope of the search,
    and did not modify its search once EPIC provided evidence of potentially additional PIAs.
    A.     Initial Search Methodology
    EPIC first maintains that performing a keyword search was unnecessary. In EPIC’s
    view, the DEA should have instead spoken with OPCL, CIOSU, and SCOP employees to
    determine the number and location of completed PIAs. The DEA—rightly—responds that
    conducting a reasonable search does not require involving external agencies or departments.
    Def.’s Reply Supp. Mot. Summ. J. 3–4. Even though both are parts of the Justice Department,
    the OPCL exists outside of the DEA. Thus, a search of the OPCL’s records is best initiated by
    directing a FOIA request to the OPCL itself, which EPIC did not do. See Campbell v. U.S.
    Dep’t of Justice, 
    133 F. Supp. 3d 58
    , 65 (D.D.C. 2015) (holding that the DOJ’s Criminal
    Division was not required to search the DEA for responsive records).
    More to the point, an agency’s search is reasonable if it is designed and likely to produce
    responsive records. See 
    id. at 64.
    The agency’s declarations show that the DEA’s initial search
    was just that. DEA chose the CIOSU to lead the search because of its familiarity and expertise
    with the agency’s compliance efforts and privacy documents. First Myrick Decl. ¶ 10. The
    CIOSU drafts, stores, and discusses privacy assessments with the OPCL. Second Myrick Decl. ¶
    6. Conversely, the SCOP only signs off on final PIAs before they are submitted to the OPCL.
    
    Id. Thus, the
    “CIOSU knows the locations where responsive [PIAs] are likely to be found.”
    First Myrick Decl. ¶ 10. The CIOSU searched its paper files, its Share Drive, its SharePoint site,
    and relevant staff electronic mail. And the search it designed was successful: It found PIAs, one
    7
    of which was not already posted online. Furthermore, the DEA explained why the CIOSU did
    not consult with the SCOP: “[T]here [was] no reasonable basis to believe that the SCOP would
    be able to identify the location of any additional final DEA PIAs that CIOSU personnel did not
    locate through the searches they already conducted based on their knowledge of, and experience
    with, privacy documentation requirements. . . .” Second Myrick Decl. ¶ 6. The DEA, not its
    FOIA requestors, is charged with determining the most effective way to search its records. EPIC
    has not provided any evidence undermining the DEA’s initial, good-faith assessment of how and
    where to search for responsive records.
    B.      Scope of Search
    EPIC next asserts that adding “final” as a search term resulted in underinclusive search
    results. EPIC’s main concern is that some requested records would not have “final” in the body
    of the text or in the attached message. It points to public PIAs that do not include “final” in the
    name or content. Pl.’s Opp’n 9–10. But the DEA had clarified with EPIC that it wanted only the
    final PIAs. First Myrick Decl. ¶ 11. And the CIOSU’s initial set of search terms included the
    words “Privacy Impact Assessment” and “PIA,” which yielded too many results including all
    draft PIAs and any document that mentioned a PIA in passing. Second Myrick Decl. ¶ 5. To
    find responsive records, the CIOSU added the term “final” because “[i]t is the customary
    practice of the CIOSU to use the word ‘final’ in the electronic file names of final, as opposed to
    draft, PIAs [in the Share Drive and SharePoint site].” 
    Id. The CIOSU
    also typically uses “final”
    in “electronic mail message[s] transmitting a final PIA.” 
    Id. Finally, the
    CIOSU conducted
    specific searches based on program names provided by EPIC without adding “final” as a search
    term. These searches yielded no additional results. 
    Id. This bolsters
    the DEA’s justification
    because searches without “final” as a search term did not generate different results. EPIC does
    8
    not respond to this argument and, in any event, has not raised substantial doubts about the scope
    of the DEA’s search.
    C.      Supplemental Search for Missing PIAs
    The final issue before the Court is what obligations DEA was under to continue searching
    once EPIC provided evidence of missing PIAs. EPIC reviewed the 13 OPCL determination
    letters and found that the OPCL had required the DEA to perform a PIA for four technology
    systems.3 These (potential) PIAs were not online and had not previously been provided to EPIC.
    Pl.’s Opp’n 10–11. EPIC requested that the DEA perform a supplemental search to uncover
    them. The CIOSU re-ran its initial search with the same results. EPIC rejects this latter search
    as unreasonable.
    A FOIA plaintiff can undermine the adequacy of an agency’s search if it shows that the
    agency failed to follow a “clear and certain” lead. See Mobley v. C.I.A., 
    806 F.3d 568
    , 582
    (D.C. Cir. 2015). “Such leads may indicate, for example, other offices that should have been
    searched, additional search terms that should have been used, or records custodians who should
    have been consulted.” Coleman v. DEA, 
    134 F. Supp. 3d 294
    , 301 (D.D.C. 2015) (quoting
    Rollins v. U.S. Dep’t of State, 
    70 F. Supp. 3d 546
    , 550 (D.D.C. 2014)). An initially reasonable
    search can also become “‘untenable’ once [the agency] discover[s] information suggesting the
    existence of other responsive material.” 
    Coleman, 134 F. Supp. 3d at 302
    (quoting Campbell v.
    DOJ, 
    164 F.3d 20
    , 28 (D.C. Cir. 1998)). Here, the relevant OPCL determination letters—
    addressed to the DEA’s SCOP and Operational Support Division and dated from 2010 to 2011—
    stated that “the DEA must complete a privacy impact assessment . . . for this system.” Pl.’s
    3
    The four unaccounted-for PIAs relate to the LIMS, DrugSTAR, NVNS, and WebOCTS
    systems. See Pl.’s Opp’n, Ex. 3 at 3, 4, 12, 13.
    9
    Opp’n 10. The E-Government Act mandates that PIAs be approved prior to a technology system
    being implemented. See Pub. L. 107-347, § 208, 116 Stat. 2899, 2921 (2002). Thus, if the DEA
    implemented or is operating any of these systems, a PIA should have existed for it. This is a
    “clear and certain” lead about four specific PIAs. And while the DEA is not required to account
    for specific records, it must “reasonably attempt[] to locate them.” West v. Spellings, 539 F.
    Supp. 2d 55, 62 (D.D.C. 2008).
    Yet it does not appear that the DEA took reasonable steps to locate these four PIAs.
    First, it failed to justify why re-running its original search would suddenly uncover new PIAs for
    programs that were years old. Second, the CIOSU apparently did not run any independent
    searches using the program names as search terms—as it did with earlier searches. What is
    more, the OPCL letters were directed to the SCOP, but no efforts were made to search the
    SCOP’s records. In the DEA’s own words, the SCOP “reviews, approves, and signs final PIAs.”
    Second Myrick Decl. ¶ 6. If the SCOP had reviewed and approved a final PIA without returning
    it to the CIOSU, a final version of the PIA might remain with the SCOP. The CIOSU did not
    explain why searching the SCOP, once EPIC presented evidence of potential additive PIAs, was
    not likely to uncover responsive records. The OPCL letters provide a “lead” that the CIOSU
    failed to reasonably follow. Thus, the Court finds that EPIC has raised a substantial doubt as to
    the sufficiency of the DEA’s supplemental search for PIAs covering the four identified
    programs. It will therefore order the agency either to conduct a supplemental search consistent
    with this opinion or explain in a supplemental declaration why such a search would not be likely
    to uncover the remaining records in question.
    Apart from the DEA’s failure to run down the lead discussed above, the Court finds that
    the DEA undertook a good-faith, initial search that was reasonably calculated to uncover
    10
    responsive records. The affidavits offered by the DEA explain and justify where, why, and how
    the agency searched its files. Neither FOIA nor this Court demands more of it.
    IV.    Conclusion
    For the foregoing reasons, the Court will grant in part and deny in part Defendant’s
    Motion for Summary Judgment, and will deny in part and reserve judgment in part on Plaintiff’s
    Cross-Motion for Summary Judgment. An Order accompanies this Memorandum Opinion.
    CHRISTOPHER R. COOPER
    United States District Judge
    Date: September 13, 2016
    11