Electronic Privacy Information Center v. United States Drug Enforcement Administration , 208 F. Supp. 3d 108 ( 2016 )

                              UNITED STATES DISTRICT COURT
FOR THE DISTRICT OF COLUMBIA
ELECTRONIC PRIVACY
INFORMATION CENTER,
Plaintiff,                  Case No. 15-cv-00667 (CRC)
v.
UNITED STATES DRUG
ENFORCEMENT ADMINISTRATION,
Defendant.
MEMORANDUM OPINION
Before developing or procuring new information technology that involves the collection
of identifiable personal information, federal agencies must assess how that technology will affect
citizens’ civil liberties and privacy. Plaintiff Electronic Privacy Information Center (“EPIC”)
submitted a two-part Freedom of Information Act request to the Drug Enforcement
Administration to obtain all such privacy assessments prepared by the agency. After
considerable back-and-forth on search parameters and results, EPIC eventually received ten
pages of responsive records from the DEA and 13 pages of records from the Department of
Justice’s Office of Privacy and Civil Liberties (“OPCL”), which coordinates privacy assessments
for all DOJ components including the DEA. Believing that it has fulfilled its FOIA obligations,
the DEA has moved for summary judgment. EPIC has challenged the adequacy of the DEA’s
searches in its own cross-motion for summary judgment. Because the DEA’s declarations
establish the reasonableness of its initial searches but not its supplemental search for four
specific programs, the Court will grant in part and deny in part the DEA’s motion, deny in part
and reserve judgment in part on EPIC’s cross-motion, and direct the DEA to conduct a limited
additional search.
I.      Background
EPIC is a public-interest research organization based in Washington, D.C. Pl.’s Compl.
(“Compl.”) ¶ 4. Through its print and online publications, EPIC distributes reports “analyz[ing]
the impact of government programs on civil liberties and privacy interests.” 

2015, EPIC submitted a FOIA request to the DEA seeking the following records:
Part 1: All Privacy Impact Assessments (“PIAs”) the DEA has conducted that are not
publicly available at http://www.dea.gov/FOIA/PIA.shtml; and
Part 2: All Privacy Threshold Analysis (“PTA”) documents and Initial Privacy
Assessments (“IPAs”) the DEA has conducted since 2007 to present.
Def.’s Statement of Material Facts (“DSOF”) ¶ 1. Agencies must generate a Privacy Impact
Assessment (“PIA”) when “initiating a new collection of information” or “developing or
procuring information technology that collects, maintains, or disseminates information that is an
identifiable form.” E-Government Act of 2002, Pub. L. 107-347, § 208, 116 Stat. 2899, 2921
(2002). The OPCL assists DOJ components, like the DEA, “by assessing the need to conduct a
PIA through the Initial Privacy Assessment (“IPA”) process.” Pl.’s Opp’n & Cross-Mot. Summ
J. (“Pl.’s Opp’n”), Ex. 2 at 4. This initial assessment, previously known as the Privacy
Threshold Analysis (“PTA”), identifies privacy concerns surrounding the technology and
informs the decision of whether additional privacy assessments, like a final PIA, will be
necessary before the agency can implement a data collection program or IT system. Compl.
¶ 11. If the OPCL determines a PIA is needed, the agency must submit the assessment for final
OPCL approval and, if practicable, publicly post it before the system is operational. 

15. The PIA remains online as long as the program is in use. Decl. Katherine L. Myrick Supp.
Def.’s Mot. Summ. J (“First Myrick Decl.”) ¶ 16.
2
The Chief Information Officer Support Unit (“CIOSU”)—housed in the DEA’s Office of
Information Systems—manages the “day-to-day implementation of and compliance” with the
agency’s privacy assessment requirements. Decl. Katherine L. Myrick Supp. Def.’s Reply Mot.
Summ. J. (“Second Myrick Decl.”) ¶ 6. The CIOSU is the DEA’s point-of-contact for the OPCL
and acts as a liaison between the OPCL and the DEA’s Senior Component Official for Privacy
(“SCOP”). The SCOP is responsible for approving PIAs before the CIOSU submits them to the
OPCL for final authorization. First Myrick Decl. ¶ 10. The CIOSU then “transmit[s],
publish[es] online, and store[s] record copies of final DEA PIAs.” Second Myrick Decl. ¶ 6.
DEA, accordingly, charged the CIOSU with leading the search for the requested records
and providing responsive records to EPIC. Def.’s Mem. Supp. Mot. Summ. J. 2. The CIOSU
reached out to EPIC to clarify if EPIC sought only final privacy assessments, or draft versions as
well. First Myrick Decl. ¶ 11. EPIC responded that it was only interested in the final versions.

then crafted a search tailored to EPIC’s request: For Part 1 of the request, the
CIOSU searched its paper files; its SharePoint site—a network drive shared by DEA components
with IT responsibilities; relevant staff email; and its Share Drive—another network drive
containing the CIOSU’s most comprehensive collection of records and where privacy
assessments are typically stored. 

It used the search terms “Privacy Impact Assessment”
and “PIA” for all of the electronic databases; then, it winnowed the results by adding the search
term “final.” The Share Drive search—and no others—yielded responsive records. 

As
an added precaution, the CIOSU ran individual searches using terms derived from the letter
containing EPIC’s FOIA request.1 

one of the PIAs uncovered were already public.
1
The additional search terms included: Hemisphere, National License Plate Reader
Initiative, LPR, DEA Internet Connectivity Endeavor, DICE, Special Operations Division, SOD,
3
The remaining PIA, for a program called Avue Digital Services, was released to EPIC. 

The CIOSU followed the same methodology for Part 2 of EPIC’s request, searching the
same databases in a similar manner. It used search terms—“Privacy Threshold Analysis,”
“PTA,” “Initial Privacy Assessment,” “IPA,” and “privacy@usdoj.gov,” the OPCL’s email
address—with “final” as an additional filter. 

And, again, it ran independent searches
using the program names listed above. No final PTAs or IPAs turned up. 

did
find, however, 13 OPCL determination letters. 

The DEA told EPIC that IPAs and
PTAs were essentially “working drafts” and that the final products from discussions with the
OPCL were the determination letters themselves, which stated whether a final privacy
assessment was needed before the system could be implemented. 

to accept the
OPCL determination letters in lieu of the PTAs and IPAs. 

Because the OPCL drafted
these letters, the CIOSU sent the letters to the OPCL to review and release. The OPCL released
13 minimally redacted determination letters to EPIC in August 2015. 

see also Pl.’s
Opp’n, Ex. 3. EPIC does not challenge these redactions. Joint Status Report 1, ECF No. 16.
After reviewing the determination letters, EPIC challenged the sufficiency of the DEA’s
initial search. The determination letters showed that the OPCL had requested four PIAs from
DEA that were not available online and had not been uncovered by the DEA’s initial search.
EPIC asked the DEA to locate them. First Myrick Decl. ¶ 32. The CIOSU re-ran its initial
search, using the terms “PIA” and “final” to search its electronic databases; no new PIAs were
uncovered. 

telecommunications metadata, telecommunications, and metadata. First Myrick Decl. ¶ 19.
None of these searches produced responsive records. 

DEA now moves for summary judgment on the grounds that it conducted a
reasonable search and produced responsive records, thus fulfilling its obligations under FOIA.
EPIC’s cross-motion for summary judgment raises three main objections to the DEA’s search:2
(1) The DEA’s search methodology was incomplete and not comprehensive, (2) the agency
improperly limited the scope of its search by using unsuitable search terms, and (3) it should
have altered its search approach when EPIC provided it evidence of unaccounted-for PIAs. Pl.’s
Opp’n 7–8.
II.     Standard of Review
Organizations invoke FOIA “to pierce the veil of administrative secrecy and to open
agency action to the light of public scrutiny.” Am. Civil Liberties Union v. U.S. Dep’t of
Justice, 

, 5 (D.C. Cir. 2011). The statute imposes a general obligation on the
government to provide records to the public. 5 U.S.C. § 552(a). FOIA carves out explicit
exceptions to this disclosure obligation, 5 U.S.C. § 552(b), but “[t]he basic purpose of FOIA is to
ensure an informed citizenry, vital to the functioning of a democratic society, needed to check
against corruption and to hold the governors accountable to the governed,” NLRB v. Robbins
Tire & Rubber Co., 

, 242 (1978). Congress did not intend, however, “to reduce
government agencies to full-time investigators on behalf of requesters.” Judicial Watch v.
Export-Import Bank, 

, 27 (D.D.C. 2000).
FOIA cases are appropriately resolved at summary judgment. See Brayton v. Office of
U.S. Trade Rep., 

, 527 (D.C. Cir. 2011). In deciding a motion for summary
2
EPIC originally challenged the sufficiency of the DEA’s searches for responsive records
to Part 1 and Part 2 of its FOIA request. It has since dropped its challenge to the DEA’s search
for responsive records to Part 2 of its request. Pl.’s Reply Supp. Cross-Mot. Summ. J. 2.
5
judgment, the Court assumes the truth of the non-movant’s evidence and draws all reasonable
inferences in the non-movant’s favor. See Anderson v. Liberty Lobby, Inc., 

, 255
(1986). When an agency’s search is questioned, it must show “beyond material doubt that its
search was reasonably calculated to uncover all relevant documents.” Ancient Coin Collectors
Guild v. U.S. Dep’t of State, 

, 514 (D.C. Cir. 2011) (quoting Valencia-Lucena v.
U.S. Coast Guard, 

, 325 (D.C. Cir. 1999)) (internal quotation marks omitted). An
agency’s search is judged by the individual circumstances of each case. See Truitt v. Dep’t of
State, 

, 542 (D.C. Cir. 1990). The central question is whether the search itself was
reasonable, regardless of the results. See Cunningham v. U.S. Dep’t of Justice, 

, 83–84 (D.D.C. 2014). Agencies need not scour every database, but rather should conduct a
“good faith, reasonable search of those systems of records likely to possess requested records.”

Servs., Inc. v. SEC, 

, 1201 (D.C. Cir. 1991)). Agency
declarations, especially from individuals coordinating the search, are accorded “a presumption of
good faith, which cannot be rebutted by purely speculative claims about the existence and
discoverability of other documents.” 

.
Courts can decide—and award—summary judgment solely based on agency affidavits
and declarations that are “relatively detailed and non-conclusory.” 

include
what records were searched, who did the search, and what search terms or processes were used.
See Judicial Watch., Inc. v. Dep’t of the Navy, 

, 2 (D.D.C. 2013). A plaintiff
can rebut an agency declaration by raising “substantial doubt[s] as to the reasonableness of the
search, especially in light of ‘well-defined requests and positive indications of overlooked
materials.’” 

(quoting Founding Church of Scientology of
Washington, D.C. v. NSA, 

, 837 (D.C. Cir. 1979)).
6
III.    Analysis
As noted, EPIC contends the DEA’s search for final PIAs was unreasonable because it
initially used an incomplete search methodology, unnecessarily limited the scope of the search,
and did not modify its search once EPIC provided evidence of potentially additional PIAs.
A.     Initial Search Methodology
EPIC first maintains that performing a keyword search was unnecessary. In EPIC’s
view, the DEA should have instead spoken with OPCL, CIOSU, and SCOP employees to
determine the number and location of completed PIAs. The DEA—rightly—responds that
conducting a reasonable search does not require involving external agencies or departments.
Def.’s Reply Supp. Mot. Summ. J. 3–4. Even though both are parts of the Justice Department,
the OPCL exists outside of the DEA. Thus, a search of the OPCL’s records is best initiated by
directing a FOIA request to the OPCL itself, which EPIC did not do. See Campbell v. U.S.
Dep’t of Justice, 

, 65 (D.D.C. 2015) (holding that the DOJ’s Criminal
Division was not required to search the DEA for responsive records).
More to the point, an agency’s search is reasonable if it is designed and likely to produce
responsive records. See 

The agency’s declarations show that the DEA’s initial search
was just that. DEA chose the CIOSU to lead the search because of its familiarity and expertise
with the agency’s compliance efforts and privacy documents. First Myrick Decl. ¶ 10. The
CIOSU drafts, stores, and discusses privacy assessments with the OPCL. Second Myrick Decl. ¶
6. Conversely, the SCOP only signs off on final PIAs before they are submitted to the OPCL.

“CIOSU knows the locations where responsive [PIAs] are likely to be found.”
First Myrick Decl. ¶ 10. The CIOSU searched its paper files, its Share Drive, its SharePoint site,
and relevant staff electronic mail. And the search it designed was successful: It found PIAs, one
7
of which was not already posted online. Furthermore, the DEA explained why the CIOSU did
not consult with the SCOP: “[T]here [was] no reasonable basis to believe that the SCOP would
be able to identify the location of any additional final DEA PIAs that CIOSU personnel did not
locate through the searches they already conducted based on their knowledge of, and experience
with, privacy documentation requirements. . . .” Second Myrick Decl. ¶ 6. The DEA, not its
FOIA requestors, is charged with determining the most effective way to search its records. EPIC
has not provided any evidence undermining the DEA’s initial, good-faith assessment of how and
where to search for responsive records.
B.      Scope of Search
EPIC next asserts that adding “final” as a search term resulted in underinclusive search
results. EPIC’s main concern is that some requested records would not have “final” in the body
of the text or in the attached message. It points to public PIAs that do not include “final” in the
name or content. Pl.’s Opp’n 9–10. But the DEA had clarified with EPIC that it wanted only the
final PIAs. First Myrick Decl. ¶ 11. And the CIOSU’s initial set of search terms included the
words “Privacy Impact Assessment” and “PIA,” which yielded too many results including all
draft PIAs and any document that mentioned a PIA in passing. Second Myrick Decl. ¶ 5. To
find responsive records, the CIOSU added the term “final” because “[i]t is the customary
practice of the CIOSU to use the word ‘final’ in the electronic file names of final, as opposed to
draft, PIAs [in the Share Drive and SharePoint site].” 

also typically uses “final”
in “electronic mail message[s] transmitting a final PIA.” 

CIOSU conducted
specific searches based on program names provided by EPIC without adding “final” as a search
term. These searches yielded no additional results. 

the DEA’s justification
because searches without “final” as a search term did not generate different results. EPIC does
8
not respond to this argument and, in any event, has not raised substantial doubts about the scope
of the DEA’s search.
C.      Supplemental Search for Missing PIAs
The final issue before the Court is what obligations DEA was under to continue searching
once EPIC provided evidence of missing PIAs. EPIC reviewed the 13 OPCL determination
letters and found that the OPCL had required the DEA to perform a PIA for four technology
systems.3 These (potential) PIAs were not online and had not previously been provided to EPIC.
Pl.’s Opp’n 10–11. EPIC requested that the DEA perform a supplemental search to uncover
them. The CIOSU re-ran its initial search with the same results. EPIC rejects this latter search
as unreasonable.
A FOIA plaintiff can undermine the adequacy of an agency’s search if it shows that the
agency failed to follow a “clear and certain” lead. See Mobley v. C.I.A., 

, 582
(D.C. Cir. 2015). “Such leads may indicate, for example, other offices that should have been
searched, additional search terms that should have been used, or records custodians who should
have been consulted.” Coleman v. DEA, 

, 301 (D.D.C. 2015) (quoting
Rollins v. U.S. Dep’t of State, 

, 550 (D.D.C. 2014)). An initially reasonable
search can also become “‘untenable’ once [the agency] discover[s] information suggesting the
existence of other responsive material.” 

(quoting Campbell v.
DOJ, 

, 28 (D.C. Cir. 1998)). Here, the relevant OPCL determination letters—
addressed to the DEA’s SCOP and Operational Support Division and dated from 2010 to 2011—
stated that “the DEA must complete a privacy impact assessment . . . for this system.” Pl.’s
3
The four unaccounted-for PIAs relate to the LIMS, DrugSTAR, NVNS, and WebOCTS
systems. See Pl.’s Opp’n, Ex. 3 at 3, 4, 12, 13.
9
Opp’n 10. The E-Government Act mandates that PIAs be approved prior to a technology system
being implemented. See Pub. L. 107-347, § 208, 116 Stat. 2899, 2921 (2002). Thus, if the DEA
implemented or is operating any of these systems, a PIA should have existed for it. This is a
“clear and certain” lead about four specific PIAs. And while the DEA is not required to account
for specific records, it must “reasonably attempt[] to locate them.” West v. Spellings, 539 F.
Supp. 2d 55, 62 (D.D.C. 2008).
Yet it does not appear that the DEA took reasonable steps to locate these four PIAs.
First, it failed to justify why re-running its original search would suddenly uncover new PIAs for
programs that were years old. Second, the CIOSU apparently did not run any independent
searches using the program names as search terms—as it did with earlier searches. What is
more, the OPCL letters were directed to the SCOP, but no efforts were made to search the
SCOP’s records. In the DEA’s own words, the SCOP “reviews, approves, and signs final PIAs.”
Second Myrick Decl. ¶ 6. If the SCOP had reviewed and approved a final PIA without returning
it to the CIOSU, a final version of the PIA might remain with the SCOP. The CIOSU did not
explain why searching the SCOP, once EPIC presented evidence of potential additive PIAs, was
not likely to uncover responsive records. The OPCL letters provide a “lead” that the CIOSU
failed to reasonably follow. Thus, the Court finds that EPIC has raised a substantial doubt as to
the sufficiency of the DEA’s supplemental search for PIAs covering the four identified
programs. It will therefore order the agency either to conduct a supplemental search consistent
with this opinion or explain in a supplemental declaration why such a search would not be likely
to uncover the remaining records in question.
Apart from the DEA’s failure to run down the lead discussed above, the Court finds that
the DEA undertook a good-faith, initial search that was reasonably calculated to uncover
10
responsive records. The affidavits offered by the DEA explain and justify where, why, and how
the agency searched its files. Neither FOIA nor this Court demands more of it.
IV.    Conclusion
For the foregoing reasons, the Court will grant in part and deny in part Defendant’s
Motion for Summary Judgment, and will deny in part and reserve judgment in part on Plaintiff’s
Cross-Motion for Summary Judgment. An Order accompanies this Memorandum Opinion.
CHRISTOPHER R. COOPER
United States District Judge
Date: September 13, 2016
11