UNITED STATES DISTRICT COURT
FOR THE DISTRICT OF COLUMBIA
ELECTRONIC PRIVACY
INFORMATION CENTER,
Plaintiff,
Case No. 1:21-cv-02156 (TNM)
v.
UNITED STATES POSTAL SERVICE, et
al.,
Defendants.
MEMORANDUM OPINION
The Electronic Privacy Information Center (EPIC) is a frequent litigant in this circuit.
Here, EPIC on its own behalf and on behalf of its members sues the U.S. Postal Service (USPS)
and its law enforcement component for failure to comply with the E-Government Act. USPS
disputes EPIC’s standing for these claims. Indeed, in EPIC’s prior actions the D.C. Circuit has
rejected some of the standing theories that EPIC advances now. For all other theories, the Court
agrees with USPS that EPIC has not met its burden to show a cognizable injury in fact. The
Court will therefore grant USPS’s motion to dismiss the Complaint.
I.
Congress passed the E-Government Act to improve the Government’s use of information
technology “in a manner consistent with laws regarding protection of personal privacy, national
security, . . . and other relevant laws.” Pub. L. No. 107-347, § 2(b)(11), 116 Stat. 2899, 2901
(2002) (Act), codified at 44 U.S.C. § 3501 note. Section 208 of the Act requires an agency to
conduct, review, and, “if practicable,” publish a privacy impact assessment (PIA). Id.
§ 208(b)(1)(B). The agency must take these steps before it collects “information in an
identifiable form permitting the physical or online contacting of a specific individual,” if the
agency imposes the same reporting requirements on “10 or more persons.” Id. § 208(b)(1).
Since “at least 2018,” USPS has operated a “surveillance program known as the Internet
Covert Operations Program (iCOP).” Am. Compl. ¶ 21, ECF No. 13 (Compl.). This program
facilitates the identification of individuals and organizations who use “the mail or USPS online
tools” for illegal purposes. Id. Through the program, USPS monitors social media posts to
“search for potential threats of violence,” id. ¶ 33, and identifies the users of the most worrisome
accounts, see id. ¶¶ 30–31. For that identification, USPS relies on facial recognition software.
Particularly relevant here is Clearview AI, which provides “a database of over 3 million
images scraped from Facebook and other social media sites.” Id. ¶ 24. When a user inputs a
person’s image, the software compares that image against others in the database. See id. If there
is a match, Clearview AI gives “links to the individual’s personal information, social media
profiles, and other related online material.” Id. Using iCOP, USPS has identified multiple
individuals. See id. ¶¶ 30, 34.
Enter EPIC, a nonprofit membership organization committed to “oversight and analysis
of government data collection activities.” Id. ¶ 6. In May 2021, EPIC submitted a FOIA request
seeking a PIA for the facial recognition and social media monitoring systems used by iCOP. See
id. ¶ 42. USPS conducted a search but found no PIA. See id. ¶ 43. EPIC renewed its request but
never received a response. See id. ¶¶ 50–56.
EPIC then filed this suit, making three claims. Count I alleges “unlawful agency action”
under the Administrative Procedure Act (APA) because USPS began using iCOP and its
attendant tools without conducting a PIA as required by the E-Government Act. See id. ¶¶ 58–
65. Similarly, Count II alleges “agency action unlawfully withheld” because USPS “failed to
2
conduct and publish” a PIA. Id. ¶ 67. And Count III seeks a writ of mandamus compelling
USPS “to conduct and publish” a PIA and, until then, to suspend iCOP and the use of its
software. Id. ¶ 78.
EPIC attached to its Complaint declarations from two of its members. See Hartzog Decl.,
ECF No. 13-5; Gropper Decl., ECF No. 13-6. Both members say that their personal data,
including their “name and/or image,” “are likely contained in Clearview AI’s database” because
both members habitually use social media and did so while iCOP “[was] known to have used
social media monitoring tools.” Hartzog Decl. ¶¶ 9–10; Gropper Decl. ¶¶ 9–10.
USPS moves to dismiss EPIC’s Complaint, arguing that EPIC lacks standing and has
failed to properly state a claim. See Defs.’ Mot. to Dismiss, ECF No. 14-1 (MTD). That motion
is now ripe for decision.
II.
The Court begins and ends with standing. “[T]here is no justiciable case or controversy
unless the plaintiff has standing.” West v. Lynch, 845 F.3d 1228, 1230 (D.C. Cir. 2017). As the
party seeking federal jurisdiction, EPIC bears the burden to show standing. See Lujan v. Defs. of
Wildlife, 504 U.S. 555, 560 (1992). EPIC “must show (1) it has suffered a concrete and
particularized injury (2) that is fairly traceable to the challenged action of the defendant and (3)
that is likely” redressable by a favorable decision from the Court. EPIC v. Pres. Advisory
Comm’n on Election Integrity (EPIC I), 878 F.3d 371, 377 (D.C. Cir. 2017) (cleaned up).
When ruling on a motion to dismiss under Rule 12(b)(1), the Court “assume[s] the truth
of all material factual allegations in the complaint and construe[s] the complaint liberally,
granting [the] plaintiff the benefit of all inferences that can be derived from the facts alleged.”
Am. Nat’l Ins. Co. v. FDIC, 642 F.3d 1137, 1139 (D.C. Cir. 2011) (cleaned up). The Court “may
3
consider materials outside the pleadings in deciding whether to grant a motion to dismiss for lack
of jurisdiction.” Cal. Cattlemen’s Ass’n v. U.S. Fish and Wildlife Serv., 315 F. Supp. 3d 282,
285 (D.D.C. 2018) (cleaned up). And the Court treats any documents attached to the
Complaint—like the declarations from EPIC’s members—“as if they are part of the complaint.”
In re Cheney, 406 F.3d 723, 729 (D.C. Cir. 2005).
III.
EPIC argues that it has standing on two bases—organizational standing on its own behalf
and associational standing on behalf of its members. The Court takes those in turn.
A.
EPIC can assert standing on its own behalf “if the defendant’s actions cause a concrete
and demonstrable injury to [EPIC’s] activities that is more than simply a setback to the
organization’s abstract social interests.” ASPCA v. Feld Entm’t, Inc., 659 F.3d 13, 25 (D.C. Cir.
2011) (cleaned up). EPIC argues that it has suffered an informational injury because USPS’s
failure to publish a PIA “unlawfully denied [ ] EPIC access to information” otherwise required
by statute. Compl. ¶ 70, 75. For that informational gap to constitute an injury in fact, EPIC must
allege that “(1) it has been deprived of information that, on its interpretation, a statute requires
the government or a third party to disclose to it, and (2) it suffers, by being denied access to that
information, the type of harm Congress sought to prevent by requiring disclosure.” Friends of
Animals v. Jewell, 828 F.3d 989, 992 (D.C. Cir. 2016).
As a frequent filer in this circuit, EPIC is blessed and cursed with robust caselaw, some
of which is directly relevant to its current arguments. The D.C. Circuit has twice rejected EPIC’s
argument that failure to publish a PIA creates an informational injury sufficient for standing. See
4
EPIC v. Dep’t of Commerce (EPIC II), 928 F.3d 95, 101 (D.C. Cir. 2019); EPIC I, 878 F.3d at
378. The third time is not the charm.
Start with the most obvious. In EPIC I, the D.C. Circuit held that § 208 of the
E-Government Act “is intended to protect individuals.” 878 F.3d at 378 (emphasis in original).
Because EPIC was not—and still is not—an individual, it is “not the type of plaintiff [ ]
Congress had in mind.” Id. EPIC thus fails the second prong of the informational standing test.
More, in EPIC II, the Circuit held that “the lack of information itself is not the harm that
Congress sought to prevent through § 208.” 928 F.3d at 103. Instead, the statute prevented
against “harm to individual privacy.” Id. at 104. Thus, an asserted informational injury under
§ 208 “cannot satisfy the second step” of the test for an informational injury in fact. Id.
For these reasons already propounded to EPIC by the D.C. Circuit, the Court finds that
EPIC’s alleged informational injury from the lack of a PIA does not confer organizational
standing.
* * *
There is an old chestnut that insanity is doing the same thing over and over again and
expecting a different result. And at law, an attorney who repeatedly raises arguments that have
been squarely rejected in binding precedent risks sanctions. See, e.g., McLaughlin v. Bradlee,
803 F.2d 1197, 1205 (D.C. Cir. 1986). The Court reminds EPIC’s attorneys to scrupulously
adhere to their Rule 11 obligations in future cases.
B.
The Court turns next to EPIC’s assertion of associational standing. EPIC has
associational standing to sue on behalf of its members if, among other things, “at least one of
[EPIC’s] members has standing to sue in her or his own right[.]” EPIC II, 928 F.3d at 101.
5
EPIC says that its members have suffered informational and privacy injuries. See Pl.’s Opp’n to
MTD at 13, 16, ECF No. 15 (Opp’n). 1
1.
The Court applies the same two-pronged test to EPIC’s claim that its members have
suffered an informational injury. See EPIC II, 928 F.3d at 103. And EPIC makes the same
arguments that it made for itself. So some of the Court’s analysis of organizational standing also
applies here. True, EPIC’s members are individuals. But they still assert an informational
injury, which the D.C. Circuit explained is not the “harm Congress sought to prevent through
§ 208.” Id. Thus, EPIC’s members fail the second step of the test for an informational injury in
fact.
EPIC’s members also fail the first step. Section 208 does not on its face “require”
disclosure of a PIA. Jewell, 828 F.3d at 992. Instead, the statute mandates disclosure “if
practicable.” Act § 208(b)(1)(B)(iii). EPIC creatively responds that because Section 208
requires an agency to “conduct” a PIA, any PIA becomes an agency record disclosable under
FOIA, thus meeting the first step of the informational injury test. See Opp’n at 15.
But EPIC misunderstands FOIA, which “does not require the disclosure of any specific
information to anyone[.]” Pub. Citizen Health Rsrch. Grp. v. Pizzella, 513 F. Supp. 3d 10, 20
(D.D.C. 2021). FOIA instead requires “access to records when a request has been made and
[FOIA] exemptions are inapplicable.” Id. And as this Court has noted, FOIA also “does not
require the government to create documents.” Jud. Watch, Inc. v. ODNI, No. 1:17-cv-508
(TNM), 2018 WL 1440186 at *3 (D.D.C. Mar. 22, 2018); accord SafeCard Servs., Inc. v. SEC,
926 F.2d 1197, 1201 (D.C. Cir. 1991) (noting that FOIA does not require agencies to “recreate or
1
All page citations refer to the pagination generated by the Court’s CM/ECF system.
6
to reacquire a document that it no longer has”). FOIA thus would not mandate disclosure of
information in PIAs that do not exist. Indeed, if FOIA clears the first step for informational
standing, a plaintiff would always meet that step. Such a holding “would all but eviscerate the
requirement.” Pub. Citizen, 513 F. Supp. 3d at 20.
Waterkeeper Alliance v. EPA, 853 F.3d 527 (D.C. Cir. 2017), is not to the contrary.
There, organizations challenged a final EPA rule that exempted certain entities from a reporting
requirement in the Comprehensive Environmental Response, Compensation, and Liability Act
(CERCLA). See id. at 532. CERCLA contains no disclosure requirement. See id. at 533. So
the EPA argued that the organizations lacked standing because the CERCLA exemption did not
deprive them of any information. See id. The D.C. Circuit disagreed, however, because another
statute, the Emergency Planning and Community Right-to-Know Act (EPCRA), required public
disclosure of events when those events also merited a report to the EPA under CERCLA. See id.
In other words, EPCRA’s disclosure mandates were “piggybacked on the CERCLA mandates in
one form or another.” Id. Thus, exemptions from CERCLA reporting requirements “had the
automatic effect of cutting back on EPCRA reporting and disclosure requirements[,]” a
mechanism that deprived the organizations of information otherwise required for disclosure. Id.
at 534.
The E-Government Act and FOIA share none of the “complex interplay” present between
the two statutes in Waterkeeper. Id. at 533. That FOIA and the E-Government Act “seek to
achieve the same goal of public disclosure” does not matter. Opp’n at 16. Nothing in FOIA is
“expressly tied” to the E-Government Act, or vice versa. Waterkeeper, 853 F.3d at 533. The
“closer, direct connection” between CERCLA and EPCRA in Waterkeeper is thus “utterly
lacking” here. Jud. Watch, 2018 WL 1440186, at *3.
7
The Court holds that EPIC has not asserted on behalf of its members an informational
injury in fact. 2
2.
EPIC next argues that its members have suffered injuries to their privacy. See Opp’n at
16–18. For support, EPIC relies mainly on two declarations. Both members “maintain social
media profiles containing their images and personal information[]” and “were active on social
media in 2020” when iCOP allegedly patrolled those sites. Id. at 17. Based on that activity and
the “3 billion faces” in the Clearview AI database, EPIC says that its members are “highly
likely” to appear in that database. Id.; see Hartzog Decl. ¶ 9; Gropper Decl. ¶ 9. USPS thus,
EPIC says, used technology containing personal information without “first conduct[ing] a
required analysis of the resulting privacy risks[.]” Opp’n at 17.
EPIC labels that failure a “privacy injury sufficient for Article III standing.” Id. But
EPIC’s own words undermine that characterization. Nowhere does EPIC challenge USPS’s
mere use of the technology. Instead, the only alleged injury is that USPS did so without “first
conduct[ing] a required” PIA under § 208. Id. EPIC therefore “allege[s] a bare procedural
violation” of the Act. Spokeo, Inc. v. Robins, 578 U.S. 330, 341 (2016). Such a violation does
not create an injury in fact without an underlying concrete harm. See Summers v. Earth Island
Inst., 555 U.S. 488, 496 (2009). So to show a plausible privacy injury—which is the injury that
2
And even if EPIC has, that injury is not redressable. Section 208 requires disclosure of a PIA
only when “practicable.” Thus, if the Court granted EPIC’s request and ordered USPS to follow
§ 208, that provision does not require publication of the PIA. Without guaranteed disclosure of
the information allegedly withheld, EPIC cannot redress its informational injury. See Lawyers’
Comm. for 9/11 Inquiry, Inc. v. Wray, 848 F. App’x 428, 430 (D.C. Cir. 2021) (denying standing
for informational injury when statute “stop[ped] short of imposing” a public disclosure
requirement).
8
EPIC says its members suffered—“EPIC must allege harm that is distinct from a simple failure
to comply with the procedural requirements of § 208.” EPIC II, 928 F.3d at 102.
EPIC has not done so. Privacy injuries “ordinarily stem from the disclosure of private
information.” Id.; see In re SAIC Backup Tape Data Theft Litig., 45 F. Supp. 3d 14, 28 (D.D.C.
2014) (“For a person’s privacy to be invaded, their personal information must, at a minimum, be
disclosed to a third party.”). Indeed, the D.C. Circuit has recognized a privacy injury only when
personal information has been disclosed to third parties or there is a risk of such disclosure. See
In re U.S. OPM Data Sec. Breach Litig., 928 F.3d 42, 56 (D.C. Cir. 2019); Owner-Operator
Indep. Drivers Ass’n, Inc. v. DOT (OOIDA), 879 F.3d 339, 345 (D.C. Cir. 2018). In contrast,
EPIC makes no allegation that USPS has disclosed any personal information of EPIC’s members
or is likely to do so. That deficiency in the Complaint is fatal to EPIC’s assertion of a privacy
injury. See Stewart v. Kendall, — F. Supp. 3d —, No. 21-cv-1387 (RCL), 2022 WL 35642 at *5
(D.D.C. Jan. 4, 2022).
True, information gleaned from Clearview is now part of USPS’s internal records. That
arguably constitutes a disclosure. But D.C. Circuit precedent forecloses that argument, too. In
OOIDA, the Circuit held that the existence of inaccurate information in government databases,
“absent dissemination,” did not “amount[ ] to concrete injury.” 879 F.3d at 345; cf. EPIC v.
Dep’t of Educ., 48 F. Supp. 3d 1, 15 (D.D.C. 2014) (finding no injury in fact when, assuming
that school records included personal information, plaintiffs “failed to make any showing that it
is likely the schools will disclose the information to unregulated third parties”). “If the mere
maintenance of inaccurate information is not sufficient to confer standing, surely an agency’s
retention of prosaic personal information is not either.” Taylor v. FAA, 351 F. Supp. 3d 97, 104
(D.D.C. 2018).
9
In response, EPIC relies on the Supreme Court’s decisions in Americans for Prosperity
Foundation v. Bonta, 141 S. Ct. 2373 (2021), and Shelton v. Tucker, 364 U.S. 479 (1960).
According to EPIC, those cases show that “government collection of personal information can”
create concrete harm even without disclosure to the public. Opp’n at 17. Plaintiffs in those
cases, however, argued that state laws infringed on the First Amendment right to associate. See
Bonta, 141 S. Ct. at 2379; Shelton, 364 U.S. at 490. In contrast, EPIC asserts no similar
constitutional injury from the collection of its members’ information. 3 Those decisions are thus
inapt. EPIC cannot rely on them to find standing for a different alleged injury. See Lewis v.
Casey, 518 U.S. 343, 358 n. 6 (1996) (“[S]tanding is not dispensed in gross.”).
In sum, EPIC alleges a bare statutory violation that is “divorced from any concrete”
privacy injury. Spokeo, 578 U.S. at 341. EPIC has thus “failed to show that its members have
suffered, or imminently will suffer, a privacy injury” from USPS’s failure to conduct a PIA.
EPIC II, 928 F.3d at 103.
IV.
For these reasons, the Court holds that EPIC lacks standing for any of its claims. The
Court will therefore grant USPS’s motion to dismiss. A separate Order will issue.
2022.03.25
10:28:58 -04'00'
Dated: March 25, 2022 TREVOR N. McFADDEN, U.S.D.J.
3
Even if EPIC did, the D.C. Circuit has emphasized its “grave doubts” about “a constitutional
right of privacy in the nondisclosure of personal information, at least where the information is
collected by the government but not disseminated publicly.” EPIC II, 928 F.3d at 102 (cleaned
up).
10