Electronic Privacy Information Center v. United States Postal Service

UNITED STATES DISTRICT COURT
FOR THE DISTRICT OF COLUMBIA

ELECTRONIC PRIVACY
INFORMATION CENTER,

Plaintiff,
Case No. 1:21-cv-02156 (TNM)
v.

UNITED STATES POSTAL SERVICE, et
al.,

Defendants.

MEMORANDUM OPINION

The Electronic Privacy Information Center (EPIC) is a frequent litigant in this circuit.

Here, EPIC on its own behalf and on behalf of its members sues the U.S. Postal Service (USPS)

and its law enforcement component for failure to comply with the E-Government Act. USPS

disputes EPIC’s standing for these claims. Indeed, in EPIC’s prior actions the D.C. Circuit has

rejected some of the standing theories that EPIC advances now. For all other theories, the Court

agrees with USPS that EPIC has not met its burden to show a cognizable injury in fact. The

Court will therefore grant USPS’s motion to dismiss the Complaint.

I.

Congress passed the E-Government Act to improve the Government’s use of information

technology “in a manner consistent with laws regarding protection of personal privacy, national

security, . . . and other relevant laws.” Pub. L. No. 107-347, § 2(b)(11), 116 Stat. 2899, 2901

(2002) (Act), codified at 44 U.S.C. § 3501 note. Section 208 of the Act requires an agency to

conduct, review, and, “if practicable,” publish a privacy impact assessment (PIA). Id.

§ 208(b)(1)(B). The agency must take these steps before it collects “information in an
identifiable form permitting the physical or online contacting of a specific individual,” if the

agency imposes the same reporting requirements on “10 or more persons.” Id. § 208(b)(1).

Since “at least 2018,” USPS has operated a “surveillance program known as the Internet

Covert Operations Program (iCOP).” Am. Compl. ¶ 21, ECF No. 13 (Compl.). This program

facilitates the identification of individuals and organizations who use “the mail or USPS online

tools” for illegal purposes. Id. Through the program, USPS monitors social media posts to

“search for potential threats of violence,” id. ¶ 33, and identifies the users of the most worrisome

accounts, see id. ¶¶ 30–31. For that identification, USPS relies on facial recognition software.

Particularly relevant here is Clearview AI, which provides “a database of over 3 million

images scraped from Facebook and other social media sites.” Id. ¶ 24. When a user inputs a

person’s image, the software compares that image against others in the database. See id. If there

is a match, Clearview AI gives “links to the individual’s personal information, social media

profiles, and other related online material.” Id. Using iCOP, USPS has identified multiple

individuals. See id. ¶¶ 30, 34.

Enter EPIC, a nonprofit membership organization committed to “oversight and analysis

of government data collection activities.” Id. ¶ 6. In May 2021, EPIC submitted a FOIA request

seeking a PIA for the facial recognition and social media monitoring systems used by iCOP. See

id. ¶ 42. USPS conducted a search but found no PIA. See id. ¶ 43. EPIC renewed its request but

never received a response. See id. ¶¶ 50–56.

EPIC then filed this suit, making three claims. Count I alleges “unlawful agency action”

under the Administrative Procedure Act (APA) because USPS began using iCOP and its

attendant tools without conducting a PIA as required by the E-Government Act. See id. ¶¶ 58–

65. Similarly, Count II alleges “agency action unlawfully withheld” because USPS “failed to

2
conduct and publish” a PIA. Id. ¶ 67. And Count III seeks a writ of mandamus compelling

USPS “to conduct and publish” a PIA and, until then, to suspend iCOP and the use of its

software. Id. ¶ 78.

EPIC attached to its Complaint declarations from two of its members. See Hartzog Decl.,

ECF No. 13-5; Gropper Decl., ECF No. 13-6. Both members say that their personal data,

including their “name and/or image,” “are likely contained in Clearview AI’s database” because

both members habitually use social media and did so while iCOP “[was] known to have used

social media monitoring tools.” Hartzog Decl. ¶¶ 9–10; Gropper Decl. ¶¶ 9–10.

USPS moves to dismiss EPIC’s Complaint, arguing that EPIC lacks standing and has

failed to properly state a claim. See Defs.’ Mot. to Dismiss, ECF No. 14-1 (MTD). That motion

is now ripe for decision.

II.

The Court begins and ends with standing. “[T]here is no justiciable case or controversy

unless the plaintiff has standing.” West v. Lynch, 845 F.3d 1228, 1230 (D.C. Cir. 2017). As the

party seeking federal jurisdiction, EPIC bears the burden to show standing. See Lujan v. Defs. of

Wildlife, 504 U.S. 555, 560 (1992). EPIC “must show (1) it has suffered a concrete and

particularized injury (2) that is fairly traceable to the challenged action of the defendant and (3)

that is likely” redressable by a favorable decision from the Court. EPIC v. Pres. Advisory

Comm’n on Election Integrity (EPIC I), 878 F.3d 371, 377 (D.C. Cir. 2017) (cleaned up).

When ruling on a motion to dismiss under Rule 12(b)(1), the Court “assume[s] the truth

of all material factual allegations in the complaint and construe[s] the complaint liberally,

granting [the] plaintiff the benefit of all inferences that can be derived from the facts alleged.”

Am. Nat’l Ins. Co. v. FDIC, 642 F.3d 1137, 1139 (D.C. Cir. 2011) (cleaned up). The Court “may

3
consider materials outside the pleadings in deciding whether to grant a motion to dismiss for lack

of jurisdiction.” Cal. Cattlemen’s Ass’n v. U.S. Fish and Wildlife Serv., 315 F. Supp. 3d 282,

285 (D.D.C. 2018) (cleaned up). And the Court treats any documents attached to the

Complaint—like the declarations from EPIC’s members—“as if they are part of the complaint.”

In re Cheney, 406 F.3d 723, 729 (D.C. Cir. 2005).

III.

EPIC argues that it has standing on two bases—organizational standing on its own behalf

and associational standing on behalf of its members. The Court takes those in turn.

A.

EPIC can assert standing on its own behalf “if the defendant’s actions cause a concrete

and demonstrable injury to [EPIC’s] activities that is more than simply a setback to the

organization’s abstract social interests.” ASPCA v. Feld Entm’t, Inc., 659 F.3d 13, 25 (D.C. Cir.

2011) (cleaned up). EPIC argues that it has suffered an informational injury because USPS’s

failure to publish a PIA “unlawfully denied [ ] EPIC access to information” otherwise required

by statute. Compl. ¶ 70, 75. For that informational gap to constitute an injury in fact, EPIC must

allege that “(1) it has been deprived of information that, on its interpretation, a statute requires

the government or a third party to disclose to it, and (2) it suffers, by being denied access to that

information, the type of harm Congress sought to prevent by requiring disclosure.” Friends of

Animals v. Jewell, 828 F.3d 989, 992 (D.C. Cir. 2016).

As a frequent filer in this circuit, EPIC is blessed and cursed with robust caselaw, some

of which is directly relevant to its current arguments. The D.C. Circuit has twice rejected EPIC’s

argument that failure to publish a PIA creates an informational injury sufficient for standing. See

4
EPIC v. Dep’t of Commerce (EPIC II), 928 F.3d 95, 101 (D.C. Cir. 2019); EPIC I, 878 F.3d at

378. The third time is not the charm.

Start with the most obvious. In EPIC I, the D.C. Circuit held that § 208 of the

E-Government Act “is intended to protect individuals.” 878 F.3d at 378 (emphasis in original).

Because EPIC was not—and still is not—an individual, it is “not the type of plaintiff [ ]

Congress had in mind.” Id. EPIC thus fails the second prong of the informational standing test.

More, in EPIC II, the Circuit held that “the lack of information itself is not the harm that

Congress sought to prevent through § 208.” 928 F.3d at 103. Instead, the statute prevented

against “harm to individual privacy.” Id. at 104. Thus, an asserted informational injury under

§ 208 “cannot satisfy the second step” of the test for an informational injury in fact. Id.

For these reasons already propounded to EPIC by the D.C. Circuit, the Court finds that

EPIC’s alleged informational injury from the lack of a PIA does not confer organizational

standing.

* * *

There is an old chestnut that insanity is doing the same thing over and over again and

expecting a different result. And at law, an attorney who repeatedly raises arguments that have

been squarely rejected in binding precedent risks sanctions. See, e.g., McLaughlin v. Bradlee,

803 F.2d 1197, 1205 (D.C. Cir. 1986). The Court reminds EPIC’s attorneys to scrupulously

adhere to their Rule 11 obligations in future cases.

B.

The Court turns next to EPIC’s assertion of associational standing. EPIC has

associational standing to sue on behalf of its members if, among other things, “at least one of

[EPIC’s] members has standing to sue in her or his own right[.]” EPIC II, 928 F.3d at 101.

5
EPIC says that its members have suffered informational and privacy injuries. See Pl.’s Opp’n to

MTD at 13, 16, ECF No. 15 (Opp’n). 1

1.

The Court applies the same two-pronged test to EPIC’s claim that its members have

suffered an informational injury. See EPIC II, 928 F.3d at 103. And EPIC makes the same

arguments that it made for itself. So some of the Court’s analysis of organizational standing also

applies here. True, EPIC’s members are individuals. But they still assert an informational

injury, which the D.C. Circuit explained is not the “harm Congress sought to prevent through

§ 208.” Id. Thus, EPIC’s members fail the second step of the test for an informational injury in

fact.

EPIC’s members also fail the first step. Section 208 does not on its face “require”

disclosure of a PIA. Jewell, 828 F.3d at 992. Instead, the statute mandates disclosure “if

practicable.” Act § 208(b)(1)(B)(iii). EPIC creatively responds that because Section 208

requires an agency to “conduct” a PIA, any PIA becomes an agency record disclosable under

FOIA, thus meeting the first step of the informational injury test. See Opp’n at 15.

But EPIC misunderstands FOIA, which “does not require the disclosure of any specific

information to anyone[.]” Pub. Citizen Health Rsrch. Grp. v. Pizzella, 513 F. Supp. 3d 10, 20

(D.D.C. 2021). FOIA instead requires “access to records when a request has been made and

[FOIA] exemptions are inapplicable.” Id. And as this Court has noted, FOIA also “does not

require the government to create documents.” Jud. Watch, Inc. v. ODNI, No. 1:17-cv-508

(TNM), 2018 WL 1440186 at *3 (D.D.C. Mar. 22, 2018); accord SafeCard Servs., Inc. v. SEC,

926 F.2d 1197, 1201 (D.C. Cir. 1991) (noting that FOIA does not require agencies to “recreate or

1
All page citations refer to the pagination generated by the Court’s CM/ECF system.

6
to reacquire a document that it no longer has”). FOIA thus would not mandate disclosure of

information in PIAs that do not exist. Indeed, if FOIA clears the first step for informational

standing, a plaintiff would always meet that step. Such a holding “would all but eviscerate the

requirement.” Pub. Citizen, 513 F. Supp. 3d at 20.

Waterkeeper Alliance v. EPA, 853 F.3d 527 (D.C. Cir. 2017), is not to the contrary.

There, organizations challenged a final EPA rule that exempted certain entities from a reporting

requirement in the Comprehensive Environmental Response, Compensation, and Liability Act

(CERCLA). See id. at 532. CERCLA contains no disclosure requirement. See id. at 533. So

the EPA argued that the organizations lacked standing because the CERCLA exemption did not

deprive them of any information. See id. The D.C. Circuit disagreed, however, because another

statute, the Emergency Planning and Community Right-to-Know Act (EPCRA), required public

disclosure of events when those events also merited a report to the EPA under CERCLA. See id.

In other words, EPCRA’s disclosure mandates were “piggybacked on the CERCLA mandates in

one form or another.” Id. Thus, exemptions from CERCLA reporting requirements “had the

automatic effect of cutting back on EPCRA reporting and disclosure requirements[,]” a

mechanism that deprived the organizations of information otherwise required for disclosure. Id.

at 534.

The E-Government Act and FOIA share none of the “complex interplay” present between

the two statutes in Waterkeeper. Id. at 533. That FOIA and the E-Government Act “seek to

achieve the same goal of public disclosure” does not matter. Opp’n at 16. Nothing in FOIA is

“expressly tied” to the E-Government Act, or vice versa. Waterkeeper, 853 F.3d at 533. The

“closer, direct connection” between CERCLA and EPCRA in Waterkeeper is thus “utterly

lacking” here. Jud. Watch, 2018 WL 1440186, at *3.

7
 The Court holds that EPIC has not asserted on behalf of its members an informational

injury in fact. 2

2.

EPIC next argues that its members have suffered injuries to their privacy. See Opp’n at

16–18. For support, EPIC relies mainly on two declarations. Both members “maintain social

media profiles containing their images and personal information[]” and “were active on social

media in 2020” when iCOP allegedly patrolled those sites. Id. at 17. Based on that activity and

the “3 billion faces” in the Clearview AI database, EPIC says that its members are “highly

likely” to appear in that database. Id.; see Hartzog Decl. ¶ 9; Gropper Decl. ¶ 9. USPS thus,

EPIC says, used technology containing personal information without “first conduct[ing] a

required analysis of the resulting privacy risks[.]” Opp’n at 17.

EPIC labels that failure a “privacy injury sufficient for Article III standing.” Id. But

EPIC’s own words undermine that characterization. Nowhere does EPIC challenge USPS’s

mere use of the technology. Instead, the only alleged injury is that USPS did so without “first

conduct[ing] a required” PIA under § 208. Id. EPIC therefore “allege[s] a bare procedural

violation” of the Act. Spokeo, Inc. v. Robins, 578 U.S. 330, 341 (2016). Such a violation does

not create an injury in fact without an underlying concrete harm. See Summers v. Earth Island

Inst., 555 U.S. 488, 496 (2009). So to show a plausible privacy injury—which is the injury that

2
And even if EPIC has, that injury is not redressable. Section 208 requires disclosure of a PIA
only when “practicable.” Thus, if the Court granted EPIC’s request and ordered USPS to follow
§ 208, that provision does not require publication of the PIA. Without guaranteed disclosure of
the information allegedly withheld, EPIC cannot redress its informational injury. See Lawyers’
Comm. for 9/11 Inquiry, Inc. v. Wray, 848 F. App’x 428, 430 (D.C. Cir. 2021) (denying standing
for informational injury when statute “stop[ped] short of imposing” a public disclosure
requirement).

8
EPIC says its members suffered—“EPIC must allege harm that is distinct from a simple failure

to comply with the procedural requirements of § 208.” EPIC II, 928 F.3d at 102.

EPIC has not done so. Privacy injuries “ordinarily stem from the disclosure of private

information.” Id.; see In re SAIC Backup Tape Data Theft Litig., 45 F. Supp. 3d 14, 28 (D.D.C.

2014) (“For a person’s privacy to be invaded, their personal information must, at a minimum, be

disclosed to a third party.”). Indeed, the D.C. Circuit has recognized a privacy injury only when

personal information has been disclosed to third parties or there is a risk of such disclosure. See

In re U.S. OPM Data Sec. Breach Litig., 928 F.3d 42, 56 (D.C. Cir. 2019); Owner-Operator

Indep. Drivers Ass’n, Inc. v. DOT (OOIDA), 879 F.3d 339, 345 (D.C. Cir. 2018). In contrast,

EPIC makes no allegation that USPS has disclosed any personal information of EPIC’s members

or is likely to do so. That deficiency in the Complaint is fatal to EPIC’s assertion of a privacy

injury. See Stewart v. Kendall, — F. Supp. 3d —, No. 21-cv-1387 (RCL), 2022 WL 35642 at *5

(D.D.C. Jan. 4, 2022).

True, information gleaned from Clearview is now part of USPS’s internal records. That

arguably constitutes a disclosure. But D.C. Circuit precedent forecloses that argument, too. In

OOIDA, the Circuit held that the existence of inaccurate information in government databases,

“absent dissemination,” did not “amount[ ] to concrete injury.” 879 F.3d at 345; cf. EPIC v.

Dep’t of Educ., 48 F. Supp. 3d 1, 15 (D.D.C. 2014) (finding no injury in fact when, assuming

that school records included personal information, plaintiffs “failed to make any showing that it

is likely the schools will disclose the information to unregulated third parties”). “If the mere

maintenance of inaccurate information is not sufficient to confer standing, surely an agency’s

retention of prosaic personal information is not either.” Taylor v. FAA, 351 F. Supp. 3d 97, 104

(D.D.C. 2018).

9
 In response, EPIC relies on the Supreme Court’s decisions in Americans for Prosperity

Foundation v. Bonta, 141 S. Ct. 2373 (2021), and Shelton v. Tucker, 364 U.S. 479 (1960).

According to EPIC, those cases show that “government collection of personal information can”

create concrete harm even without disclosure to the public. Opp’n at 17. Plaintiffs in those

cases, however, argued that state laws infringed on the First Amendment right to associate. See

Bonta, 141 S. Ct. at 2379; Shelton, 364 U.S. at 490. In contrast, EPIC asserts no similar

constitutional injury from the collection of its members’ information. 3 Those decisions are thus

inapt. EPIC cannot rely on them to find standing for a different alleged injury. See Lewis v.

Casey, 518 U.S. 343, 358 n. 6 (1996) (“[S]tanding is not dispensed in gross.”).

In sum, EPIC alleges a bare statutory violation that is “divorced from any concrete”

privacy injury. Spokeo, 578 U.S. at 341. EPIC has thus “failed to show that its members have

suffered, or imminently will suffer, a privacy injury” from USPS’s failure to conduct a PIA.

EPIC II, 928 F.3d at 103.

IV.

For these reasons, the Court holds that EPIC lacks standing for any of its claims. The

Court will therefore grant USPS’s motion to dismiss. A separate Order will issue.

2022.03.25
10:28:58 -04'00'
Dated: March 25, 2022 TREVOR N. McFADDEN, U.S.D.J.

3
Even if EPIC did, the D.C. Circuit has emphasized its “grave doubts” about “a constitutional
right of privacy in the nondisclosure of personal information, at least where the information is
collected by the government but not disseminated publicly.” EPIC II, 928 F.3d at 102 (cleaned
up).

10