Electronic Privacy Information Center v. United States Postal Service

UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA ELECTRONIC PRIVACY INFORMATION CENTER, Plaintiff, Case No. 1:21-cv-02156 (TNM) v. UNITED STATES POSTAL SERVICE, et al., Defendants. MEMORANDUM OPINION The Electronic Privacy Information Center (EPIC) is a frequent litigant in this circuit. Here, EPIC on its own behalf and on behalf of its members sues the U.S. Postal Service (USPS) and its law enforcement component for failure to comply with the E-Government Act. USPS disputes EPIC’s standing for these claims. Indeed, in EPIC’s prior actions the D.C. Circuit has rejected some of the standing theories that EPIC advances now. For all other theories, the Court agrees with USPS that EPIC has not met its burden to show a cognizable injury in fact. The Court will therefore grant USPS’s motion to dismiss the Complaint. I. Congress passed the E-Government Act to improve the Government’s use of information technology “in a manner consistent with laws regarding protection of personal privacy, national security, . . . and other relevant laws.” Pub. L. No. 107-347, § 2(b)(11), 116 Stat. 2899, 2901 (2002) (Act), codified at 44 U.S.C. § 3501 note. Section 208 of the Act requires an agency to conduct, review, and, “if practicable,” publish a privacy impact assessment (PIA). Id. § 208(b)(1)(B). The agency must take these steps before it collects “information in an identifiable form permitting the physical or online contacting of a specific individual,” if the agency imposes the same reporting requirements on “10 or more persons.” Id. § 208(b)(1). Since “at least 2018,” USPS has operated a “surveillance program known as the Internet Covert Operations Program (iCOP).” Am. Compl. ¶ 21, ECF No. 13 (Compl.). This program facilitates the identification of individuals and organizations who use “the mail or USPS online tools” for illegal purposes. Id. Through the program, USPS monitors social media posts to “search for potential threats of violence,” id. ¶ 33, and identifies the users of the most worrisome accounts, see id. ¶¶ 30–31. For that identification, USPS relies on facial recognition software. Particularly relevant here is Clearview AI, which provides “a database of over 3 million images scraped from Facebook and other social media sites.” Id. ¶ 24. When a user inputs a person’s image, the software compares that image against others in the database. See id. If there is a match, Clearview AI gives “links to the individual’s personal information, social media profiles, and other related online material.” Id. Using iCOP, USPS has identified multiple individuals. See id. ¶¶ 30, 34. Enter EPIC, a nonprofit membership organization committed to “oversight and analysis of government data collection activities.” Id. ¶ 6. In May 2021, EPIC submitted a FOIA request seeking a PIA for the facial recognition and social media monitoring systems used by iCOP. See id. ¶ 42. USPS conducted a search but found no PIA. See id. ¶ 43. EPIC renewed its request but never received a response. See id. ¶¶ 50–56. EPIC then filed this suit, making three claims. Count I alleges “unlawful agency action” under the Administrative Procedure Act (APA) because USPS began using iCOP and its attendant tools without conducting a PIA as required by the E-Government Act. See id. ¶¶ 58– 65. Similarly, Count II alleges “agency action unlawfully withheld” because USPS “failed to 2 conduct and publish” a PIA. Id. ¶ 67. And Count III seeks a writ of mandamus compelling USPS “to conduct and publish” a PIA and, until then, to suspend iCOP and the use of its software. Id. ¶ 78. EPIC attached to its Complaint declarations from two of its members. See Hartzog Decl., ECF No. 13-5; Gropper Decl., ECF No. 13-6. Both members say that their personal data, including their “name and/or image,” “are likely contained in Clearview AI’s database” because both members habitually use social media and did so while iCOP “[was] known to have used social media monitoring tools.” Hartzog Decl. ¶¶ 9–10; Gropper Decl. ¶¶ 9–10. USPS moves to dismiss EPIC’s Complaint, arguing that EPIC lacks standing and has failed to properly state a claim. See Defs.’ Mot. to Dismiss, ECF No. 14-1 (MTD). That motion is now ripe for decision. II. The Court begins and ends with standing. “[T]here is no justiciable case or controversy unless the plaintiff has standing.” West v. Lynch, 845 F.3d 1228, 1230 (D.C. Cir. 2017). As the party seeking federal jurisdiction, EPIC bears the burden to show standing. See Lujan v. Defs. of Wildlife, 504 U.S. 555, 560 (1992). EPIC “must show (1) it has suffered a concrete and particularized injury (2) that is fairly traceable to the challenged action of the defendant and (3) that is likely” redressable by a favorable decision from the Court. EPIC v. Pres. Advisory Comm’n on Election Integrity (EPIC I), 878 F.3d 371, 377 (D.C. Cir. 2017) (cleaned up). When ruling on a motion to dismiss under Rule 12(b)(1), the Court “assume[s] the truth of all material factual allegations in the complaint and construe[s] the complaint liberally, granting [the] plaintiff the benefit of all inferences that can be derived from the facts alleged.” Am. Nat’l Ins. Co. v. FDIC, 642 F.3d 1137, 1139 (D.C. Cir. 2011) (cleaned up). The Court “may 3 consider materials outside the pleadings in deciding whether to grant a motion to dismiss for lack of jurisdiction.” Cal. Cattlemen’s Ass’n v. U.S. Fish and Wildlife Serv., 315 F. Supp. 3d 282, 285 (D.D.C. 2018) (cleaned up). And the Court treats any documents attached to the Complaint—like the declarations from EPIC’s members—“as if they are part of the complaint.” In re Cheney, 406 F.3d 723, 729 (D.C. Cir. 2005). III. EPIC argues that it has standing on two bases—organizational standing on its own behalf and associational standing on behalf of its members. The Court takes those in turn. A. EPIC can assert standing on its own behalf “if the defendant’s actions cause a concrete and demonstrable injury to [EPIC’s] activities that is more than simply a setback to the organization’s abstract social interests.” ASPCA v. Feld Entm’t, Inc., 659 F.3d 13, 25 (D.C. Cir. 2011) (cleaned up). EPIC argues that it has suffered an informational injury because USPS’s failure to publish a PIA “unlawfully denied [ ] EPIC access to information” otherwise required by statute. Compl. ¶ 70, 75. For that informational gap to constitute an injury in fact, EPIC must allege that “(1) it has been deprived of information that, on its interpretation, a statute requires the government or a third party to disclose to it, and (2) it suffers, by being denied access to that information, the type of harm Congress sought to prevent by requiring disclosure.” Friends of Animals v. Jewell, 828 F.3d 989, 992 (D.C. Cir. 2016). As a frequent filer in this circuit, EPIC is blessed and cursed with robust caselaw, some of which is directly relevant to its current arguments. The D.C. Circuit has twice rejected EPIC’s argument that failure to publish a PIA creates an informational injury sufficient for standing. See 4 EPIC v. Dep’t of Commerce (EPIC II), 928 F.3d 95, 101 (D.C. Cir. 2019); EPIC I, 878 F.3d at 378. The third time is not the charm. Start with the most obvious. In EPIC I, the D.C. Circuit held that § 208 of the E-Government Act “is intended to protect individuals.” 878 F.3d at 378 (emphasis in original). Because EPIC was not—and still is not—an individual, it is “not the type of plaintiff [ ] Congress had in mind.” Id. EPIC thus fails the second prong of the informational standing test. More, in EPIC II, the Circuit held that “the lack of information itself is not the harm that Congress sought to prevent through § 208.” 928 F.3d at 103. Instead, the statute prevented against “harm to individual privacy.” Id. at 104. Thus, an asserted informational injury under § 208 “cannot satisfy the second step” of the test for an informational injury in fact. Id. For these reasons already propounded to EPIC by the D.C. Circuit, the Court finds that EPIC’s alleged informational injury from the lack of a PIA does not confer organizational standing. * * * There is an old chestnut that insanity is doing the same thing over and over again and expecting a different result. And at law, an attorney who repeatedly raises arguments that have been squarely rejected in binding precedent risks sanctions. See, e.g., McLaughlin v. Bradlee, 803 F.2d 1197, 1205 (D.C. Cir. 1986). The Court reminds EPIC’s attorneys to scrupulously adhere to their Rule 11 obligations in future cases. B. The Court turns next to EPIC’s assertion of associational standing. EPIC has associational standing to sue on behalf of its members if, among other things, “at least one of [EPIC’s] members has standing to sue in her or his own right[.]” EPIC II, 928 F.3d at 101. 5 EPIC says that its members have suffered informational and privacy injuries. See Pl.’s Opp’n to MTD at 13, 16, ECF No. 15 (Opp’n). 1 1. The Court applies the same two-pronged test to EPIC’s claim that its members have suffered an informational injury. See EPIC II, 928 F.3d at 103. And EPIC makes the same arguments that it made for itself. So some of the Court’s analysis of organizational standing also applies here. True, EPIC’s members are individuals. But they still assert an informational injury, which the D.C. Circuit explained is not the “harm Congress sought to prevent through § 208.” Id. Thus, EPIC’s members fail the second step of the test for an informational injury in fact. EPIC’s members also fail the first step. Section 208 does not on its face “require” disclosure of a PIA. Jewell, 828 F.3d at 992. Instead, the statute mandates disclosure “if practicable.” Act § 208(b)(1)(B)(iii). EPIC creatively responds that because Section 208 requires an agency to “conduct” a PIA, any PIA becomes an agency record disclosable under FOIA, thus meeting the first step of the informational injury test. See Opp’n at 15. But EPIC misunderstands FOIA, which “does not require the disclosure of any specific information to anyone[.]” Pub. Citizen Health Rsrch. Grp. v. Pizzella, 513 F. Supp. 3d 10, 20 (D.D.C. 2021). FOIA instead requires “access to records when a request has been made and [FOIA] exemptions are inapplicable.” Id. And as this Court has noted, FOIA also “does not require the government to create documents.” Jud. Watch, Inc. v. ODNI, No. 1:17-cv-508 (TNM), 2018 WL 1440186 at *3 (D.D.C. Mar. 22, 2018); accord SafeCard Servs., Inc. v. SEC, 926 F.2d 1197, 1201 (D.C. Cir. 1991) (noting that FOIA does not require agencies to “recreate or 1 All page citations refer to the pagination generated by the Court’s CM/ECF system. 6 to reacquire a document that it no longer has”). FOIA thus would not mandate disclosure of information in PIAs that do not exist. Indeed, if FOIA clears the first step for informational standing, a plaintiff would always meet that step. Such a holding “would all but eviscerate the requirement.” Pub. Citizen, 513 F. Supp. 3d at 20. Waterkeeper Alliance v. EPA, 853 F.3d 527 (D.C. Cir. 2017), is not to the contrary. There, organizations challenged a final EPA rule that exempted certain entities from a reporting requirement in the Comprehensive Environmental Response, Compensation, and Liability Act (CERCLA). See id. at 532. CERCLA contains no disclosure requirement. See id. at 533. So the EPA argued that the organizations lacked standing because the CERCLA exemption did not deprive them of any information. See id. The D.C. Circuit disagreed, however, because another statute, the Emergency Planning and Community Right-to-Know Act (EPCRA), required public disclosure of events when those events also merited a report to the EPA under CERCLA. See id. In other words, EPCRA’s disclosure mandates were “piggybacked on the CERCLA mandates in one form or another.” Id. Thus, exemptions from CERCLA reporting requirements “had the automatic effect of cutting back on EPCRA reporting and disclosure requirements[,]” a mechanism that deprived the organizations of information otherwise required for disclosure. Id. at 534. The E-Government Act and FOIA share none of the “complex interplay” present between the two statutes in Waterkeeper. Id. at 533. That FOIA and the E-Government Act “seek to achieve the same goal of public disclosure” does not matter. Opp’n at 16. Nothing in FOIA is “expressly tied” to the E-Government Act, or vice versa. Waterkeeper, 853 F.3d at 533. The “closer, direct connection” between CERCLA and EPCRA in Waterkeeper is thus “utterly lacking” here. Jud. Watch, 2018 WL 1440186, at *3. 7 The Court holds that EPIC has not asserted on behalf of its members an informational injury in fact. 2 2. EPIC next argues that its members have suffered injuries to their privacy. See Opp’n at 16–18. For support, EPIC relies mainly on two declarations. Both members “maintain social media profiles containing their images and personal information[]” and “were active on social media in 2020” when iCOP allegedly patrolled those sites. Id. at 17. Based on that activity and the “3 billion faces” in the Clearview AI database, EPIC says that its members are “highly likely” to appear in that database. Id.; see Hartzog Decl. ¶ 9; Gropper Decl. ¶ 9. USPS thus, EPIC says, used technology containing personal information without “first conduct[ing] a required analysis of the resulting privacy risks[.]” Opp’n at 17. EPIC labels that failure a “privacy injury sufficient for Article III standing.” Id. But EPIC’s own words undermine that characterization. Nowhere does EPIC challenge USPS’s mere use of the technology. Instead, the only alleged injury is that USPS did so without “first conduct[ing] a required” PIA under § 208. Id. EPIC therefore “allege[s] a bare procedural violation” of the Act. Spokeo, Inc. v. Robins, 578 U.S. 330, 341 (2016). Such a violation does not create an injury in fact without an underlying concrete harm. See Summers v. Earth Island Inst., 555 U.S. 488, 496 (2009). So to show a plausible privacy injury—which is the injury that 2 And even if EPIC has, that injury is not redressable. Section 208 requires disclosure of a PIA only when “practicable.” Thus, if the Court granted EPIC’s request and ordered USPS to follow § 208, that provision does not require publication of the PIA. Without guaranteed disclosure of the information allegedly withheld, EPIC cannot redress its informational injury. See Lawyers’ Comm. for 9/11 Inquiry, Inc. v. Wray, 848 F. App’x 428, 430 (D.C. Cir. 2021) (denying standing for informational injury when statute “stop[ped] short of imposing” a public disclosure requirement). 8 EPIC says its members suffered—“EPIC must allege harm that is distinct from a simple failure to comply with the procedural requirements of § 208.” EPIC II, 928 F.3d at 102. EPIC has not done so. Privacy injuries “ordinarily stem from the disclosure of private information.” Id.; see In re SAIC Backup Tape Data Theft Litig., 45 F. Supp. 3d 14, 28 (D.D.C. 2014) (“For a person’s privacy to be invaded, their personal information must, at a minimum, be disclosed to a third party.”). Indeed, the D.C. Circuit has recognized a privacy injury only when personal information has been disclosed to third parties or there is a risk of such disclosure. See In re U.S. OPM Data Sec. Breach Litig., 928 F.3d 42, 56 (D.C. Cir. 2019); Owner-Operator Indep. Drivers Ass’n, Inc. v. DOT (OOIDA), 879 F.3d 339, 345 (D.C. Cir. 2018). In contrast, EPIC makes no allegation that USPS has disclosed any personal information of EPIC’s members or is likely to do so. That deficiency in the Complaint is fatal to EPIC’s assertion of a privacy injury. See Stewart v. Kendall, — F. Supp. 3d —, No. 21-cv-1387 (RCL), 2022 WL 35642 at *5 (D.D.C. Jan. 4, 2022). True, information gleaned from Clearview is now part of USPS’s internal records. That arguably constitutes a disclosure. But D.C. Circuit precedent forecloses that argument, too. In OOIDA, the Circuit held that the existence of inaccurate information in government databases, “absent dissemination,” did not “amount[ ] to concrete injury.” 879 F.3d at 345; cf. EPIC v. Dep’t of Educ., 48 F. Supp. 3d 1, 15 (D.D.C. 2014) (finding no injury in fact when, assuming that school records included personal information, plaintiffs “failed to make any showing that it is likely the schools will disclose the information to unregulated third parties”). “If the mere maintenance of inaccurate information is not sufficient to confer standing, surely an agency’s retention of prosaic personal information is not either.” Taylor v. FAA, 351 F. Supp. 3d 97, 104 (D.D.C. 2018). 9 In response, EPIC relies on the Supreme Court’s decisions in Americans for Prosperity Foundation v. Bonta, 141 S. Ct. 2373 (2021), and Shelton v. Tucker, 364 U.S. 479 (1960). According to EPIC, those cases show that “government collection of personal information can” create concrete harm even without disclosure to the public. Opp’n at 17. Plaintiffs in those cases, however, argued that state laws infringed on the First Amendment right to associate. See Bonta, 141 S. Ct. at 2379; Shelton, 364 U.S. at 490. In contrast, EPIC asserts no similar constitutional injury from the collection of its members’ information. 3 Those decisions are thus inapt. EPIC cannot rely on them to find standing for a different alleged injury. See Lewis v. Casey, 518 U.S. 343, 358 n. 6 (1996) (“[S]tanding is not dispensed in gross.”). In sum, EPIC alleges a bare statutory violation that is “divorced from any concrete” privacy injury. Spokeo, 578 U.S. at 341. EPIC has thus “failed to show that its members have suffered, or imminently will suffer, a privacy injury” from USPS’s failure to conduct a PIA. EPIC II, 928 F.3d at 103. IV. For these reasons, the Court holds that EPIC lacks standing for any of its claims. The Court will therefore grant USPS’s motion to dismiss. A separate Order will issue. 2022.03.25 10:28:58 -04'00' Dated: March 25, 2022 TREVOR N. McFADDEN, U.S.D.J. 3 Even if EPIC did, the D.C. Circuit has emphasized its “grave doubts” about “a constitutional right of privacy in the nondisclosure of personal information, at least where the information is collected by the government but not disseminated publicly.” EPIC II, 928 F.3d at 102 (cleaned up). 10