                              UNITED STATES DISTRICT COURT
                              FOR THE DISTRICT OF COLUMBIA

 ELECTRONIC PRIVACY
 INFORMATION CENTER,

                        Plaintiff,                  Case No. 15-cv-00667 (CRC)

                        v.

 UNITED STATES DRUG
 ENFORCEMENT ADMINISTRATION,

                        Defendant.

                                     MEMORANDUM OPINION

       Before developing or procuring new information technology that involves the collection

of identifiable personal information, federal agencies must assess how that technology will affect

citizens’ civil liberties and privacy. Plaintiff Electronic Privacy Information Center (“EPIC”)

submitted a two-part Freedom of Information Act request to the Drug Enforcement

Administration to obtain all such privacy assessments prepared by the agency. After

considerable back-and-forth on search parameters and results, EPIC eventually received ten

pages of responsive records from the DEA and 13 pages of records from the Department of

Justice’s Office of Privacy and Civil Liberties (“OPCL”), which coordinates privacy assessments

for all DOJ components including the DEA. Believing that it has fulfilled its FOIA obligations,

the DEA has moved for summary judgment. EPIC has challenged the adequacy of the DEA’s

searches in its own cross-motion for summary judgment. Because the DEA’s declarations

establish the reasonableness of its initial searches but not its supplemental search for four

specific programs, the Court will grant in part and deny in part the DEA’s motion, deny in part

and reserve judgment in part on EPIC’s cross-motion, and direct the DEA to conduct a limited

additional search.
       I.      Background

       EPIC is a public-interest research organization based in Washington, D.C. Pl.’s Compl.

(“Compl.”) ¶ 4. Through its print and online publications, EPIC distributes reports “analyz[ing]

the impact of government programs on civil liberties and privacy interests.” Id. In February

2015, EPIC submitted a FOIA request to the DEA seeking the following records:

       Part 1: All Privacy Impact Assessments (“PIAs”) the DEA has conducted that are not
       publicly available at http://www.dea.gov/FOIA/PIA.shtml; and

       Part 2: All Privacy Threshold Analysis (“PTA”) documents and Initial Privacy
       Assessments (“IPAs”) the DEA has conducted since 2007 to present.

Def.’s Statement of Material Facts (“DSOF”) ¶ 1. Agencies must generate a Privacy Impact

Assessment (“PIA”) when “initiating a new collection of information” or “developing or

procuring information technology that collects, maintains, or disseminates information that is an

identifiable form.” E-Government Act of 2002, Pub. L. 107-347, § 208, 116 Stat. 2899, 2921

(2002). The OPCL assists DOJ components, like the DEA, “by assessing the need to conduct a

PIA through the Initial Privacy Assessment (“IPA”) process.” Pl.’s Opp’n & Cross-Mot. Summ

J. (“Pl.’s Opp’n”), Ex. 2 at 4. This initial assessment, previously known as the Privacy

Threshold Analysis (“PTA”), identifies privacy concerns surrounding the technology and

informs the decision of whether additional privacy assessments, like a final PIA, will be

necessary before the agency can implement a data collection program or IT system. Compl.

¶ 11. If the OPCL determines a PIA is needed, the agency must submit the assessment for final

OPCL approval and, if practicable, publicly post it before the system is operational. Id. ¶¶ 13,

15. The PIA remains online as long as the program is in use. Decl. Katherine L. Myrick Supp.

Def.’s Mot. Summ. J (“First Myrick Decl.”) ¶ 16.




                                                 2
       The Chief Information Officer Support Unit (“CIOSU”)—housed in the DEA’s Office of

Information Systems—manages the “day-to-day implementation of and compliance” with the

agency’s privacy assessment requirements. Decl. Katherine L. Myrick Supp. Def.’s Reply Mot.

Summ. J. (“Second Myrick Decl.”) ¶ 6. The CIOSU is the DEA’s point-of-contact for the OPCL

and acts as a liaison between the OPCL and the DEA’s Senior Component Official for Privacy

(“SCOP”). The SCOP is responsible for approving PIAs before the CIOSU submits them to the

OPCL for final authorization. First Myrick Decl. ¶ 10. The CIOSU then “transmit[s],

publish[es] online, and store[s] record copies of final DEA PIAs.” Second Myrick Decl. ¶ 6.

       DEA, accordingly, charged the CIOSU with leading the search for the requested records

and providing responsive records to EPIC. Def.’s Mem. Supp. Mot. Summ. J. 2. The CIOSU

reached out to EPIC to clarify if EPIC sought only final privacy assessments, or draft versions as

well. First Myrick Decl. ¶ 11. EPIC responded that it was only interested in the final versions.

Id. The CIOSU then crafted a search tailored to EPIC’s request: For Part 1 of the request, the

CIOSU searched its paper files; its SharePoint site—a network drive shared by DEA components

with IT responsibilities; relevant staff email; and its Share Drive—another network drive

containing the CIOSU’s most comprehensive collection of records and where privacy

assessments are typically stored. Id. ¶ 18. It used the search terms “Privacy Impact Assessment”

and “PIA” for all of the electronic databases; then, it winnowed the results by adding the search

term “final.” The Share Drive search—and no others—yielded responsive records. Id. ¶ 19. As

an added precaution, the CIOSU ran individual searches using terms derived from the letter

containing EPIC’s FOIA request.1 Id. All but one of the PIAs uncovered were already public.



       1
          The additional search terms included: Hemisphere, National License Plate Reader
Initiative, LPR, DEA Internet Connectivity Endeavor, DICE, Special Operations Division, SOD,

                                                3
The remaining PIA, for a program called Avue Digital Services, was released to EPIC. Id. ¶¶

20–22.

         The CIOSU followed the same methodology for Part 2 of EPIC’s request, searching the

same databases in a similar manner. It used search terms—“Privacy Threshold Analysis,”

“PTA,” “Initial Privacy Assessment,” “IPA,” and “privacy@usdoj.gov,” the OPCL’s email

address—with “final” as an additional filter. Id. ¶ 24. And, again, it ran independent searches

using the program names listed above. No final PTAs or IPAs turned up. Id. The CIOSU did

find, however, 13 OPCL determination letters. Id. ¶ 25. The DEA told EPIC that IPAs and

PTAs were essentially “working drafts” and that the final products from discussions with the

OPCL were the determination letters themselves, which stated whether a final privacy

assessment was needed before the system could be implemented. Id. EPIC chose to accept the

OPCL determination letters in lieu of the PTAs and IPAs. Id. ¶ 26. Because the OPCL drafted

these letters, the CIOSU sent the letters to the OPCL to review and release. The OPCL released

13 minimally redacted determination letters to EPIC in August 2015. Id. ¶¶ 30–32; see also Pl.’s

Opp’n, Ex. 3. EPIC does not challenge these redactions. Joint Status Report 1, ECF No. 16.

         After reviewing the determination letters, EPIC challenged the sufficiency of the DEA’s

initial search. The determination letters showed that the OPCL had requested four PIAs from

DEA that were not available online and had not been uncovered by the DEA’s initial search.

EPIC asked the DEA to locate them. First Myrick Decl. ¶ 32. The CIOSU re-ran its initial

search, using the terms “PIA” and “final” to search its electronic databases; no new PIAs were

uncovered. Id. ¶ 33.




telecommunications metadata, telecommunications, and metadata. First Myrick Decl. ¶ 19.
None of these searches produced responsive records. Id.

                                                 4
       The DEA now moves for summary judgment on the grounds that it conducted a

reasonable search and produced responsive records, thus fulfilling its obligations under FOIA.

EPIC’s cross-motion for summary judgment raises three main objections to the DEA’s search:2

(1) The DEA’s search methodology was incomplete and not comprehensive, (2) the agency

improperly limited the scope of its search by using unsuitable search terms, and (3) it should

have altered its search approach when EPIC provided it evidence of unaccounted-for PIAs. Pl.’s

Opp’n 7–8.

       II.     Standard of Review

       Organizations invoke FOIA “to pierce the veil of administrative secrecy and to open

agency action to the light of public scrutiny.” Am. Civil Liberties Union v. U.S. Dep’t of

Justice, 655 F.3d 1, 5 (D.C. Cir. 2011). The statute imposes a general obligation on the

government to provide records to the public. 5 U.S.C. § 552(a). FOIA carves out explicit

exceptions to this disclosure obligation, 5 U.S.C. § 552(b), but “[t]he basic purpose of FOIA is to

ensure an informed citizenry, vital to the functioning of a democratic society, needed to check

against corruption and to hold the governors accountable to the governed,” NLRB v. Robbins

Tire & Rubber Co., 437 U.S. 214, 242 (1978). Congress did not intend, however, “to reduce

government agencies to full-time investigators on behalf of requesters.” Judicial Watch v.

Export-Import Bank, 108 F. Supp. 2d 19, 27 (D.D.C. 2000).

       FOIA cases are appropriately resolved at summary judgment. See Brayton v. Office of

U.S. Trade Rep., 641 F.3d 521, 527 (D.C. Cir. 2011). In deciding a motion for summary




       2
          EPIC originally challenged the sufficiency of the DEA’s searches for responsive records
to Part 1 and Part 2 of its FOIA request. It has since dropped its challenge to the DEA’s search
for responsive records to Part 2 of its request. Pl.’s Reply Supp. Cross-Mot. Summ. J. 2.

                                                5
judgment, the Court assumes the truth of the non-movant’s evidence and draws all reasonable

inferences in the non-movant’s favor. See Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 255

(1986). When an agency’s search is questioned, it must show “beyond material doubt that its

search was reasonably calculated to uncover all relevant documents.” Ancient Coin Collectors

Guild v. U.S. Dep’t of State, 641 F.3d 504, 514 (D.C. Cir. 2011) (quoting Valencia-Lucena v.

U.S. Coast Guard, 180 F.3d 321, 325 (D.C. Cir. 1999)) (internal quotation marks omitted). An

agency’s search is judged by the individual circumstances of each case. See Truitt v. Dep’t of

State, 897 F.2d 540, 542 (D.C. Cir. 1990). The central question is whether the search itself was

reasonable, regardless of the results. See Cunningham v. U.S. Dep’t of Justice, 40 F. Supp. 3d

71, 83–84 (D.D.C. 2014). Agencies need not scour every database, but rather should conduct a

“good faith, reasonable search of those systems of records likely to possess requested records.”

Id. (quoting SafeCard Servs., Inc. v. SEC, 926 F.2d 1197, 1201 (D.C. Cir. 1991)). Agency

declarations, especially from individuals coordinating the search, are accorded “a presumption of

good faith, which cannot be rebutted by purely speculative claims about the existence and

discoverability of other documents.” SafeCard, 926 F.2d at 1200.

       Courts can decide—and award—summary judgment solely based on agency affidavits

and declarations that are “relatively detailed and non-conclusory.” Id. Important details include

what records were searched, who did the search, and what search terms or processes were used.

See Judicial Watch., Inc. v. Dep’t of the Navy, 971 F. Supp. 2d 1, 2 (D.D.C. 2013). A plaintiff

can rebut an agency declaration by raising “substantial doubt[s] as to the reasonableness of the

search, especially in light of ‘well-defined requests and positive indications of overlooked

materials.’” Cunningham, 40 F. Supp. 3d at 84 (quoting Founding Church of Scientology of

Washington, D.C. v. NSA, 610 F.2d 824, 837 (D.C. Cir. 1979)).


                                                 6
       III.    Analysis

       As noted, EPIC contends the DEA’s search for final PIAs was unreasonable because it

initially used an incomplete search methodology, unnecessarily limited the scope of the search,

and did not modify its search once EPIC provided evidence of potentially additional PIAs.

               A.     Initial Search Methodology

       EPIC first maintains that performing a keyword search was unnecessary. In EPIC’s

view, the DEA should have instead spoken with OPCL, CIOSU, and SCOP employees to

determine the number and location of completed PIAs. The DEA—rightly—responds that

conducting a reasonable search does not require involving external agencies or departments.

Def.’s Reply Supp. Mot. Summ. J. 3–4. Even though both are parts of the Justice Department,

the OPCL exists outside of the DEA. Thus, a search of the OPCL’s records is best initiated by

directing a FOIA request to the OPCL itself, which EPIC did not do. See Campbell v. U.S.

Dep’t of Justice, 133 F. Supp. 3d 58, 65 (D.D.C. 2015) (holding that the DOJ’s Criminal

Division was not required to search the DEA for responsive records).

       More to the point, an agency’s search is reasonable if it is designed and likely to produce

responsive records. See id. at 64. The agency’s declarations show that the DEA’s initial search

was just that. DEA chose the CIOSU to lead the search because of its familiarity and expertise

with the agency’s compliance efforts and privacy documents. First Myrick Decl. ¶ 10. The

CIOSU drafts, stores, and discusses privacy assessments with the OPCL. Second Myrick Decl. ¶

6. Conversely, the SCOP only signs off on final PIAs before they are submitted to the OPCL.

Id. Thus, the “CIOSU knows the locations where responsive [PIAs] are likely to be found.”

First Myrick Decl. ¶ 10. The CIOSU searched its paper files, its Share Drive, its SharePoint site,

and relevant staff electronic mail. And the search it designed was successful: It found PIAs, one


                                                7
of which was not already posted online. Furthermore, the DEA explained why the CIOSU did

not consult with the SCOP: “[T]here [was] no reasonable basis to believe that the SCOP would

be able to identify the location of any additional final DEA PIAs that CIOSU personnel did not

locate through the searches they already conducted based on their knowledge of, and experience

with, privacy documentation requirements. . . .” Second Myrick Decl. ¶ 6. The DEA, not its

FOIA requestors, is charged with determining the most effective way to search its records. EPIC

has not provided any evidence undermining the DEA’s initial, good-faith assessment of how and

where to search for responsive records.

               B.      Scope of Search

       EPIC next asserts that adding “final” as a search term resulted in underinclusive search

results. EPIC’s main concern is that some requested records would not have “final” in the body

of the text or in the attached message. It points to public PIAs that do not include “final” in the

name or content. Pl.’s Opp’n 9–10. But the DEA had clarified with EPIC that it wanted only the

final PIAs. First Myrick Decl. ¶ 11. And the CIOSU’s initial set of search terms included the

words “Privacy Impact Assessment” and “PIA,” which yielded too many results including all

draft PIAs and any document that mentioned a PIA in passing. Second Myrick Decl. ¶ 5. To

find responsive records, the CIOSU added the term “final” because “[i]t is the customary

practice of the CIOSU to use the word ‘final’ in the electronic file names of final, as opposed to

draft, PIAs [in the Share Drive and SharePoint site].” Id. The CIOSU also typically uses “final”

in “electronic mail message[s] transmitting a final PIA.” Id. Finally, the CIOSU conducted

specific searches based on program names provided by EPIC without adding “final” as a search

term. These searches yielded no additional results. Id. This bolsters the DEA’s justification

because searches without “final” as a search term did not generate different results. EPIC does


                                                 8
not respond to this argument and, in any event, has not raised substantial doubts about the scope

of the DEA’s search.

               C.      Supplemental Search for Missing PIAs

       The final issue before the Court is what obligations DEA was under to continue searching

once EPIC provided evidence of missing PIAs. EPIC reviewed the 13 OPCL determination

letters and found that the OPCL had required the DEA to perform a PIA for four technology

systems.3 These (potential) PIAs were not online and had not previously been provided to EPIC.

Pl.’s Opp’n 10–11. EPIC requested that the DEA perform a supplemental search to uncover

them. The CIOSU re-ran its initial search with the same results. EPIC rejects this latter search

as unreasonable.

       A FOIA plaintiff can undermine the adequacy of an agency’s search if it shows that the

agency failed to follow a “clear and certain” lead. See Mobley v. C.I.A., 806 F.3d 568, 582

(D.C. Cir. 2015). “Such leads may indicate, for example, other offices that should have been

searched, additional search terms that should have been used, or records custodians who should

have been consulted.” Coleman v. DEA, 134 F. Supp. 3d 294, 301 (D.D.C. 2015) (quoting

Rollins v. U.S. Dep’t of State, 70 F. Supp. 3d 546, 550 (D.D.C. 2014)). An initially reasonable

search can also become “‘untenable’ once [the agency] discover[s] information suggesting the

existence of other responsive material.” Coleman, 134 F. Supp. 3d at 302 (quoting Campbell v.

DOJ, 164 F.3d 20, 28 (D.C. Cir. 1998)). Here, the relevant OPCL determination letters—

addressed to the DEA’s SCOP and Operational Support Division and dated from 2010 to 2011—

stated that “the DEA must complete a privacy impact assessment . . . for this system.” Pl.’s



       3
        The four unaccounted-for PIAs relate to the LIMS, DrugSTAR, NVNS, and WebOCTS
systems. See Pl.’s Opp’n, Ex. 3 at 3, 4, 12, 13.

                                                9
Opp’n 10. The E-Government Act mandates that PIAs be approved prior to a technology system

being implemented. See Pub. L. 107-347, § 208, 116 Stat. 2899, 2921 (2002). Thus, if the DEA

implemented or is operating any of these systems, a PIA should have existed for it. This is a

“clear and certain” lead about four specific PIAs. And while the DEA is not required to account

for specific records, it must “reasonably attempt[] to locate them.” West v. Spellings, 539 F.

Supp. 2d 55, 62 (D.D.C. 2008).

       Yet it does not appear that the DEA took reasonable steps to locate these four PIAs.

First, it failed to justify why re-running its original search would suddenly uncover new PIAs for

programs that were years old. Second, the CIOSU apparently did not run any independent

searches using the program names as search terms—as it did with earlier searches. What is

more, the OPCL letters were directed to the SCOP, but no efforts were made to search the

SCOP’s records. In the DEA’s own words, the SCOP “reviews, approves, and signs final PIAs.”

Second Myrick Decl. ¶ 6. If the SCOP had reviewed and approved a final PIA without returning

it to the CIOSU, a final version of the PIA might remain with the SCOP. The CIOSU did not

explain why searching the SCOP, once EPIC presented evidence of potential additive PIAs, was

not likely to uncover responsive records. The OPCL letters provide a “lead” that the CIOSU

failed to reasonably follow. Thus, the Court finds that EPIC has raised a substantial doubt as to

the sufficiency of the DEA’s supplemental search for PIAs covering the four identified

programs. It will therefore order the agency either to conduct a supplemental search consistent

with this opinion or explain in a supplemental declaration why such a search would not be likely

to uncover the remaining records in question.

       Apart from the DEA’s failure to run down the lead discussed above, the Court finds that

the DEA undertook a good-faith, initial search that was reasonably calculated to uncover


                                                10
responsive records. The affidavits offered by the DEA explain and justify where, why, and how

the agency searched its files. Neither FOIA nor this Court demands more of it.

       IV.    Conclusion

       For the foregoing reasons, the Court will grant in part and deny in part Defendant’s

Motion for Summary Judgment, and will deny in part and reserve judgment in part on Plaintiff’s

Cross-Motion for Summary Judgment. An Order accompanies this Memorandum Opinion.




                                                           CHRISTOPHER R. COOPER
                                                           United States District Judge

Date: September 13, 2016




                                               11
