
    ELECTRONIC PRIVACY INFORMATION CENTER, Plaintiff, v. UNITED STATES DRUG ENFORCEMENT ADMINISTRATION, Defendant.
    Case No. 15-cv-00667 (CRC)
    United States District Court, District of Columbia.
    Signed 09/13/2016
    
      Jeramie D. Scott, Alan Jay Butler, Marc Rotenberg, Washington, DC, for Plaintiff.
    Kathryn L. Wyer, U.S. Department of Justice, Washington, DC, for Defendant.
   MEMORANDUM OPINION

CHRISTOPHER R. COOPER, United States District Judge

Before developing or procuring new information technology that involves the collection of identifiable personal information, federal agencies must assess how that technology will affect citizens’ civil liberties and privacy. Plaintiff Electronic Privacy Information Center (“EPIC”) submitted a two-part Freedom of Information Act request to the Drug Enforcement Administration to obtain all such privacy assessments prepared by the agency. After considerable back-and-forth on search parameters and results, EPIC eventually received ten pages of responsive records from the DEA and 13 pages of records from the Department of Justice’s Office of Privacy and Civil Liberties (“OPCL”), which coordinates privacy assessments for all DOJ components including the DEA. Believing that it has fulfilled its FOIA obligations, the DEA has moved for summary judgment. EPIC has challenged the adequacy of the DEA’s searches in its own cross-motion for summary judgment. Because the DEA’s declarations establish the reasonableness of its initial searches but not its supplemental search for four specific programs, the Court will grant in part and deny in part the DEA’s motion, deny in part and reserve judgment in part on EPIC’s cross-motion, and direct the DEA to conduct a limited additional search.

I. Background

EPIC is a public-interest research organization based in Washington, D.C. PL’s Compl. (“Compl.”) ¶4. Through its print and online publications, EPIC distributes reports “analyzing] the impact of government programs on civil liberties and privacy interests.” Id. In February 2015, EPIC submitted a FOIA request to the DEA seeking the following records:

Part 1: All Privacy Impact Assessments (“PIAs”) the DEA has conducted that are not publicly available at http://www. dea.gov/FOIA/PIA.shtml; and
Part 2: All Privacy Threshold Analysis (“PTA”) documents and Initial Privacy Assessments (“IPAs”) the DEA has conducted since 2007 to present.

Def.’s Statement of Material Facts (“DSOF”) ¶ 1. Agencies must generate a Privacy Impact Assessment (“PIA”) when “initiating a new collection of information” or “developing or procuring information technology that collects, maintains, or disseminates information that is an identifiable form.” E-Government Act of 2002, Pub. L. 107-347, § 208, 116 Stat. 2899, 2921 (2002). The OPCL assists DOJ components, like the DEA, “by assessing the need to conduct a PIA through the Initial Privacy Assessment (“IPA”) process.” Pl.’s Opp’n & Cross-Mot. Summ J. (“Pl.’s Opp’n”), Ex. 2 at 4. This initial assessment, previously known as the Privacy Threshold Analysis (“PTA”), identifies privacy concerns surrounding the technology and informs the decision of whether additional privacy assessments, like a-final PIA, will be necessary before the agency can implement a data collection program or IT system. Compl. ¶ 11. If the OPCL determines a PIA is needed, the agency must submit the assessment for final OPCL approval and, if practicable, publicly post it before the system is operational. Id ¶¶ 13, 15. The PIA remains online as long as the program is in use. Decl. Katherine L. Myr-ick Supp. Def.’s Mot. Summ. J (“First Myrick Deck”) ¶ 16.

The Chief Information Officer Support Unit (“CIOSU”)—housed in the DEA’s Office of Information Systems—manages the “day-to-day implementation of and compli-anee” with the agency’s privacy assessment requirements. Deck Katherine L. Myrick Supp. Def.’s Reply Mot. Summ. J. (“Second Myrick Deck”) ¶ 6. The CIOSU is the DEA’s point-of-contact for the OPCL and acts as a liaison between the OPCL and the DEA’s Senior Component Official for Privacy (“SCOP”). The SCOP is responsible for approving PIAs before the CIOSU submits them to the OPCL for final authorization. First Myrick Deck ¶ 10. The CIOSU then “transmitís], publish[es] online, and store[s] record copies of final DEA PIAs.” Second Myrick Deck ¶ 6.

DEA, accordingly, charged the CIOSU with leading the search for the requested records and providing responsive records to EPIC. Defi’s Mem. Supp. Mot. Summ. J. 2. The CIOSU reached out to EPIC to clarify if EPIC sought only final privacy assessments, or draft versions as well. First Myrick Deck ¶ 11. EPIC responded that it was only interested in the final versions. Id The CIOSU then crafted a search tailored to EPIC’s request: For Part 1 of the request, the CIOSU searched its paper files; its SharePoint site—a network drive shared by DEA components with IT responsibilities; relevant staff email; and its Share Drive—another network drive containing the CIOSU’s most comprehensive collection of records and where privacy assessments are typically stored. Id. ¶ 18. It used the search terms “Privacy Impact Assessment” and “PIA” for all of the electronic databases; then, it winnowed the results by adding the search term “final.” The Share Drive search—and no others—yielded responsive records. Id ¶ 19. As an added precaution, the CIOSU ran individual searches using terms derived from the letter containing EPIC’s FOIA request. Id. All but one of the PIAs uncovered were already public. The remaining PIA, for a program called Avue Digital Services, was released to EPIC. Id. ¶¶ 20-22.

The CIOSU followed the same methodology for Part 2 of EPIC’s request, searching the same databases in a similar manner. It used search terms—“Privacy Threshold Analysis,” “PTA,” “Initial Privacy Assessment,” “IPA,” and “privacy@ usdoj.gov,” the OPCL’s email address— with “final” as an additional filter. Id. ¶ 24. And, again, it ran independent searches using the program names listed above. No final PTAs or IPAs turned up. Id. The CIOSU did find, however, 13 OPCL determination letters. Id. ¶ 25. The DEA told EPIC that IPAs and PTAs were essentially “working drafts” and that the final products from discussions with the OPCL were the determination letters themselves, which stated whether a final privacy assessment was needed before the system could be implemented. Id. EPIC chose to accept the OPCL determination letters in lieu of the PTAs and IPAs. Id ¶ 26. Because the OPCL drafted these letters, the CIOSU sent the letters to the OPCL to review and release. The OPCL released 13 minimally redacted determination letters to EPIC in August 2015. Id. ¶¶ 30-32; see also PL’s Opp’n, Ex. 3. EPIC does not challenge these redactions. Joint Status Report 1, ECF No. 16.

After reviewing the determination letters, EPIC challenged the sufficiency of the DEA’s initial search. The determination letters showed that the OPCL had requested four PIAs from DEA that were not available online and had not been uncovered by the DEA’s initial search. EPIC asked the DEA to locate them. First Myr-ick Decl. ¶ 32. The CIOSU re-ran its initial search, using the terms “PIA” and “final” to search its electronic databases; no new PIAs were uncovered. Id. ¶ 33.

The DEA now moves for summary judgment on the grounds that it conducted a reasonable search and produced responsive records, thus fulfilling its obligations under FOIA. EPIC’s cross-motion for summary judgment raises three main objections to the DEA’s search: (1) The DEA’s search methodology was incomplete and not comprehensive, (2) the agency improperly limited the scope of its search by using unsuitable search terms, and (3) it should have altered its search approach when EPIC provided it evidence of unaccounted-for PIAs. Pl.’s Opp’n 7-8.

II. Standard of Review

Organizations invoke FOIA “to pierce the veil of administrative secrecy and to open agency action to the light of public scrutiny.” Am. Civil Liberties Union v. U.S. Dep’t of Justice, 655 F.3d 1, 5 (D.C.Cir.2011). The statute imposes a general obligation On the government to provide records to the public. 5 U.S.C. § 552(a). FOIA carves out explicit exceptions to this disclosure obligation, 5 U.S.C. § 552(b), but “[t]he basic purpose of FOIA. is to ensure an informed citizenry, vital to the functioning of a democratic society, needed to check against corruption and to hold the governors accountable to the governed,” NLRB v. Robbins Tire & Rubber Co., 437 U.S. 214, 242, 98 S.Ct. 2311, 57 L.Ed.2d 159 (1978). Congress did not intend, however, “to reduce government agencies to full-time investigators on behalf of requesters.” Judicial Watch v. Export-Import Bank, 108 F.Supp.2d 19, 27 (D.D.C.2000).

FOIA cases are appropriately resolved at summary judgment. See Brayton v. Office of U.S. Trade Rep., 641 F.3d 521, 527 (D.C.Cir.2011). In deciding a motion for summary judgment, the Court assumes the truth of the non-movant’s evidence and draws all reasonable inferences in the non-movant’s favor. See Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 255, 106 S.Ct. 2505, 91 L.Ed.2d 202 (1986). When an agency’s search is questioned, it must show “beyond material doubt that its search was reasonably calculated to uncover all relevant documents.” Ancient Coin Collectors Guild v. U.S. Dep’t of State, 641 F.3d 504, 514 (D.C.Cir.2011) (quoting Valencia-Lucena v. U.S. Coast Guard, 180 F.3d 321, 325 (D.C.Cir.1999)) (internal quotation marks omitted). An agency’s search is judged by the individual circumstances of each case. See Truitt v. Dep’t of State, 897 F.2d 540, 542 (D.C.Cir.1990). The central question is whether the search itself was reasonable, regardless of the results. See Cunningham v. U.S. Dep’t of Justice, 40 F.Supp.3d 71, 83-84 (D.D.C.2014). Agencies need not scour every database, but rather should conduct a “good faith, reasonable search of those systems of records likely to possess requested records.” Id. (quoting SafeCard Servs., Inc. v. SEC, 926 F.2d 1197, 1201 (D.C.Cir.1991)). Agency declarations, especially from individuals coordinating the search, are accorded “a presumption of good faith, which cannot be rebutted by purely speculative claims about the existence and discoverability of other documents.” SafeCard 926 F.2d at 1200.

Courts can decide—and award— summary judgment solely based on agency affidavits and declarations that are “relatively detailed and non-conclusory.” Id. Important details include what records were searched, who did the search, and what search terms or processes were used. See Judicial Watch., Inc. v. Dep’t of the Navy, 971 F.Supp.2d 1, 2 (D.D.C.2013). A plaintiff can rebut an agency declaration by raising “substantial doubt[s] as to the reasonableness of the search, especially in light of ‘well-defined requests and positive indications of overlooked materials.’ ” Cunningham, 40 F.Supp.3d at 84 (quoting Founding Church of Scientology of Washington, D.C. v. NSA, 610 F.2d 824, 837 (D.C.Cir.1979)).

III. Analysis

As noted, EPIC contends the DEA’s search for final PIAs was unreasonable because it initially used an incomplete search methodology, unnecessarily limited the scope of the search, and did not modify its search once EPIC provided evidence of potentially additional PIAs.

A. Initial Search Methodology

EPIC first maintains that performing a keyword search was unnecessary. In EPIC’s view, the DEA should have instead spoken with OPCL, CIOSU, and SCOP employees to determine the number and location of completed PIAs. The DEA— rightly—responds that conducting a reasonable search does not require involving external agencies or departments. Def.’s Reply Supp. Mot. Summ. J. 3-4. Even though both are parts of the Justice Department, the OPCL exists outside of the DEA. Thus, a search of the OPCL’s records is best initiated by directing a FOIA request to the OPCL itself, which EPIC did not do. See Campbell v. U.S. Dep’t of Justice, 133 F.Supp.3d 58, 65 (D.D.C.2015) (holding that the DOJ’s Criminal Division was not required to search the DEA for responsive records).

More to the point, an agency’s search is reasonable if it is designed and likely to produce responsive records. See id. at 64. The agency’s declarations show that the DEA’s initial search was just that. DEA chose the CIOSU to lead the search because of its familiarity and expertise with the agency’s compliance efforts and privacy documents. First Myrick Decl. ¶ 10. The CIOSU drafts, stores, and discusses privacy assessments with the OPCL. Second Myrick Decl. ¶ 6. Conversely, the SCOP only signs off on final PIAs before they are submitted to the OPCL. Id. Thus, the “CIOSU knows the locations where responsive [PIAs] are likely to be found.” First Myrick Decl. ¶ 10. The CIO-SU searched its paper files, its Share Drive, its SharePoint site, and relevant staff electronic mail. And the search it designed was successful: It found PIAs, one of which was not already posted online. Furthermore, the DEA explained why the CIOSU did not consult with the SCOP: “[T]here [was] no reasonable basis to believe that the SCOP would be able to identify the location of any additional final DEA PIAs that CIOSU personnel did not locate through the searches they already conducted based on their knowledge of, and experience with, privacy documentation requirements.... ” Second Myrick Decl. ¶ 6. The DEA, not its FOIA request-ors, is charged with determining the most effective way to search its records. EPIC has not provided any evidence undermining the DEA’s initial, good-faith assessment of how and where to search for responsive records.

B. Scope of Search

EPIC next asserts that adding “final” as a search term resulted in underinclusive search results. EPIC’s main concern is that some requested records would not have “final” in the body of the text or in the attached message. It points to public PIAs that do not include “final” in the name or content. PL’s Opp’n 9-10. But the DEA had clarified with EPIC that it wanted only the final PIAs. First Myrick Decl. ¶ 11. And the CIOSU’s initial set of search terms included the words “Privacy Impact Assessment” and “PIA,” which yielded too many results including all draft PIAs and any document that mentioned a PIA in passing. Second Myrick Decl. ¶ 5. To find responsive records, the CIOSU added the term “final” because “[i]t is the customary practice of the CIOSU to use the word ‘final’ in the electronic file names of final, as opposed to draft, PIAs [in the Share Drive and SharePoint site].” Id. The CIO-SU also typically uses “final” in “electronic mail message[s] transmitting a final PIA.” Id. Finally, the CIOSU conducted specific searches based on program names provided by EPIC without adding “final” as a search term. These searches yielded no additional results. Id. This bolsters the DEA’s justification because searches without “final” as a search term did not generate different results. EPIC does not respond to this argument and, in any event, has not raised substantial doubts about the scope of the DEA’s search.

C. Supplemental Search for Missing PIAs

The final issue before the Court is what obligations DEA was under to continue searching once EPIC provided evidence of missing PIAs. EPIC reviewed the 13 OPCL determination letters and found that the OPCL had required the DEA to perform a PIA for four technology systems. These (potential) PIAs were not online and had not previously been provided to EPIC. PL’s Opp’n 10-11. EPIC requested that the DEA perform a supplemental search to uncover them. The CIOSU re-ran its initial search with the same results. EPIC rejects this latter search as unreasonable.

A FOIA plaintiff can undermine the adequacy of an agency’s search if it shows that the agency failed to follow a “clear and certain” lead. See Mobley v. C.I.A., 806 F.3d 568, 582 (D.C.Cir.2015). “Such leads may indicate, for example, other offices that should have been searched, additional search terms that should have been used, or records custodians who should have been consulted.” Coleman v. PEA, 134 F.Supp.3d 294, 301 (D.D.C.2015) (quoting Rollins v. U.S. Dep’t of State, 70 F.Supp.3d 546, 550 (D.D.C.2014)). An initially reasonable search can also become “ ‘untenable’ once [the agency] discovers] information suggesting the existence of other responsive material.” Coleman, 134 F.Supp.3d at 302 (quoting Campbell v. DOJ, 164 F.3d 20, 28 (D.C.Cir.1998)). Here, the relevant OPCL determination letters—addressed to the DEA’s SCOP and Operational Support Division and dated from 2010 to 2011—stated that “the DEA must complete a privacy impact assessment ... for this system.” Pl.’s Opp’n 10. The E-Government Act mandates that PIAs be approved prior to a technology system being implemented. See Pub. L. 107-347, § 208, 116 Stat. 2899, 2921 (2002). Thus, if the DEA implemented or is operating any of these systems, a PIA should have existed for it. This is a “clear and certain” lead about four specific PIAs. And while the DEA is not required to account for specific records, it must “reasonably attempt[] to locate them.” West v. Spellings, 539 F.Supp.2d 55, 62 (D.D.C.2008).

Yet it does not appear that the DEA took reasonable steps to locate these four PIAs. First, it failed to justify why rerunning its original search would suddenly uncover new PIAs for programs that were years old. Second, the CIOSU apparently did not run any independent searches using the program names as search terms— as it did with earlier searches. What is more, the OPCL letters were directed to the SCOP, but no efforts were made to search the SCOP’s records. In the DEA’s own words, the SCOP “reviews, approves, and signs final PIAs.” Second Myrick Deck ¶ 6. If the SCOP had reviewed and approved a final PIA without returning it to the CIOSU, a final version of the PIA might remain with the SCOP. The CIOSU did not explain why searching the SCOP, once EPIC presented evidence of potential additive PIAs, was not likely to uncover responsive records. The OPCL letters provide a “lead” that the CIOSU failed to reasonably follow. Thus, the Court finds that EPIC has raised a substantial doubt' as to the sufficiency of the DEA’s supplemental search for PIAs covering the four identified programs. It will therefore order the agency either to conduct a supplemental search consistent with this opinion or explain in a supplemental declaration why such a search would not be likely to uncover the remaining records in question.

Apart from the DEA’s failure to run down the lead discussed above, the Court finds that the DEA undertook a good-faith, initial search that was reasonably calculated to uncover responsive records. The affidavits offered by the DEA explain and justify where, why, and how the agency searched its files. Neither FOIA nor this Court demands more of it.

IV. Conclusion

For the foregoing reasons, the Court will grant in part and deny in part Defendant’s Motion for Summary Judgment, and will deny in part and reserve judgment in part on Plaintiffs Cross-Motion for Summary Judgment. An Order accompanies this Memorandum Opinion. 
      
      . The additional search terms included: Hemisphere, National License Plate Reader Initiative, LPR, DEA Internet Connectivity Endeavor, DICE, Special Operations Division, SOD, telecommunications metadata, telecommunications, and metadata. First Myrick Decl. ¶ 19. None of these searches produced responsive records. IA
     
      
      . EPIC originally challenged the sufficiency of the DEA’s searches for responsive records to Part 1 and Part 2 of its FOIA request. It has since dropped its challenge to the DEA’s search for responsive records to Part 2 of its request. Pl.’s Reply Supp. Cross-Mot. Summ. J. 2.
     
      
      . The four unaccounted-for PIAs relate to the LIMS, DrugSTAR, NVNS, and WebOCTS systems. See Pl.’s Opp’n, Ex. 3 at 3, 4, 12, 13.
     