In the FWIW department (or should that be the Beating a Dead Horse Department?):
Out of curiousity, I just checked a couple of the previous birfer FOIA fails to refresh my memory on what legal rationales were used to dismiss them.Allen
(that’s “Allen I” in TFB parlance) sought, among other things, Obama’s passport records. In its motion for partial dismissal
, the government argued at P.4:
In keeping with this balanced scheme of disclosure and privacy protection, both agency defendants here have promulgated regulations aimed at protecting individual privacy and, specifically, information protected by the Privacy Act against unwarranted intrusion. These regulations dictate that FOIA requesters seeking records regarding living third party individuals obtain authorization from those individuals to obtain their records. The relevant Department of State regulation requires that “requests for records pertaining to another individual shall be processed under the FOIA and must be accompanied by a written authorization for access by the individual...”
In the order granting partial dismissal
, the Court grabbed the lowest hanging fruit. Specifically, because Allen had not provided “a waiver from the subject third party to obtain the pertinent documents”, he had failed to comply with agency regulations governing release of individualized data to a third party. The regulation at issue (22 C.F.R. §171.12(a)
) harmonizes FOIA processing with Privacy Act requirements..
The Court wrote:
The FOIA specifies that an agency’s obligation to search for records is only triggered upon a FOIA request “made in accordance with published rules stating procedures to be followed”; there is no dispute or allegation that Plaintiff actually obtained a waiver from President Obama or “Barry Soetoro” for the records at issue as required by the applicable regulations. See 5 U.S.C. §552(a)(3)(A). Furthermore, there is case law reflecting that the failure to comply with FOIA agency regulations subjects such non-perfected FOIA requests to dismissal.
So, Allen didn’t follow the regs implementing the Privacy Act requirement to obtain a waiver, and he was toast.
And then there’s Strunk. Where do you begin with Mr. In Esse? Well, in Strunk v. Dep’t of State, et al
, his fail unfolded in essentially the identical way. From the government’s Partial Motion to Dismiss
In keeping with this balanced scheme of disclosure and privacy protection, both agency defendants here have promulgated regulations aimed at protecting individual privacy – and, specifically, information protected by the Privacy Act – against unwarranted intrusion. These regulations dictate that FOIA requesters seeking records regarding third party individuals obtain authorization from those individuals to obtain their records.
Different court, different day; same argument, same result. In this case, the regulations of two agencies were involved --DoS and DHS. (The DoS reg is the same one referenced in Allen
above.) Applying the DHS regulation, the Court’s order granting partial dismissal
DHS’s regulations likewise state that “If you are making a request for records about another individual, either a written authorization signed by that individual permitting disclosure of those records to you or proof that that individual is deceased (for example, a copy of a death certificate or an obituary) must be submitted.” 6 C.F.R. § 5.3; see also id. § 5.21(f) (“If you are making a request for records concerning an individual on behalf of that individual, you must provide a statement from the individual verifying the identity of the individual as provided in paragraph (d) of this section.
So, I’m thinking, that’ll probably be the government’s litigation strategy in this one -- either you submit a Privacy Act waiver or fuggedaboudit. And that’s still my bet in the pool to predict the government’s primary defense tack.
Since SSA is the defendant in Orly's latest, I think I’d start with this SSA reg for background:
20 CFR §401.105 Disclosure of personal information without the consent of the subject of the record.
(a) SSA maintains two categories of records which contain personal information:
(1) Nonprogram records, primarily administrative and personnel records which contain information about SSA's activities as a government agency and employer, and
(2) Program records which contain information about SSA's clients that it keeps to administer benefit programs under Federal law.
(b) We apply different levels of confidentiality to disclosures of information in the categories in paragraphs (a) (1) and (2) of this section. For administrative and personnel records, the Privacy Act applies. To the extent that SSA has physical custody of personnel records maintained as part of the Office of Personnel Management's (OPM) Privacy Act government-wide systems of records, these records are subject to OPM's rules on access and disclosure at 5 CFR parts 293 and 297. For program records, we apply somewhat more strict confidentiality standards than those found in the Privacy Act. The reason for this difference in treatment is that our program records include information about a much greater number of persons than our administrative records, the information we must collect for program purposes is often very sensitive, and claimants are required by statute and regulation to provide us with the information in order to establish entitlement for benefits.
So it would appear that the SSA’s regs imply something that might, for want of a better term, be called “Privacy Act Plus”. Interesting. I'm not sure I understand what that really means, but it’s at least interesting.
20 C.F.R. §401.105 Relationship between the FOIA and the Privacy Act of 1974.
(a) Coverage. The FOIA and the rules in this part apply to all SSA records. The Privacy Act, 5 U.S.C. 552a, applies to records that are about individuals, but only if the records are in a system of records. "Individuals" and "system of records" are defined in the Privacy Act and in 20 CFR 401.25.
(b) Requesting your own records. If you are an individual and request records, then to the extent you are requesting your own records in a system of records, we will handle your request under the Privacy Act. If there is any record that we need not release to you under those provisions, we will also consider your request under the FOIA and this rule, and we will release the record to you if the FOIA requires it.
(c) Requesting another individual's record. Whether or not you are an individual, if you request records that are about an individual (other than yourself) and that are in a system of records, we will handle your request under the FOIA and the rules in this part. However, if our disclosure in response to your request would be permitted by the Privacy Act's disclosure provision, (5 U.S.C. 552a(b)), for reasons other than the requirements of the FOIA, and if we decide to make the disclosure, then we will not handle your request under the FOIA and the rules in this part. For example, when we make routine use disclosures pursuant to requests, we do not handle them under the FOIA and the rules in this part. ("Routine use" is defined in the Privacy Act and in 20 CFR 401.25.) If we handle your request under the FOIA and the rules in this part and the FOIA does not require releasing the record to you, then the Privacy Act may prohibit the release and remove our discretion to release.
Ya think they could they have made this a little more obtuse? But moving along…
20 C.F.R. §401.100 Disclosure of records with the written consent of the subject of the record.Bingo!
(a) General. Except as permitted by the Privacy Act and the regulations in this part, or when required by the FOIA, we will not disclose your records without your written consent.
(b) Disclosure with written consent. The written consent must clearly specify to whom the information may be disclosed, the information you want us to disclose (e.g., social security number, date and place of birth, monthly Social Security benefit amount, date of entitlement), and, where applicable, during which timeframe the information may be disclosed (e.g., during the school year, while the subject individual is out of the country, whenever the subject individual is receiving specific services).
In the absence of a FOIA exemption that expressly
prohibits disclosure of social security numbers data without potentially invoking a balancing test, that’s the reg I’d hang my hat on. Simply put, Orly did not file a written consent as required by both regulation and statute. Having failed to comply with administrative procedures, the suit can be summarily dismissed.
But that still leaves one question unanswered. If the Privacy Act is the more bulletproof and direct approach, why did Sherman v. U.S. Dep't of the Army
(the case that Judge Lamberth used in his footnote above) turn on an interpretation of Exemption 6?
, the plaintiff made a FOIA request for a large set of records containing SSN data on many individuals – a computer tape consisting of a whole file – such that obtaining written consents waivers from each and every person amounted to an impossibility. Further, the plaintiff was not specifically seeking the disclosure of numbers identifying or targeting individuals; the issue was the costs of having the social security numbers redacted. (At $350,000, it wasn't chump change.) But, even so, the Sherman Court
offered this dicta:
The Army has not argued that the Privacy Act bars disclosure of the SSNs in this case. We note that incorporation of the Privacy Act into our analysis would not alter our resolution of the case. The Privacy Act bars a government agency from disclosing SSNs unless, inter alia, disclosure is required by the FOIA. See 5 U.S.C. 552a (b)(2). The FOIA requires disclosure of Sherman's entire request unless an exemption supports redaction of SSNs. Hence, even starting from the Privacy Act, the focus of our analysis properly falls on the applicability of exemption 6 of the FOIA.
Soo...from the standpoint of litigation strategy, it seems to me that when the case involves a plaintiff who is targeting specific individual(s), it's easiest to get them on the way in the door for not following agency procedures requiring written waivers from the subject(s). For broader requests, or requests for data that are kept outside of a "system of records", Exemption 6 is the route to go.
(I know, I know...with Orly at the wheel, it doesn't matter. It just doesn't matter.)