Federal Court Dismisses Litigation Challenging U.S. Postal Service’s Use of Facial Recognition and Related Technologies

A federal court at the end of last week dismissed litigation challenging the U.S. Postal Service’s (“USPS”) use of facial recognition and related technologies to collect personal data, finding that the group which filed the claims lacked standing. Electronic Privacy Information Center v. the United States Postal Service et al., Case No. 1:21-cv-02156 (D.D.C.).

As it is anticipated the use of facial recognition and AI will continue to be challenged by plaintiffs and other parties in privacy litigations going forward, the resolution in this particular dispute is relevant for other cases, particularly insofar as government activity in this space is concerned. 

In August of last year, the Electronic Privacy Information Center (“EPIC”) filed on behalf of itself and its members alleging that the USPS failed to comply with the E-Government Act. This law, which was enacted in 2002, was designed to improve the Government’s use of information technology “in a manner consistent with laws regarding the protection of personal privacy, national security . . . and other relevant laws.” 116 Stat. 2899, 2901 (2002) (Act), codified at 44 U.S.C. § 3501.

As relevant to this litigation, Section 208 of the E-Government Act requires an agency to conduct, review, and, “if practicable,” publish a privacy impact assessment (“PIA”). The agency must take these steps before it collects “information in an identifiable form permitting the physical or online contacting of a specific individual,” if the agency imposes the same reporting requirements on “10 or more persons.”

As reported elsewhere publicly, since at least 2018 USPS has had in place the Internet Covert Operations Program (“iCOP”). iCOP facilitates the identification of individuals and organizations who use “the mail or USPS online tools” for illegal purposes. As part of iCOP, USPS monitors social media posts for threats of violence and uses facial recognition to identify potential threat actors.

In May 2021, EPIC submitted a Freedom of Information Act request seeking a PIA for the facial recognition and social media monitoring systems used by iCOP. USPS conducted a search but failed to locate a PIA. EPIC renewed its request but never received a response.

EPIC subsequently filed suit under the Administrative Procedure Act alleging that USPS began using iCOP without conducting a PIA as EPIC claimed was required under the E-Government Act. Similarly, EPIC also asserted claims for “agency action unlawfully withheld” for the same conduct and additionally sought a writ of mandamus compelling USPS to “conduct and publish” a PIA and suspect iCOP until such an assessment was completed.

USPS moved to dismiss the litigation for lack of standing and for failure to state a cognizable claim. The Court agreed, finding that “[t]he Court begins and ends with standing” as “[t]here is no justiciable case or controversy unless the plaintiff has standing.”

Article III standing is required to establish a federal court’s subject matter jurisdiction over a particular dispute. This requires that a plaintiff  “must show

  1. it has suffered a concrete and particularized injury
  2. that is fairly traceable to the challenged action of the defendant and
  3. that is likely” redressable by a favorable decision from the Court.

In this instance, EPIC argues that it had organizational standing on its own behalf and additionally associational standing on behalf of its members. The Court found either bases inadequate.

First, EPIC can claim organizational standing in the case, the Court found, only if “if [USPS’] actions cause concrete and demonstrable injury to [EPIC’s] activities that is more than simply a setback to the organization’s abstract social interests.” More specifically, the Court held, for a purported informational gap to constitute an injury in fact, EPIC must allege that “(1) it has been deprived of information that, on its interpretation, a statute requires the government or a third party to disclose to it, and (2) it suffers, by being denied access to that information, the type of harm Congress sought to prevent by requiring disclosure.”

Consistent with its rulings in two other cases, the Court held that failure to publish a PIA does not create an informational injury sufficient for standing. This included, among other reasons, that Section 208 of the E-Government Act is intended to protect individuals (by protecting individual privacy). As such, the Court held, an asserted informational injury under Section 208 “cannot satisfy the second step” of the test for an informational injury in fact. Noting that EPIC’s position had already been twice rejected in two related cases, the Court chastised EPIC’s attorneys stating that “[t]he Court reminds EPIC’s attorneys to scrupulously adhere to their Rule 11 obligations in future cases.”

Second, the Court held that the same analysis likewise precluded individual EPIC members from establishing Article III standing. This was because, the Court explained, an informational injury is “not the “harm Congress sought to prevent through Section 208,” among other reasons. Nor was the Court convinced that EPIC members had suffered injuries to their privacy—particularly when, as here, EPIC was merely alleging a bare procedural violation of the E-Government Act. This was because, the Court explained, privacy injuries “ordinarily stem from the disclosure of private information.” Here, by contract, EPIC made no allegation whatsoever that USPS has disclosed any information of EPIC members or was likely to do so at some future point in time.

The Court dismissed EPIC’s claims for lack of standing. This case is a reminder that regardless of context, the requirement that a plaintiff establish at all stages of a proceeding Article III standing in data privacy and cybersecurity litigations is burdensome. Moreover, this litigation is yet another example of mere procedural violations of a privacy statute cannot suffice for purposes of Article III. Federal courts have shown a willingness to dismiss data privacy cases at the pleadings stage for lack of standing and this most recent ruling is another example of this trend.