Postal service

Federal Court Dismisses Litigation Challenging U.S. Postal Service’s Use of Facial Recognition and Related Technologies

Late last week, a federal court dismissed a lawsuit challenging the United States Postal Service’s (“USPS”) use of facial recognition and related technologies to collect personal data, finding that the group that filed the claims did not have standing. Electronic Privacy Information Center c. United States Postal Service et al., Case No. 1:21-cv-02156 (DDC). As it is anticipated that the use of facial recognition and AI will continue to be challenged by plaintiffs and other parties in privacy disputes in the future, the resolution of this particular dispute is relevant to other cases, particularly with regard to government activity in this space. Keep reading to learn more.

In August of last year, the Electronic Privacy Information Center (“EPIC”) filed on its behalf and on behalf of its members alleging that the USPS failed to comply with the Electronic Government Act. This law, which was enacted in 2002, was designed to improve the government’s use of information technology “in a manner consistent with laws relating to privacy, national security. . . and other relevant laws. 116 Statistics 2899, 2901 (2002) (Act), codified at 44 USC § 3501.

With respect to this litigation, Section 208 of the eGovernment Act requires an agency to conduct, review and, “if possible,” publish a Privacy Impact Assessment (“PIA”). ). The agency must take these steps before collecting “information in an identifiable form capable of physically or online contacting a specific person,” if the agency imposes the same reporting requirements on “10 or more people.” As publicly stated elsewhere, since at least 2018 the USPS has had the Internet Covert Operations (“iCOP”) Program in place. iCOP facilitates the identification of individuals and organizations that use “USPS mail or online tools” for unlawful purposes. As part of iCOP, the USPS monitors social media posts for threats of violence and uses facial recognition to identify potential threat actors.

In May 2021, EPIC submitted a Freedom of Information Act request requesting a PIA for the facial recognition and social media monitoring systems used by iCOP. The USPS conducted a search but was unable to locate a PIA. EPIC renewed its request but never received a response. EPIC later filed an action under the Administrative Procedure Act, alleging that the USPS began using iCOP without conducting a PIA, as EPIC had asserted as required by the law on electronic government. Similarly, EPIC also argued allegations of “unlawfully withheld agency action” for the same conduct and further sought a mandamus warrant requiring the USPS to “perform and publish” a PIA and suspect iCOP until such evaluation is completed.

The USPS decided to dismiss the litigation for lack of standing and for failure to declare a valid claim. The Court agreed, holding that “[t]a Court begins and ends by standing” as “[t]there is no justiciable case or controversy unless the plaintiff has standing.

Standing under Article III is required to establish the jurisdiction of a federal court over a particular dispute. This requires that a plaintiff “must demonstrate (1) that he has suffered concrete and specific harm (2) which is sufficiently attributable to the defendant’s impugned action and (3) which is capable” of being repaired by a favorable decision of the Court.

In this case, EPIC argues that it had organizational status in its own name and additionally associational status in the name of its members. The Court found that either basis was inadequate.

First, EPIC can only claim organizational status in the case, the Court found, if “if [USPS’] actions cause concrete and demonstrable harm to [EPIC’s] activities that is more than just a setback to the abstract social interests of the organization. Specifically, the Court held that, for an alleged information deficiency to constitute factual harm, EPIC must allege that “(1) it was deprived of information that, according to its interpretation, a statute requires the government or a third party to disclose to him, and (2) he suffers, by being denied access to such information, the type of harm that Congress sought to prevent by requiring disclosure.

Consistent with its decisions in two other cases, the Court held that the failure to publish a PIA does not create sufficient informational harm to have standing. This included, among other reasons, that Section 208 of the eGovernment Act aims to protect individuals (by protecting the privacy of individuals). As such, the Court held that an informational injury alleged under Section 208 “cannot pass the second stage” of the test for factual informational injury. Noting that EPIC’s position had already been rejected twice in two related cases, the Court chastised EPIC’s lawyers stating that “[t]The Court reminds EPIC’s attorneys to strictly adhere to their obligations under Rule 11 in future cases.

Second, the Court held that the same analysis also precluded individual EPIC members from establishing Article III standing. Indeed, the Court explained, informational injury is “not the ‘harm that Congress sought to prevent through Section 208,’ among other reasons. The Court was also not persuaded that EPIC members had suffered invasions of their privacy, particularly when, as here, EPIC was merely alleging a mere procedural violation of e-Government law. Indeed, the Court explained, breaches of privacy “generally stem from the disclosure of private information”. Here, by contract, EPIC made no allegation that the USPS disclosed information about EPIC members or was likely to do so at a later time.

The Court dismissed EPIC’s claims for lack of standing. This case is a reminder that, whatever the context, the requirement that a complainant establish at all stages of a proceeding Article III standing in disputes over data privacy and cybersecurity is binding. Besides, this litigation is another example of mere procedural violations of a privacy law not being sufficient for the purposes of Article III. Federal courts have shown a willingness to dismiss data privacy cases at the pleadings stage for lack of standing and this most recent decision is another example of that trend.