Standing for Privacy Impact Assessments


Today the D.C. Circuit Court issued a decision in Elec. Privacy Info. Ctr. v. Presidential Advisory Comm'n on Election Integrity, No. 17-5171, 2017 U.S. App. LEXIS 26535 (D.C. Cir. Dec. 26, 2017), affirming the denial of preliminary injunction to the Electronic Privacy Information Center (EPIC) to prohibit the Presidential Advisory Commission on Election Integrity from collecting voter data without completing a privacy impact assessment under the E-Government Act of 2002. The court determined that EPIC did not have standing.

Section 208 of the Act requires that an assessment be completed if, "information in an identifiable form permitting the physical or online contacting of a specific individual, if identical questions have been posed to, or identical reporting requirements imposed on, 10 or more persons." The Commission has promised to 'de-identify' any voter data before it is made publicly available.

The D.C. Circuit ruling found that EPIC could not show a particularized and concrete injury traceable to the Commission's conduct that was capable of redress. While the denial of information can be an injury in fact, EPIC was not the kind of plaintiff the Act seeks to prevent from being harmed - it is an organization - not an individual that can vote.

In her decision, Judge Henderson concluded that, "Nor is EPIC's asserted harm—an inability to 'ensure public oversight of record systems,' Appellant's Reply Br. 9—the kind the Congress had in mind. Instead, section 208 is directed at individual privacy, which is not at stake for EPIC." [Id. at 10].