You are viewing an archived webpage. The information on this page may be out of date. Learn about EPIC's recent work at epic.org.

EPIC v. Presidential Election Commission

Challenging the unlawful collection of personal voter data by the Presidential Advisory Commission on Election Integrity

EPIC v. Commission is a lawsuit to block the (now defunct) Presidential Election Commission and associated federal agencies from unlawfully collecting and retaining millions of state voter records. The Commission failed to publish a Privacy Impact Assessment—as required by the E-Government Act of 2002—prior to obtaining names, addresses, voter histories, and other personal voter data from state election officials. The collection of detailed voter records by the Commission also violated the constitutional privacy rights of millions of Americans. The Commission committed multiple egregious security blunders in its short existence, including directing election officials to send voter records to an unsecure web site and proposing to publish partial social security numbers that would enable identity theft and financial fraud. Since EPIC filed suit in July 2017, the Commission was disbanded by the President, the collection of state voter data was halted, and the voter data obtained by the Commission was deleted in full. EPIC currently has a petition for certiorari in the case pending before the Supreme Court.

Overview

The Presidential Advisory Commission on Election Integrity was created by Executive Order on May 11, 2017. The Commission, which consisted of members appointed by the President, was charged with "study[ing] the registration and voting processes used in Federal elections" and preparing a report on various election issues. On June 28, 2017, Kris Kobach, the Vice Chair of the Commission, sent a letter to election officials in all fifty states and the District of Columbia seeking a wide array of personal voter information, including names, addresses, dates of birth, political affiliations, voter histories, criminal records, military statuses, and partial social security numbers. The Commission did not conduct and publish a Privacy Impact Assessment prior to seeking this personal data, despite a requirement in the E-Government Act of 2002 that it do so.

EPIC's Lawsuit

On July 3, 2017—five days after the Commission sent its letter—EPIC filed a complaint and motion for a temporary restraining order to halt the collection of voter information. The case was captioned EPIC v. Commission, No. 17-1320 (D.D.C. filed July 3, 2017). Judge Colleen Kollar-Kotelly of the U.S. District Court for the District of Columbia held an initial teleconference that day and set an expedited briefing schedule. After EPIC and the Commission filed additional briefs, the Court held an in-person hearing on July 7. On July 10, the Commission announced that it would suspend the collection of voter data pending the Court's decision, discontinue the use of an unsafe computer server, and delete the data it had already obtained.

Three days later, on July 13, 2017, EPIC filed an amended motion for a temporary restraining order and preliminary injunction. The Commission responded on July 17, and EPIC filed a reply later that day. On July 24, the Court denied EPIC's motion for an injunction, concluding that neither the Commission nor the other government actors involved in collecting state voter data were subject to judicial review under the Administrative Procedure Act. Shortly after the Court's decision, the Commission resumed its collection of state voter data.

On July 25, 2017, EPIC appealed the District Court's preliminary decision to the U.S. Court of Appeals for the District of Columbia Circuit. The appeal was captioned EPIC v. Commission, No. 17-5171 (D.C. Cir. docketed July 27, 2017). EPIC filed an opening brief on August 18. The Commission filed a response on September 15, and EPIC filed a reply on September 22. Oral arguments were held before a three-judge panel of the D.C. Circuit on November 21. On December 26, the panel affirmed the District Court's order on the view that EPIC lacked Article III standing to bring suit for violations of the E-Government Act's Privacy Impact Assessment provisions.

On January 3, 2018—six months to the day after EPIC filed suit—President Trump terminated the Commission via executive order. The White House cited "endless legal battles" and the refusal of many state election officials to provide personal voter data. On January 11, EPIC asked the three-judge panel of the D.C. Circuit to vacate its December 26 decision, as the demise of the Commission had rendered the appeal moot and prevented EPIC from obtaining further review of the panel's decision. The Government filed a response to the motion, and EPIC filed a reply. On February 9, EPIC also petitioned the full ("en banc") D.C. Circuit to rehear the case and/or to vacate the panel's decision. On February 22, the Court ordered the Government to file a response to EPIC's en banc petition, which it did on March 9. On April 2, the D.C. Circuit denied both the motion and the petition.

EPIC has now petitioned the United States Supreme Court to review the D.C. Circuit's decision through a writ of certiorari. On June 21, 2018, EPIC asked the Court to extend the time to file a petition through August 30. The Court granted that application on June 26. On August 30, EPIC filed its petition, which argues that the D.C. Circuit's opinion is wrongly decided and should be vacated because the case is moot. The Government filed a brief in opposition on November 30, and EPIC filed a reply brief on December 12. EPIC's petition is captioned EPIC v. Commission, No. 18-267 (U.S. docketed Aug. 31, 2018).

Proceedings also continued in the District Court during the pendency of EPIC's appeal. The Commission filed a motion to dismiss EPIC's complaint on September 5, 2017. EPIC filed an opposition on September 19, and the Commission filed a reply on September 26. Following the disclosure and discovery of new facts concerning the Commission's agency status, EPIC moved for leave to file a revised complaint on October 12. The revised complaint explained that the Commission was part of—and subject to the authority of—the General Services Administration.

On June 28, 2018—roughly six months after the Commission was disbanded—the District Court asked the remaining defendants for an update on the status of the voter data collected by the Commission. On July 17, the Government informed the Court that it was "ready to destroy the state voter data." On July 19, following a response from EPIC, the Court denied the parties' pending motions and ordered the Government to notify the Court when "all state voter data collected by the Commission has been deleted." The Court added that “[u]pon Defendants’ confirmation of deletion, the Court expects that this case can be dismissed." On August 20, the Government announced that it had deleted the voter data and all backups thereof. On August 22, the Court dismissed the case, finding that "no further adjudication of this action is necessary."

The Commission's Collection of State Voter Data

The Commmission's June 28, 2017 letter to state election officials was unprecedented. Such a request for sensitive voter data had never been made by a federal official in the history of the country. The Commission sought "voter roll data" including:

  • the full first and last names of all registrants, middle names or initials if available
  • addresses
  • dates of birth
  • political party (if recorded in your state)
  • last four digits of social security number if available
  • voter history (elections voted in) from 2006 onward
  • active/inactive status, cancelled status
  • information regarding any felony convictions
  • information regarding voter registration in another state
  • information regarding military status, and
  • overseas citizen information.

According to the U.S. Census Bureau, state voter rolls include the names, addresses, and other personally identifiable information of at least 157 million registered voters.

The Commission's letter to state officials warned that "any documents that [we]re submitted to the full Commission w[ould] also be made available to the public." The Commission asked for a response by July 14, 2017.

Notably, the "SAFE" URL provided by the Commission for the submission of voter data led election officials to a unsecure website. When the URL was loaded in Google Chrome, a security warning appeared stating: "Your connection is not private. Attackers may be trying to steal your information from [the site proposed by the Commission] (for example, passwords, messages, or credit cards)."

The Commission's Unlawful Failure to Publish a Privacy Impact Assessment

Under the E-Government Act of 2002, any agency "initiating a new collection of information that (I) will be collected, maintained, or disseminated using information technology; and (II) includes any information in an identifiable form permitting the physical or online contacting of a specific individual" is required to complete a Privacy Impact Assessment ("PIA") before initiating such collection. The agency must "(i) conduct a privacy impact assessment; (ii) ensure the review of the privacy impact assessment by the Chief Information Officer, or equivalent official, as determined by the head of the agency; and (iii) if practicable, after completion of the review under clause (ii), make the privacy impact assessment publicly available through the website of the agency, publication in the Federal Register, or other means."

A Privacy Impact Assessment for a "new collection of information" must be "commensurate with the size of the information system being assessed, the sensitivity of information that is in an identifiable form in that system, and the risk of harm from unauthorized release of that information." The PIA must specifically address "(I) what information is to be collected; (II) why the information is being collected; (III) the intended use of the agency of the information; (IV) with whom the information will be shared; (V) what notice or opportunities for consent would be provided to individuals regarding what information is collected and how that information is shared; [and] (VI) how the information will be secured."

Under the Federal Advisory Committee Act ("FACA"), "records, reports, transcripts, minutes, appendixes, working papers, drafts, studies, agenda, or other documents which were made available to or prepared for or by [an] advisory committee shall be available for public inspection and copying at a single location in the offices of the advisory committee or the agency to which the advisory committee reports until the advisory committee ceases to exist."

Despite the clear requirements of the E-Government Act and the FACA, the Commission denies that it has any obligation to conduct and publish a Privacy Impact Assessment before collecting personal voter data. The Commission's failure to do so is the basis for EPIC's statutory claims.

The Commission's Violation of the Constitutional Right to Informational Privacy

The Supreme Court has long recognized that individuals have a constitutionally protected interest in "avoiding disclosure of personal matters." Whalen v. Roe (1977); see also Nixon v. Administrator of General Services (1977). As the U.S. Court of Appeals for the D.C. Circuit explained in AFGE v. HUD (1997), the "individual interest in protecting the privacy of information sought by the government" is even greater where that information will be "disseminated publicly." The Supreme Court most recently explored the right to informational privacy in NASA v. Nelson (2011), holding that the Government could perform background checks on employees because the information sought was both "reasonable" and protected by Privacy Act safeguards.

In seeking to aggregate personal voter data from tens of millions of Americans, the Commission has created informational privacy risks comparable to those in NASA v. Nelson—yet with none of the corresponding privacy safeguards or practices and little evidence that the request is "reasonable." To the contrary: the Commission has expressly disclaimed any obligation to undertake a Privacy Impact Assessment and has committed basic security errors such as referring state election officials to an unsecure website. These are the circumstances where a claim of informational privacy is most compelling. If there is any information worthy of a constitutional shield from collection and disclosure, it is personal information shared for the limited purpose of exercising of the right to vote.

EPIC's Expert Letter and FOIA Requests

EPIC's lawsuit followed a letter from 50 voting experts and 20 privacy organizations urging state election officials to oppose the Commission's demand. EPIC also filed three Freedom of Information Act requests to the Department of Homeland Security, the Executive Office for U.S. Attorneys, and the Social Security Administration seeking details of the Commission's attempts to obtain sensitive personal data from other federal agencies.

EPIC v. Commission Litigation Documents


EPIC v. Commission, No. 1:17-cv-01320-CKK (D.D.C. filed July 3, 2017)

EPIC v. Commission, No. 17-5171 (D.C. Cir. docketed July 27, 2017)

EPIC v. Commission, No. 18-267 (U.S. docketed Aug. 31, 2018)

EPIC Letter to State Election Officials

On July 3, 2017, EPIC—joined by more than 50 privacy experts and 20 civil liberties organizations—sent a letter to the National Association of State Secretaries urging state election officials to oppose the Commission's request for state voter data.

EPIC Freedom of Information Act Requests

On September 11, 2017, EPIC filed three Freedom of Information Act requests to the Department of Homeland Security, the Executive Office for U.S. Attorneys, and the Social Security Administration seeking details of the Commission's attempts to obtain sensitive, personal data from other federal agencies. At the Commission's first meeting, Vice Chair Kris W. Kobach tasked Commission staff with "trying to collect whatever data there is that's already in the possession of the federal government that might be helpful to us," including data protected by the Privacy Act.

Related Litigation

At least fourteen other lawsuits have been filed concerning the work of the Commission, nine of those in federal court and five in state court.

Lasky v. Gardner, No. 226-2017-cv-00340 (N.H. Sup. Ct. filed July 10, 2017)

On July 6, 2017, the ACLU of New Hampshire and two state legislators filed suit against New Hampshire Secretary of State William Gardner to block the state from unlawfully disclosing voter information to the Commission. On August 7, 2017, Gardner announced that New Hampshire would submit scanned images of voter rolls to the Commission rather than a digitally searchable index.

ACLU v. Trump, No. 17-1351 (D.D.C. filed July 10, 2017)

On July 10, 2017, the ACLU filed suit against President Trump and the Presidential Election Commission for violating the Commission's transparency requirements and failing to ensure an ideologically balanced membership. The ACLU also moved for a preliminary injunction to force the Commission to comply with its legal obligations as an advisory committee. The Court denied that motion on July 18, 2017. A stay was granted in the case on September 8, 2017.

Lawyers' Committee v. Commission (D.D.C. filed July 10, 2017; D.C. Cir. appeal docketed July 21, 2017)

On July 10, 2017, the Lawyers' Committee for Civil Rights Under Law filed suit against the Presidential Election Commission for violating the Commission's transparency requirements. The Lawyers' Committee also moved for a preliminary injunction to force the Commission to comply with its legal obligations as an advisory committee. The Court denied that motion on July 18, 2017. The Lawyers' Committee appealed the Court's decision on July 19, 2017. Proceedings are also continuing in the District Court. On September 29, 2017, the Government—following a discovery motion by the Lawyers' Committee—filed a document index and two declarations with key information about the Commission's records.

 Case No. 17-1354 (D.D.C. filed July 10, 2017)  Case No. 17-5167 (D.C. Cir. appeal docketed July 21, 2017)

Public Citizen v. Army, No. 17-1355 (D.D.C. filed July 10, 2017)

On July 10, 2017, Public Citizen filed suit against the U.S. Department of the Army to block the Commission's collection of voter data using the Army's "Safe Access File Exchange" (SAFE). After the Commission announced that it would no longer use the SAFE system to collect voter data, Public Citizen voluntarily dismissed its complaint on July 25, 2017.

Joyner v. Commission, No. 17-22568 (S.D. Fla. filed July 10, 2017)

On July 10, 2017, the ACLU of Florida, the Florida Immigrant Coalition, two Florida elected officials, and three Florida voters filed suit against the Floriday the Commission for failing to meet its statutory obligations as an advisory committee, for breaching the constitutional separation of powers, and for violating several other federal statutes. The plaintiffs also sued Florida Secretary of State Ken Detzner for violating state law. The plaintiffs moved for a temporary restraining order against the Commission to block it from collecting state voter data. The Court denied that motion on July 20, 2017. Detzner filed a motion to dismiss on Aug. 14, 2017, and the plaintiffs filed a response on Sep. 28, 2017. The Commission filed a separate motion to dismiss on Oct. 20, 2017.

Marley v. Denney, No. CV01-17-12594 (Idaho Dist. Ct. filed July 11, 2017)

On July 11, 2017, the Idaho Democratic Party filed suit against Idaho Secretary of State Lawerence Denney to block the state from transferring voter data to the Commission. The parties reached a settlement under which Idaho would (1) decline to respond to the Commission's initial data request, and (2) give the Idaho Democratic Party 10 days' notice before responding to any subsequent Commission requests for state voter data.

League of Women Voters of Indiana v. Lawson, No. 45D02-1707-PL-00047 (Ind. Sup. Ct. filed July 11, 2017)

On July 11, 2017, the League of Women Voters of Indiana and the Indiana NAACP, working with the Brennan Center for Justice, filed suit against Indiana Secretary of State Connie Lawson to block the state from unlawfully transferring voter data to the Commission.

Common Cause v. Commission, No. 17-1398 (D.D.C. filed July 14, 2017)

On July 14, 2017, Common Cause filed suit against the Commission, the Department of Homeland Security, and the Social Security Administration arguing that the Commission's collection of voter data violated the Privacy Act's prohibition on maintaining records related to the exercise of First Amendment rights. Common Cause also moved for a temporary restraining order and/or preliminary injunction to block the Commission from obtaining any voter information. The Court denied that motion on August 1, 2017. Common Cause filed an amended complaint on September 13, 2017.

NAACP Legal Defense Fund v. Trump, No. 17-5427 (S.D.N.Y. filed July 18, 2017)

On July 18, 2017, the NAACP Legal Defense Fund and the Ordinary People Society filed suit against President Trump and the Commission for violations of the Fifth Amendment right to Equal Protection; the Fifteenth Amendment prohibition on race-based denials of voting rights; legal limits on the President's powers; the Federal Advisory Committee Act; and the Administrative Procedure Act.

League of Women Voters of Texas v. Pablos (Tex. Dist. Ct. filed July 20, 2017; Tex. App. appeal filed Oct. 10, 2017)

On July 20, 2017, the League of Women Voters of Texas and Texas NAACP, working with the Brennan Center for Justice, filed suit against Texas Secretary of State Rolando Pablos and others to block the state from unlawfully transferring voter data to the Commission. On October 3, 2017, the Travis County District Court granted the plaintiffs' motion for a temporary restraining order and halted the state's planned data transfer. On October 10, 2017, the defendants petitioned for a writ of mandamus from the Texas Court of Appeals and sought temporary relief from that court. The Court of Appeals stayed proceedings in the district court but extended the Temporary Restraining Order against the transfer of voter data.

 Case No. D-1-GN-17-003451 (Tex. Dist. Ct. filed July 20, 2017)  Case No. 03-17-00662-CV (Tex. App. appeal filed Oct. 10, 2017)

League of United Latin American Citizens of Utah v. Cox (Utah Dist. Ct. filed July 26, 2017)

On July 26, 2017, the League of United Latin American Citizens of Utah and the League of Women Voters of Utah, working with the Brennan Center for Justice, filed suit against Utah Lieutenant Governor Spencer Cox to block the state from unlawfully transferring voter data to the Commission.

Brennan Center v. Department of Justice, No. 17-6335 (S.D.N.Y. filed Aug. 21, 2017)

On August 21, 2017, the Brennan Center for Justice and the Protect Democracy Project filed a Freedom of Information Act (FOIA) suit against the Department of Justice, the Department of Homeland Security, and the Office of Management and Budget to compel the disclosure of records pertaining to the Commission.

United to Protect Democracy v. Commission, No. 17-2016 (D.D.C. filed Sep. 29, 2017)

On September 29, 2017, United to Protect Democracy filed suit against the Commission, the Office of Management and Budget (OMB), and OMB Director Mick Mulvaney. The suit alleges that the Commission and OMB violated the Paperwork Reduction Act (PRA) and Administrative Procedure Act by failing to follow procedures regulating the government's collection of data. On October 11, 2017, Protect Democracy moved for a preliminary injunction to halt the Commission's collection and use of data until the Commission complies with the PRA.

Dunlap v. Commission, No. 17-2361 (D.D.C. filed Nov. 9, 2017)

On November 9, 2017, Maine Secretary of State and Commission Member Matthew Dunlap filed suit against the Commission and nine related government defendants seeking—among other remedies—"any and all correspondence between Commission members in the possession of the Commission[.]" The suit follows an October 17, 2017 letter from Dunlap to Commission Designated Federal Officer Andrew Kossack seeking the same records—a letter to which Dunlap did not receive a reply. Dunlap alleges that the Commission has violated the Federal Advisory Committee Act and Administrative Procedure Act by denying him meaningful participation in Commission proceedings, by refusing to disclose Commission records, and by conducting activities prior to the filing of the Commission's charter on June 23, 2017. On November 16, 2017, Dunlap moved for a preliminary injunction to compel the Commission to comply with its FACA obligations.

Other Documents

News

EPIC Resources

Other Resources

Share this page:

Defend Privacy. Support EPIC.
US Needs a Data Protection Agency
2020 Election Security