On May 11, 2012, the U.S. Court of Appeals for the District of Columbia Circuit ruled that the National Security Agency (NSA) properly refused to confirm or deny whether records exist regarding the alleged cyber-security collaboration between NSA and Google in response to a Freedom of Information Act (FOIA) request for such records by the Electronic Privacy Information Center (EPIC). The D.C. Circuit ruling identified the extent of deference given to intelligence agencies to withhold information regarding their activities under applicable FOIA exemptions.
Although FOIA provides for the public disclosure of government records, it exempts records in nine categories, such as classified information (Exemption 1), matters exempted from disclosure by another statute (Exemption 3), and trade secrets or confidential business information (Exemption 4). 5 U.S.C. § 552(b). Where an agency’s acknowledgement that records do or do not exist would itself disclose FOIA-exempt information, an agency can issue what is known as a Glomar response, as the NSA did here, in which it refuses to confirm or deny whether such records exist. Glomar responses are proper where the agency supports the cited FOIA exemption with reasonable specificity and the agency’s justification is logical or plausible.
Here, the NSA invoked a Glomar response under FOIA Exemption 3, which exempts “matters specifically exempted from disclosure by statute,” 5 U.S.C. § 552(b)(3), relying in turn on the National Security Agency Act of 1959 as amended, which broadly exempts from disclosure “the organization or any function of the National Security Agency” and “any information with respect to [NSA’s] activities.” Pub. L. No. 86-36, § 6(a), 73 Stat. 63, 64 (1959). EPIC brought suit in the D.C. District Court challenging the NSA’s Glomar response, and subsequently appealed to the D.C. Circuit.
The D.C. Circuit’s ruling illustrates the breadth of protections afforded the NSA under the NSA Act. First, the NSA Act presumes harm from disclosure of NSA activities, relieving the agency of the typical requirement to show that responding to the FOIA inquiry would cause harm. Therefore, NSA’s burden in invoking Exemption 3 is simply to support its Glomar response with affidavit(s) identifying the implicated organization, function, or activity of NSA that would be disclosed in acknowledging whether requested documents exist. Second, the court clarified that the range of NSA activities or functions that justify a Glomar response extends far beyond classified intelligence gathering activities to include records that implicate any NSA activity, such as monitoring commercial technologies through a partnership with Google. Finally, the D.C. Circuit explained that media articles publicizing limited information on the purported clandestine collaboration between NSA and Google does not waive the NSA’s right to withhold all related information absent an official, voluntary disclosure or acknowledgement by NSA.
The DC Circuit’s deference to NSA under Exemption 3 differs significantly from the application of other FOIA exemptions, such as the Exemption 4 protection for trade secrets and confidential business information. Under Exemption 4, the burden on an agency and a private enterprise seeking to protect confidential business information it submitted to the government is higher in several ways. First, the NSA Act broadly protects any information related to the agency, whereas Exemption 4 requires demonstrating that the specific information at issue constitutes a trade secret or confidential business information. Second, the NSA does not have to demonstrate potential harm to raise a Glomar response under Exemption 3, whereas Exemption 4 generally requires a showing that disclosure would likely cause substantial competitive harm to the party that submitted the FOIA-requested information. Finally, while intelligence agencies like the NSA can generally issue a blanket Glomar response without searching for requested documents and undertaking a line-by-line analysis of any responsive records, under Exemption 4 the agency and record submitter must redact confidential business information from all responsive records, and the agency must disclose all non-exempt portions of those records.
Companies that interact and share information with government agencies should consider that protection from unwanted disclosure of information under FOIA differs widely based on the nature of the exemption and the agency involved. While the D.C. Circuit clarified the extent to which one FOIA exemption calls for deference to intelligence agencies like the NSA, private enterprises will continue to meet distinct FOIA challenges in other contexts.
Todd Overman is a Partner in the Government Contracts Practice of Hogan Lovells. His practice includes a combination of transactional issues, litigation, and regulatory advice. Daniel Greenspahn is an Associate in the Government Contracts Practice of Hogan Lovells. David Robbins is a 2012 Summer Associate at Hogan Lovells.