The Nine FOIA Exemptions

Exemption 1 protects records that have been classified under an executive order in the interest of national defense or foreign policy. To qualify, the information must be properly classified and the classification must follow the procedures established by executive order — currently Executive Order 13526.

Agencies most likely to invoke this exemption: CIA, NSA, DOD, State Department, and the intelligence community. It is rarely used by domestic agencies like BOP or SSA.

Exemption 2 covers records related solely to the internal personnel rules and practices of an agency. After the Supreme Court's 2011 decision in Milner v. Department of the Navy, this exemption was significantly narrowed. It now applies only to truly internal human resources matters — things like employee parking policies, sick leave procedures, and internal conduct rules.

Prior to Milner, agencies often used a broad "high b2" interpretation to withhold law enforcement sensitive materials. That interpretation was rejected. If an agency invokes b(2) for anything other than mundane personnel matters, it is likely doing so improperly.

Exemption 3 incorporates other federal laws that specifically prohibit disclosure of certain information. When Congress passes a statute that restricts disclosure — either by leaving no agency discretion or establishing specific withholding criteria — that statute qualifies as a "b(3) statute" and the information is exempt from FOIA.

Common b(3) statutes include: the National Security Act (intelligence sources and methods), 26 U.S.C. § 6103 (tax return information), Rule 6(e) of the Federal Rules of Criminal Procedure (grand jury materials), and 13 U.S.C. § 9 (Census Bureau data). Agencies must specifically identify which statute they are relying on.

Exemption 4 protects trade secrets and commercial or financial information obtained from a person outside the government that is privileged or confidential. After the Supreme Court's 2019 decision in Food Marketing Institute v. Argus Leader Media, the definition of "confidential" was broadened: information is confidential if the provider customarily and actually treats it as private and if it was provided to the government under assurance of privacy.

This exemption is most commonly used by agencies that collect business information — like the FDA, SEC, EPA, and DOD contracting offices. Third parties (the businesses whose information is at issue) may have "reverse FOIA" rights, meaning they can sue to prevent disclosure.

Exemption 5 is one of the most commonly invoked — and most commonly abused — exemptions. It protects inter-agency or intra-agency memoranda or letters that would not be available to a party in litigation with the agency. In practice this means three main privileges apply: the deliberative process privilege (drafts, recommendations, opinions that are pre-decisional and deliberative), the attorney-client privilege, and the attorney work-product doctrine.

Important limitation: The FOIA Improvement Act of 2016 added a 25-year rule — agencies cannot invoke b(5) to withhold records that are more than 25 years old. Also, factual information must be separated and released even if it appears in a deliberative document.

Exemption 6 protects personnel files, medical files, and similar files whose disclosure would constitute a clearly unwarranted invasion of personal privacy. Courts apply a balancing test: the privacy interest of the individual in the records versus the public interest in disclosure. The privacy interest must be substantial and the harm from disclosure must clearly outweigh the public benefit.

This exemption is most relevant when requesting records about other individuals. When requesting your own records, the Privacy Act (which runs parallel to FOIA) gives you broader access rights. Always invoke both FOIA and the Privacy Act when requesting your own records.

Exemption 7 is the broadest and most frequently invoked exemption, particularly by law enforcement agencies like the FBI, DEA, USMS, BOP, and ICE. It protects law enforcement records, but only if disclosure would cause one of six specific harms:

• b(7)(A) — Could reasonably be expected to interfere with enforcement proceedings
• b(7)(B) — Would deprive a person of a right to a fair trial or impartial adjudication
• b(7)(C) — Could reasonably be expected to constitute an unwarranted invasion of personal privacy
• b(7)(D) — Could reasonably be expected to disclose the identity of a confidential source
• b(7)(E) — Would disclose techniques, procedures, or guidelines for investigations if disclosure could reasonably be expected to risk circumvention of the law
• b(7)(F) — Could reasonably be expected to endanger the life or physical safety of any individual

The agency must first establish that the records were compiled for law enforcement purposes — this threshold requirement is often overlooked but can be challenged.

Exemption 8 protects records contained in or related to examination, operating, or condition reports prepared by or for a federal agency responsible for regulating or supervising financial institutions — such as banks, credit unions, and insurance companies.

This exemption is primarily relevant to agencies like the FDIC, Federal Reserve, OCC, NCUA, and similar banking regulators. It will almost never appear in a typical FOIA request from an advocate, journalist, or private individual seeking personal or agency records.

Exemption 9 is the narrowest and least-used exemption. It protects geological and geophysical information and data, including maps, concerning wells. It exists primarily to protect oil, gas, and mineral exploration data submitted to the federal government — primarily relevant to the Department of the Interior and the Bureau of Land Management.

The vast majority of FOIA requesters will never encounter this exemption. If an agency cites b(9) in response to a request that does not involve geological survey or well data, something has gone wrong.