Today, EPIC filed a friend of the court brief with the Fifth Circuit Court of Appeals, urging the Court to enforce federal privacy protections for Facebook users who rented videos from Blockbuster, a Facebook business partner. The Video Privacy Protection Act prohibits companies from revealing consumers' video rental histories. EPIC wrote, "Congress established a private right of action to ensure that there would be a meaningful remedy when companies failed to safeguard the data they collected" and warned, "absent a private right of action, there would be no effective enforcement, no remedy for violations, and no way to ensure that companies complied with the intent of the Act." The lawsuit was filed by Cathryn Harris and other Facebook users after Blockbuster made public their private video rental information. Blockbuster, a participant in Facebook's Beacon program, claimed that consumers cannot sue the company and must submit to mandatory arbitration. EPIC's brief, which includes a detailed history of the video privacy law, urges the appeals court to uphold a lower court ruling, which held that the plaintiffs are allowed to pursue their claim that a federal law was violated. For more information, see EPIC Harris v. Blockbuster, EPIC The Video Privacy Protection Act, and EPIC Facebook Privacy.
In a crisply worded declaration, over 100 civil society organizations and privacy experts from more than 40 countries have set out an expansive statement on the future of privacy. The Madrid Declaration affirms that privacy is a fundamental human right and reminds "all countries of their obligations to safeguard the civil rights of their citizens and residents." The Madrid Declaration warns that "privacy law and privacy institutions have failed to take full account of new surveillance practices." The Declaration urges countries "that have not yet established a comprehensive framework for privacy protection and an independent data protection authority to do so as expeditiously as possible." The civil society groups and experts recommend a "moratorium on the development or implementation of new systems of mass surveillance." Finally, the Declaration calls for the "establishment of a new international framework for privacy protection, with the full participation of civil society, that is based on the rule of law, respect for fundamental human rights, and support for democratic institutions." The Madrid Declaration was released at the Public Voice conference in Madrid on Global Privacy Standards. Multiple translations of the Declaration are available.
Almost two hundred privacy experts, advocates, and governments officials from around the world gathered in Madrid for the "Global Privacy Standards" conference, organized by the Public Voice. The event features panel discussions on “Privacy and Human Rights: The Year in Review,” "Privacy Activism: Major Campaigns," “Your Data in the Cloud: What if it Rains?,” "Transborder Data Flow: Bridges, Channels or Walls?," and "“Toward International Privacy Standards." Leading privacy officials from Spain, the European Union, the European Parliament, the OECD, and Canada are participating. The event is being held in conjunction with the annual meeting of the Privacy and Data Protection Commissioners, which is expected to draw more than 1,000 participants from over fifty countries. The Public Voice event will also be cybercast and tweeted. @thepublicvoice #globalprivacy.
A Fordham Law School study found that state educational databases across the country ignore key privacy protections for the nation’s school children. The study reports that at least 32% of states warehouse children’s social security numbers; at least 22% of states record student pregnancies; and at least 46% of the states track mental health, illness, and jail sentences as part of the children’s educational records. Some states outsource the data processing without any restrictions on use or confidentiality for children’s information. Access to this information and the disclosure of personal data may occur for decades and follow children well into their adult lives. These findings come as Congress is considering the Student Aid and Financial Responsibility Act, which would expand and integrate the 43 existing state databases without taking into account the critical privacy failures in the states’ electronic warehouses of children’s information. For more information on children’s privacy issues see EPIC Children’s Online Privacy Protection Act and EPIC DOD Recruiting Database.
Facebook released a revised privacy policy. The updated policy provides a more concise description of the privacy practices of the developers of third-party applications. Facebook also announced that it will evaluate the collection of user data by application developers. According to a blog post, the revised policy is a response to a complaint filed by Canadian Internet Policy and Public Interest Clinic in 2008, and attempts to “[fulfill] our commitment to the Privacy Commissioner of Canada to update our privacy policy to better describe a number of practices.” Concerns remain about the use of Facebook users' data. For more information, see EPIC Facebook Privacy.
The European Commission announced that the UK government has failed to comply with Europe's ePrivacy Directive and Data Protection Directive. European laws state that EU countries must ensure the confidentiality of electronic communications by prohibiting unlawful interception and surveillance. The EC statement specifically cited unlawful interception under the UK Regulation of Information Powers Act. This marks the second phase of an infringement proceeding that was filed earlier this year against the UK. The case follows complaints about the use of Phorm's Deep Packet Inspection technology. For more information, see EPIC Deep Packet Inspection and Privacy and Human Rights Report.
EPIC joined the Privacy Coalition letter sent to the House Committee on Homeland Security urging them to investigate the Department of Homeland Security's (DHS) Chief Privacy Office. DHS is unrivaled in its authority to develop and deploy new systems of surveillance. The letter cited DHS use of Fusion Center, Whole Body Imaging, funding of CCTV Surveillance, and Suspicionless Electronic Border Searches as examples of where the agency is eroding privacy protections. EPIC Fusion Centers, EPIC Whole Body Imaging, and EPIC CCTV.
EPIC has signed on to a letter from Public Knowledge to the Federal Communications Commission supporting the FCC's decision to begin public proceedings on preserving an open internet. EPIC joins many other public interest groups who have also expressed support for the FCC's initiative. The FCC's proceedings will focus on proposed rulemaking policies that would preserve open internet. EPIC favors the general principles of "network neutrality" and has called on the FCC to preserve privacy safeguards against measures that Internet Service Providers may use to limit access to the internet. For more information, see also EPIC Deep Packet Inspection.
Representatives Conyers, Nadler, and Scott introduced two bills today that would amend the PATRIOT Act and the Foreign Intelligence Surveillance Act. The Patriot Amendments Act of 2009 will enhance reporting and judicial oversight of law enforcement powers, including the National Security Letter process. The FISA Amendments Act of 2009 will place new limits on the government's ability to collect and store Americans' communications without a warrant and repeals retroactive immunity. For more information, see EPIC FISA, EPIC PATRIOT Act.
Today, EPIC filed a "friend of the court" brief with the Fourth Circuit Court of Appeals, urging the court to hold that the First Amendment protects the speech of Betty Ostergren, a privacy advocate. Ostergren runs a Website that republishes Social Security Numbers, collected from public records, to persuade Virginia lawmakers to stop releasing documents that reveal Social Security Numbers. Under Virginia law, Ostergren could be prosecuted for publishing SSNs, even though Virginia makes the numbers widely available. A lower court held that the law violated Ostergren's First Amendment rights. Virginia appealed. EPIC's brief urges the appeals court to uphold the lower court's ruling. For more information, see EPIC Ostergren v. McDonnell, EPIC Social Security Numbers, and EPIC Identity Theft.
Governor Schwarzenegger has terminated S.B. 20, a bill that would have strengthened California's data breach laws by requiring that consumers be notified every time their privacy was compromised. But the Governor and "Terminator" star signed A.B. 524, an amendment to California's current anti-paparazzi law that will protect the privacy of celebrities by making it easier to sue photographers and media outlets for taking or purchasing unauthorized pictures. For more information about privacy in California, see the California Office of Information Security and Privacy Protection.
The Department of Health and Human Services plans to modify sections of the federal Privacy Rule, issued under HIPAA. The proposed changes would clarify the scope of privacy and confidentiality of genetic information. More specifically, HHS proposes to modify the Privacy Rule, taking into account the Genetic Information Nondiscrimination Act, to prohibit health plans from using or disclosing personally identifiable health information, which would explicitly include genetic information, for underwriting purposes. Public comments on the proposed rule are due December 7, 2009. EPIC is recommending that HHS pay particular attention to the problem of data reidentification. For more information, see EPIC's Genetic Privacy Page.
EPIC FOIA Note #16: 
