EPIC Alert 25.24

1. Privacy Year in Review

With 2018 coming to a close, EPIC look backs on the year in privacy and considers the year ahead.

Top Privacy Stories in 2018

GDPR Comes Into Force
The General Data Protection Regulation, or GDPR, took effect in May 2018. Europe's comprehensive data protection update includes a 72-hour data breach notification, algorithmic transparency, privacy enhancing techniques, stronger penalties, a European Data Protection Board, and measures to promote privacy innovation. In 2018 EPIC launched the PrivacyNow! campaign calling for similar legislation in the United States. U.S. and European NGOs also urged companies to apply the GDPR globally. And regulators began using their new powers under the GDPR— the UK Information Commissioner sanctioned Facebook for the Cambridge Analytica scandal.

Universal Guidelines on Artificial Intelligence Unveiled
In October 2018, the Public Voice unveiled the Universal Guidelines for Artificial Intelligence at the Privacy Commissioner's conference in Brussels. The Universal Guidelines were endorsed by over 250 experts and 50 international organizations, including the American Association for the Advancement of Science, the world's leading scientific association. The Guidelines set forth twelve principles to guide the design, development, and deployment of AI. Grounded in fundamental principles of human rights protection, the UGAI are intended to maximize the benefits and minimize the risk of AI.

Facebook Comes Under FTC Investigation – What Happens Next?
In March 2018, Facebook admitted to the unlawful transfer of 87 million user profiles to data analytics firm Cambridge Analytica. Although the Federal Trade Commission announced an investigation, at year end there have been no findings, no report, and no fine by the FTC. But the District of Columbia Attorney General filed a complaint against Facebook, making D.C. the first U.S. jurisdiction to take action against the company.

Supreme Court Protects Privacy of Cell Phone Location Data
The U.S. Supreme Court issued a landmark ruling in Carpenter v. United States, holding that the Fourth Amendment protects location records. EPIC filed an amicus brief in Carpenter, signed by thirty-six technical experts and legal scholars, arguing that "Cell phones are now as necessary to the life of Americans as they are ubiquitous." EPIC said that users expect their location data to remain private. The Supreme Court agreed.

Presidential Election Commission Shut Down, Voter Data Deleted
The Presidential Election Commission, which tried to collect personal voter data from across the country, was disbanded in January. The Commission faced a lawsuit by EPIC over its failure to conduct a privacy impact assessment. Later, in response to a court order in EPIC's case against the Commission, the White House confirmed that it had destroyed all copies of the voter data unlawfully collected by the Commission.

States Update Privacy Laws
A statewide referendum that gathered over 600,000 supporters led to enactment of a new privacy law in California. Vermont also enacted a new privacy law. And New Hampshire voters overwhelmingly approved a ballot measure that guarantees a constitutional right to information privacy.

2019 Privacy Issues to Watch

Creation of U.S. Data Protection Agency
Congress is set to pass privacy legislation, but the big question may be whether Congress finally establishes a U.S. data protection agencies. With growing frustration about the FTC's failure to safeguard personal data in the U.S., expect lawmakers to explore alternatives. Consumer organizations have urged Congress to (1) enact baseline federal data protection legislation, (2) limit government access to personal data, (3) establish algorithmic transparency and end discriminatory profiling, (4) prohibit "take it or leave it" and other unfair terms, (5) ensure robust enforcement; (6) promote privacy innovation, and (7) establish a data protection agency.

Constitutional Right to Information Privacy?
A federal appeals court is set to rule in a case concerning the 2015 OPM data breach that affected 22 million federal employees, their friends, and their family members. As EPIC argued in an amicus brief to the Court, "when personal data is collected by a government agency, that agency has a constitutional obligation to protect the personal data it has obtained." At oral arguments in November, the Court expressed skepticism over the government's claim that victims of the OPM data breach lacked "standing" to sue.

Privacy of Census Data
In 2018, the Census Bureau abruptly announced that it would add a citizenship question to the census for the first time since 1950. EPIC filed suit in November to block the citizenship question, charging that the Census Bureau failed to complete privacy impact assessments. (See outcome above in EPIC's case against the Presidential Election Commission.) EPIC's suit revealed that personal data provided to the Census Bureau could be used "for criminal law enforcement activities," contrary to agency policy.

Privacy Class Action Fairness
In 2019, the Supreme Court is set to rule in Frank v. Gaos. At issue are collusive class action settlements that provide no benefit to consumers. In an amicus brief for the Supreme Court, EPIC explained the settlement was not "fair, reasonable, and adequate." A ruling is expected by mid-year.

2. Facebook Violated FTC Consent Order. Again.

The New York Times reported that Facebook gave big tech companies access to personal data in violation of the terms of service and public statements. The companies include Amazon, Sony, Microsoft, Yahoo, Spotify, and Netflix, as well as two companies considered security threats to the U.S.: Chinese smartphone manufacturer Huawei and Russian search engine Yandex.

Facebook even allowed these companies to read users' private messages and access friend lists. According to the Times, Facebook "permitted Amazon to obtain users' names and contact information through their friends, and it let Yahoo view streams of friends' posts as recently as this summer, despite public statements that it had stopped that type of sharing years earlier."

EPIC and several consumer privacy organizations established the 2011 consent order against Facebook, following a public campaign and extensive complaints in 2009 and 2010. In March 2018, the FTC said it would reopen the Facebook investigation, but there is still no report, no findings, and no fine.

In response to an EPIC Freedom of Information Act lawsuit, the FTC has released agency emails about the 2011 Facebook Consent Order. Several related EPIC complaints regarding Facebook are also pending at the FTC, including facial recognition.

3. EPIC Urges Congress to Pursue Trump's Tax Returns

EPIC has asked Congress to obtain the public release of President Trump's tax returns. As EPIC explained, "By custom and tradition, candidates for the Presidency have routinely made available to the public their personal tax returns to ensure that there are no conflicts of interest that might jeopardize the public trust."

EPIC told Congress that there are "specific concerns around possible misrepresentations by the President about his financial relations with Russia" and "widespread public support for the release of the President's returns." EPIC stated that "If the Freedom of Information Act means anything, it means that the American public has the right to know whether records exist in a federal agency which reveal that the U.S. President has financial dealings with a foreign adversary."

EPIC's request to Congress follows the D.C. Circuit's decision in EPIC v. IRS, a Freedom of Information Act case for the release of the President's tax returns. EPIC had argued that the IRS has the authority, under a legal provision known as "(k)(3)," to disclose the President's returns to correct numerous misstatements of fact concerning his financial ties to Russia. For example, President Trump falsely tweeted that "Russia has never tried to use leverage over me. I HAVE NOTHING TO DO WITH RUSSIA - NO DEALS, NO LOANS, NO NOTHING."

Although the D.C. Circuit wrote that the IRS "misunderstands its FOIA disclosure obligations" and rebuked the IRS for "disregard[ing] the plain statutory text" of FOIA, the Court ruled that EPIC could not obtain the returns under "(k)(3)." But the Court emphasized that the law at issue in EPIC v. IRS II—EPIC's pending FOIA suit for President Trump's business tax records—"does allow the public to inspect certain return information."

EPIC will continue to pursue the release of the President's tax records, which may reveal whether the President's private financial interests conflict with the national interests of the United States.

4. EPIC Amicus: Unlawful Collection of Biometric Data Establishes Standing

EPIC has filed an amicus brief in Patel v. Facebook, a case concerning Facebook's collection of facial images in violation of the Illinois Biometric Information Privacy Act.

EPIC argued that the violation of the biometric privacy law was sufficient for Facebook users to sue the company. EPIC told the Ninth Circuit that the law "simply requires plaintiffs to demonstrate that a defendant has invaded a concrete interest protected by the law—nothing more."

EPIC also explained that the "collection of biometric information presents profound risks to privacy, safety, and security." EPIC warned that "Judicial second-guessing of statutory protections for biometric data established by the state legislature, following a careful weighing of the public safety concerns, will come at an enormous cost to the privacy of Illinois residents."

Earlier in 2018, EPIC filed an amicus brief in Rosenbach v. Six Flags, another case about the Illinois biometric privacy law. EPIC routinely submits briefs in support of users in privacy case. EPIC has also long advocated for limits on the use of biometric data and has opposed Facebook's use of facial recognition software.

5. EPIC Asks Congress to Nominate AI Commission Members Who Support the Universal Guidelines

EPIC has urged members of Congress responsible for a new National Commission on Artificial Intelligence to nominate experts and public interest representatives who have endorsed the Universal Guidelines for Artificial Intelligence.

The National Security Commission on AI, which was quietly established by Congress in August, is charged with reviewing "advances in artificial intelligence, related machine learning developments, and associated technologies." The Commission will be composed of 15 members and is slated to prepare an initial public report in 2019.

EPIC told Congress that "it is vitally important that the National Security Commission include members who can represent the interests of the American public on AI." EPIC previously urged Congress and the Office of Science and Technology Policy to ensure public participation in the Select Committee on Artificial Intelligence, a separate committee charged with coordinating AI policies between federal agencies.

The Universal Guidelines for Artificial Intelligence were unveiled in Brussels in October. Leading computer scientists and scientific societies, including the American Association for the Advancement of Science, have endorsed the Universal Guidelines.

News in Brief

Appeals Court: IRS 'Misunderstands' FOIA Obligations in EPIC Case, But Trump's Tax Returns Still Withheld

The D.C. Circuit recently ruled that the IRS "misunderstands its FOIA disclosure obligations" in EPIC v. IRS, EPIC's Freedom of Information Act case to obtain public release of President Trump's tax returns. EPIC argued that the IRS has the authority, under a legal provision known as "(k)(3)," to disclose the President's returns to correct numerous misstatements of fact concerning his financial ties to Russia. For example, President Trump falsely tweeted that "Russia has never tried to use leverage over me. I HAVE NOTHING TO DO WITH RUSSIA - NO DEALS, NO LOANS, NO NOTHING." Although the D.C. Circuit ruled that EPIC could not compel the IRS to use "(k)(3)," the Court rebuked the IRS for "disregard[ing] the plain statutory text" of FOIA and held that EPIC's request was wrongly "met with a closed door." The Court also emphasized that the law at issue in EPIC v. IRS II—EPIC's separate FOIA suit for President Trump's business tax records—"does allow the public to inspect certain return information." EPIC will continue to pursue the release of the President's tax records, which will reveal whether and how the President's private financial interests conflict with the national interests of the United States.

Congress Passes Foundations for Evidence-Based Policymaking Act of 2018

Congress has passed the Foundations for Evidence-Based Policymaking Act of 2018. The legislation, championed by House Speaker Paul Ryan (R-WI) and Senator Patty Murray (D-WA), includes new requirements for federal agencies to establish senior leaders for program evaluation and data coordination to help agencies produce and use evidence, strengthens privacy protections for confidential data, and directs government to make secure access to data more available to generate evidence. In a statement to Congress last year, EPIC expressed support for the findings of the Commission on Evidence-Based Policymaking — Congress established the Commission to study how data across the federal government could be combined to improve public policy while protecting privacy. EPIC filed comments with the Commission urging adoption of Privacy Enhancing Techniques, such as anonymization, that minimize or eliminate the collection of personal data. The National Academies of Sciences released a report last year that examined how disparate federal data sources can be used for policy research while protecting privacy.

D.C. Attorney General Sues Facebook

The D.C. Attorney General filed a complaint against Facebook under the D.C. Consumer Protection Procedures Act, making D.C. the first U.S. jurisdiction to take action against the company for the mishandling of user data that led to Cambridge Analytica. The AG's complaint alleges that Facebook failed to monitor third-party use of personal data and failed to ensure users' data was deleted. The D.C. lawsuit seeks financial penalties, and an injunction to ensure Facebook puts in place protocols and safeguards to protect users' data and easier for users to control their privacy settings. AG Karl Racine said: "Facebook put users at risk of manipulation by allowing companies like Cambridge Analytica and other third-party applications to collect personal data without users' permission. Today's lawsuit is about making Facebook live up to its promise to protect its users' privacy." EPIC filed a D.C. Consumer Protection Procedures Act lawsuit challenging the unlawful collection, use, and disclosure of personal location data by AccuWeather through its mobile iOS app.

EU-U.S. Privacy Shield Renewed, Privacy Commitments Ignored

The European Commission has renewed the EU-U.S. Privacy Shield, a framework permitting the flow of European consumers' personal data to the U.S. Oddly, the Commission cited the FTC investigation into the Cambridge Analytica scandal (which has produced no outcome) and the appointment of three members to the PCLOB as support for renewal. The report also overlooked the failure of the FTC to enforce the 2011 Consent Order against Facebook, which ultimately compromised the personal data of several hundred million Europeans. And the Commission had little concerns with passage of the CLOUD Act, renewal of Section 702 of FISA (permitting bulk surveillance of Europeans), and other shortcomings cited by EPIC comments and the European Parliament. The Commission did recommend an Ombudsperson for Privacy Shield (which was required in the original agreement), and encouraged the U.S. to ratify the International Privacy Convention.

Senate Reports Detail Russian Russian Interference in 2016 Election

In a pair of reports released this month, the Senate Intelligence Committee provided fresh details on the extent of Russian interference in the 2016 election. Committee Chairman Richard Burr explained: "This newly released data demonstrates how aggressively Russia sought to divide Americans by race, religion and ideology, and how the IRA actively worked to erode trust in our democratic institutions. Most troublingly, it shows that these activities have not stopped." Shortly after the 2016 presidential election, EPIC filed a series of Freedom of Information Act lawsuits to determine the extent of Russian interference: EPIC v. FBI, EPIC v. ODNI, EPIC v. IRS I, and EPIC v. DHS. As EPIC President Marc Rotenberg explained in an op-ed in March 2017: "The public has a right to know the details when a foreign government attempts to influence the outcome of a U.S. presidential election. And the public has a right to know what steps have been taken to prevent future attacks."

EPIC in the News

• America Needs a Privacy Law, New York Times, Dec. 25, 2018
• Data Privacy Concerns with Search Engines, CPO Magazine, Dec. 25, 2018
• Why the F.T.C. Is Taking a New Look at Facebook Privacy, New York Times, Dec. 22, 2018
• Is the FTC to Blame for Facebook Scandals?, Law.com, Dec. 21, 2018
• EU Sets Feb. 28 Deadline For US To Fill Privacy Shield Job, Law360, Dec. 21, 2018
• The top 10 law and tech news stories of 2018, ABA Journal, Dec. 21, 2018
• After Latest Facebook Fiasco, Focus Falls on Federal Commission, Techonomy, Dec. 21, 2018
• Smart Toys Under The Tree Raise Privacy Concerns, Law360, Dec. 20, 2018
• Data privacy: failing to address critical issues 20 years on, Irish Times, Dec. 20, 2018
• Consumer Rating Algorithms Score Big with Businesses, Governments, Communications of the ACM, Dec. 20, 2018
• Facebook gave tech companies 'intrusive' access to users' private messages and personal data, internal documents reveal, Fox News, Dec. 19, 2018
• You Can't Use FOIA to Get Someone's Tax Returns, Reason, Dec. 19, 2018
• FTC Should Probe Google Play Store Over Kids' Privacy Violations, Watchdogs Say, MediaPost, Dec. 19, 2018
• Momentum Builds for a National Privacy Law in the United States, Lexology, Dec. 19, 2018
• Judge rejects request to release Trump's tax returns under freedom of information laws, CNN, Dec. 18, 2018
• DC Circuit Won't Force IRS to Release Trump's Tax Returns, National Law Journal, Dec. 18, 2018
• DC Circuit Judge Turns Down FOIA Request For Trump Tax Records, Daily Caller, Dec. 18, 2018
• 'The Answer Is No': Judge Slaps Down Attempt to Expose Trump's Tax Returns, Law & Crime, Dec. 18, 2018
• Trump Tax Returns Can't Be Obtained by EPIC, Court Says, Bloomberg, Dec. 18, 2018
• Facebook photo API bug exposed users' unpublished photos, Naked Security, Dec. 18, 2018
• Fresh Off GDPR, Companies Puzzle Over Complying With California's Privacy Law, Morning Consult, Dec. 18, 2018
• DC court dismisses lawsuit seeking Trump's tax returns, The Hill, Dec. 18, 2018
• As Facebook Raised a Privacy Wall, It Carved an Opening for Tech Giants, New York Times, Dec. 18, 2018
• DC Circ. Won't Revive FOIA Suit Over Trump Tax Returns, Law360, Dec. 18, 2018
• Facebook Row Fair Game For Ill. Privacy Law, 9th Circ. Told, Law360, Dec. 18, 2018

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy are available at the EPIC Bookstore.

Recent EPIC Publications

The Privacy Law Sourcebook 2018, edited by Marc Rotenberg (2018)

The Privacy Law Sourcebook is the leading resource for students, attorneys, and policymakers interested in privacy law in the United States and around the world. The Sourcebook includes major US privacy laws such as the Fair Credit Reporting Act, the Privacy Act, the Family Educational Rights and Privacy Act, the Video Privacy Protection Act, and the Electronic Communications Privacy Act. The Sourcebook also includes key international privacy frameworks such as the EU General Data Protection Regulation and the revised OECD Privacy Guidelines. The Privacy Law Sourcebook 2018 has been updated and expanded to include the modernized Council of Europe Convention on Privacy, the Judicial Redress Act, the CLOUD Act, and new materials from the United Nations. The Sourcebook also includes an extensive resources section with useful websites and contact information for privacy agencies, organizations, and publications.

Communications Law and Policy: Cases and Materials, 5th Edition, by Jerry Kang and Alan Butler. Direct Injection Press (2016).

This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas—power, entry, pricing, access, classification, bad content, and intermediary liability—equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.

Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (2015).

The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statues that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.

Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (2015). Price: $25.95.

The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.

The contributors to this anthology don't simply describe these problems or warn about the loss of privacy—they propose solutions.

Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.

Upcoming Conferences and Events

OECD AI Experts Meeting. Jan. 16–17, 2019. MIT, Cambridge, MA. Marc Rotenberg, EPIC President.

DLD Munich 19. Jan. 19–21, 2019. Munich, Germany. Marc Rotenberg, EPIC President.

International Cybersecurity Forum (FIC). Jan. 22, 2019. Lille, France. Eleni Kyriakides, EPIC International Counsel.

Collective Action Workshop. Jan. 29, 2019. Brussels, Belgium. Marc Rotenberg, EPIC President.

European Area of Freedom, Security, and Justice. Jan. 29, 2018. FREE Group. Rome, Italy. Marc Rotenberg, EPIC President.

EPIC International Champion of Freedom Award. Jan. 30, 2019. Les Halles de Schaerbeek, Brussels, Belgium.

CPDP2019: Data Protection and Democracy. Jan. 30–Feb. 1, 2019. Les Halles de Schaerbeek, Brussels, Belgium.

OECD AI Meeting. Feb. 7­–9, 2019. Dubai, UAE. Marc Rotenberg, EPIC President.

Aspen Roundtable on AI. Feb. 11-13, 2019. Santa Barbara, CA. Marc Rotenberg, EPIC President

'Going Digital.' Mar. 11-12, 2019. OECD, Paris. Marc Rotenberg, EPIC President.

EPIC Champions of Freedom Awards Dinner. June 5, 2019. National Press Club, Washington, DC.