The Irish Data Protection Commission (DPC) fined Facebook’s WhatsApp €225 million ($266 million) for privacy violations following a GDPR investigation that began in 2018. In the decision, the data privacy regulator explained that WhatsApp breached the GDPR’s rules about data transparency, including when it processed user information between WhatsApp and other Facebook companies. While the €225 million fine is a record for the DPC and the second largest fine ever issued under the GDPR, privacy advocate and EPIC Advisor Max Schrems noted “[t]he DPC also proposed an initial € 50 million fine and was forced by the other European data protection authorities to move towards € 225 million, which is still only 0.08% of the turnover of the Facebook Group. The GDPR foresees fines of up to 4% of the turnover.” EPIC has long urged the Federal Trade Commission to block or unwind Facebook's acquisitions of Instagram and WhatsApp. In 2014, EPIC and the Center for Digital Democracy warned the FTC that Facebook incorporates user data from companies it acquires, and that WhatsApp users objected to the acquisition. Despite these problems, the FTC allowed the merger to go forward.
EPIC has joined with several international privacy and human rights advocacy groups in a statement calling for privacy reform in the wake of allegations that the Indian government used Pegasus to surveil activists, journalists, and opponents. The statement highlights the fundamental right to privacy established under both the Indian Constitution and international human rights law, condemns the illegal use of spyware, and calls for (i) an independent investigation into allegations of Pegasus use; (ii) surveillance reform ensuring independent judicial oversight and providing for judicial remedy; and (iii) establishing a data protection framework that will respect privacy rights. EPIC has previously filed suit against the U.S. Department of Homeland Security to obtain records of a system designed to surveil journalists—the surveillance effort was subsequently suspended. In addition, EPIC has previously joined coalition letters calling for surveillance reform within the U.S. and has testified before Congress regarding the risks of commercial spyware.
In a new report, the Government Accountability Office (GAO) surveyed 24 federal agencies on their use of facial recognition technology. The report reveals that 18 of those agencies are using facial recognition for purposes including law enforcement, physical security/surveillance, and digital access. Ten of those agencies, including the Department of Homeland Security, the Department of Justice, and the State Department plan to expand their use of facial recognition in the near future by acquiring new systems. According to the GAO, 27 states and 6 municipalities currently allow federal agencies to access non-federal facial recognition systems. The GAO's report follows the office's June report that 42 federal law enforcement agencies are using facial recognition technology with little to no oversight. According to the report, many agencies were unaware that employees were using the technology. The report also reveals that the Department of the Interior accessed the DC-area NCR-FRILS facial recognition system. EPIC organized a coalition opposing the system, leading to its shutdown in July of this year. EPIC recently filed suit against the U.S. Postal Service for using of facial recognition and social media monitoring technology without completing statutorily required Privacy Impact Assessments.
