The top EU Court has struck down an EU-Canada agreement on the processing of airline passenger records. The Passenger Name Record agreement mandated data retention and permitted the bulk transfer of personal data provided by passengers booking a flight. The Court of Justice of the EU explained "the PNR agreement may not be concluded in its current form because several of its provisions are incompatible with the fundamental rights recognised by the EU." The data can reveal "a complete travel itinerary, travel habits, relationships existing between two or more individuals, and information on the financial situation of air passengers, their dietary habits or their state of health." The European Digital Rights Initiative praised the outcome. The EU and US have a similar agreement that permits retention of personal data for 15 years. EPIC has criticized overbroad passenger data transfers, and argued the EU-US agreement violates the EU data protection directive.
EPIC has opposed the Director of National Intelligence’s refusal to release a critical government report about Russian interference with the 2016 Presidential election. In EPIC v. ODNI, EPIC seeks the public release of the agency’s report on the Russian interference. EPIC filed suit after the ODNI published only a limited, declassified version of the report. In filings in federal district court, EPIC explained that the ODNI’s failure to provide EPIC partial information cannot satisfy the Agency’s obligations under the FOIA. EPIC stated that release is “necessary for the public to evaluate the Intelligence Community response to the Russian interference, assess threats to democratic institutions, and ensure that agencies are taking appropriate measures to protect U.S. electoral institutions against future attack.” Long after the attack on U.S. democratic institutions, “significant information asymmetry between the public and its government remains,” EPIC said. EPIC v. ODNI is a part of the EPIC Cybersecurity and Democracy Project, which focuses on US cyber policies, threats to election systems and foreign attempts to influence American policymaking.
EPIC has appealed the decision of a federal district court which declined to block the collection of sensitive voter data by the Presidential Election Commission. EPIC had argued that the Commission failed to complete a Privacy Impact Assessment before collecting voter data and violated the constitutional right to information privacy. Though the district court agreed that EPIC had standing to bring the lawsuit, the court concluded that it couldn't halt the data collection because, according to the court's opinion, the Commission is exempt from the obligation to undertake a privacy assessment. EPIC's case, which led the Commission to suspend the collection of voter data two weeks ago, will now be reviewed on an expedited basis by the U.S. Court of Appeals for the District of Columbia. "Absent expedited review," EPIC warned, "the Commission will be allowed to systematically amass the sensitive, personal information of the nation's voters without establishing any procedures to protect voter privacy or the security and integrity of the data." The case is EPIC v. Commission, No. 17-1320 (D.D.C. filed July 3, 2017).
