EPIC Alert 23.08
EPIC Alert 23.08 - April 29, 2016
- FOIA Ombudsman Examines "Still Interested?" Agency Procedure
- EPIC Updates EU Officials on US Data Protection Developments
- EPIC Urges FCC to Fully Enforce Cable Privacy, Extend Rules to All Set-Top Boxes
- EPIC Defends Right of Data Breach Victims to Bring Suit
- European Parliament Adopts Comprehensive Data Protection Regulation
- EPIC Book Review: "Ctrl+Z"
- News in Brief
- EPIC in the News
- EPIC Bookstore
- Upcoming Conferences and Events
In response to a letter from EPIC and open government advocates, the FOIA ombudsman has issued the first part of a report on the use of administrative closure (so-called "still interested?") letters by federal agencies. EPIC raised the issue with the Office of Government Information Services (OGIS) in an October 2014 letter signed by 14 open government groups. The groups found that many federal agencies, including DOJ, EPA, TSA, and DHS, were impermissibly threatening to "close" FOIA matters unless the requestor responded within 20 days. The groups found that the use of these "still interested" letters has become pervasive.
In the interim report, OGIS determined that there is no "guidance or standard for reporting requests that agencies close" through "still interested" letters, and therefore no way to know how often agencies are using these letters. OGIS admits that it does not yet understand the impact such letters have on FOIA requesters. DOJ first issued guidance on the need to "limit 'still interested' letters" in 2010, noting that the method might be used "on occasion" after a request has lagged for a long time if the agency does so "judiciously." The DOJ issued additional guidance in 2015 after EPIC and other groups submitted the coalition letter to OGIS, noting that "it is critical that agencies employ safeguards to limit the number and impact of" the letters. DOJ made clear that "if the agency does not have reason to believe that the requestor's interest in the request has waned, it should not send a 'still interested' inquiry."
But as EPIC and other groups highlighted in the 2014 OGIS letter, agencies are routinely issuing these letters after long delays in processing FOIA requests and without any reason to believe that the requestor's interest in the records has changed. As EPIC noted, "We know of no provision in the Act that allows for administrative closure simply due to lack of time." And this approach "runs the risk [that] legitimate FOIA requests will be improperly closed because the requestor fails to respond within an arbitrary time period" selected by the agency. The dynamic is fundamentally unfair where an agency can seek to "close" a request due to its own failure to promptly respond and produce records, but expects FOIA requestors to respond promptly within 20 days if they want to keep their request alive.
EPIC recently participated in the 59th meeting of the International Working Group on Data Protection in Telecommunications (IWG) in Oslo, Norway. The Berlin-based IWG consists of representatives from European Data Protection Authorities and other key regulators from around the world who work together to protect online privacy.
EPIC presented a comprehensive country report outlining recent developments and issues of interest related to privacy in the United States. EPIC provided an overview of proposed and enacted legislation, important U.S. Supreme Court cases, and other issues including the American debate over encryption. EPIC emphasized that, according to public opinion polls, American attitudes toward privacy are comparable to those of Europeans, with 74% saying it is "very important" to be in control of who can get information about them, and 65% saying it is "very important" to control what information is collected about them.
The IWG adopted an updated paper on "Privacy and Security Issues in Internet Telephony (VoIP)" at the meeting. The Working Group will also continue its work on a report about E-learning Platforms, which is based on work to protect student privacy. Several other items relevant to EPIC's mission were discussed, such as always-on devices and the "right to be forgotten."
The next meeting of the IWG will take place in Berlin in November 2016.
In comments filed with the FCC on a proposal to unlock the set-top box market to retail manufacturers, EPIC urged the Commission to apply the Cable Act's privacy rules directly to all companies with access to cable subscriber data.
The FCC's proposal would require cable companies to provide video programming content to retail navigation devices, on the condition that manufacturers of these devices self-certify compliance with cable subscriber privacy rules and other consumer protection requirements. According to the Commission's plan, cable companies would not be required to provide video programming content "unless they receive this certification" and "are prohibited from providing the [content] to a Navigation Device that does not have such a certification." The proposal further explains that cable companies "cannot withhold the [content] if they have received such certification and do not have a good faith reason to doubt its validity."
EPIC argued that the FCC must directly enforce compliance with the Cable Act's privacy rules for all set-top box providers, including retail navigation device manufacturers. EPIC explained that the self-certification proposal fails to protect consumer privacy because it lacks effective oversight and enforcement mechanisms and "appears to deputize cable companies to enforce privacy rules on retail device manufacturers." Additionally, the proposal fails to clearly provide a private right of action for customers whose privacy rights have been violated by retail navigation devices.
EPIC explained that the Cable Subscriber Privacy Rules are "an effective model for privacy rules in the commercial sector, particularly concerning the collection of data about cable programming." However, the FCC must clarify and enhance enforcement of these rules to address current business practices. Consumer tracking and targeting no longer requires use of an individual's name or address; instead, persistent identifiers are used to build detailed profiles on individuals' viewing habits and online activity. Thus, EPIC urged the FCC to clarify enforcement of the Cable Subscriber Privacy Rules to include Internet Protocol (IP) addresses and other persistent identifiers as "personally identifiable information" subject to privacy protections.
EPIC has defended consumer privacy at the FCC for almost 20 years. Most recently, EPIC filed a petition in August of 2015 calling for a repeal of FCC regulations mandating retention of telephone toll records. This petition is still pending before the Commission.
EPIC has filed an amicus brief urging a federal appeals court to permit data breach victims to bring suit against entities that fail to adequately secure their personal information. The case involves Paytime, a national payroll service company that collected employees' full names, addresses, bank account data, Social Security numbers, and birthdates. In 2014, hackers gained access to Paytime's computer systems and stole the personal information of more than 233,000 individuals. The data breach victims sued Paytime for lax data security, but the lower court dismissed the case because the plaintiffs had not yet suffered identity theft or fraud.
In its brief, EPIC argued that the downstream consequences of a data breach--such as mitigating the increased risk of fraud, untangling a stolen identity, recovering unauthorized payments, or repairing damaged credit--are irrelevant to determining whether the data breach victims have suffered an injury. The injury-in-fact necessary to bring suit is the data breach itself. EPIC explained that American consumers face an epidemic of data breaches that cause pernicious and long-lasting harms. If courts do not permit data breach victims whose personal information has been obtained by criminals to pursue redress, the problems of data breach and identity theft will only intensify. Companies collecting consumer information are best positioned to prevent data breaches, and must be held accountable for inadequate data security.
EPIC regularly files amicus briefs defending consumer privacy. EPIC has also launched Data Protection 2016, a nonpartisan campaign to make data protection an issue in the 2016 election. The campaign advocates for reduced identity theft and financial fraud and for investigations into the misuse of personal data.
Negotiations over the new General Data Protection Regulation started in January 2012 and involved national governments, Members of the European Parliament, the business sector, academics, and civil society. This process was intended "to design new rules that uphold the fundamental right to data protection guaranteed by the EU's Charter of Fundamental Rights, bring benefits for citizens, businesses, and public administrations alike, and are future-proof and open to innovation". "The new General Data Protection Regulation will enable people to regain control of their personal data in the digital age," said Parliament Member Jan Philipp Albrecht.
The new rules, which provide for a long list of users' rights and a clear set of obligations for companies, will ensure individuals are in control of their own data. The provisions include data breach notification, coordinated enforcement by national data protection authorities, clarifications of the right to be forgotten, data portability, enhanced penalties, strengthened consent, appointment of data protection officers, and new measures to promote privacy innovation. The text, however, still has some shortcomings.
EPIC and other consumer groups have supported the European data protection law, stating that it provides "important new protections for the privacy and security of consumers."
EPIC awarded the 2014 International Champion of Freedom Award to European Parliament Member Jan Philipp Albrecht and the 2016 International Champion of Freedom Award to former EU Justice Minister Viviane Reding. Ms. Reding led efforts in the European Commission to adopt the new European data protection law and Mr. Albrecht was the rapporteur for the European Parliament. The US EPIC Champion of Freedom Awards will be presented on June 6, 2016 in Washington, DC.
"Ctrl+Z: The Right to be Forgotten," by Meg Leta Jones
Meg Leta Jones, Associate Professor of Communications, Culture, and Technology at Georgetown University, has written a thoughtful, yet accessible, exploration of the so-called "right to be forgotten." In Ctrl+Z, Jones describes the origins of the right to be forgotten (what she refers to more broadly as "digital redemption"), explores its possibilities and potential, and proposes persuasive paths forward.
In 2014, the European Court of Justice (CJEU) ruled that European citizens have the right, in certain circumstances, to have a website removed from the results of search engine queries for their name. A website can be removed under the right to be forgotten if it contains information that is "inadequate, irrelevant or excessive in relation to" the information's original purpose. In so ruling, the CJEU concluded that the fundamental right to privacy is greater than the economic interest of the website operator and, in some circumstances, the public interest in access to the information.
Jones begins Ctrl+Z by describing how the digital age, where "forgetting has become the exception, and remembering the default," has made it increasingly difficult for people to "detach themselves from humiliating or embarrassing past moments." This "digital memory," she argues, "prevents society from moving beyond" a past it cannot forget. And a digital society's inability to forget, she concludes, begets a society's inability to forgive.
Of particular interest is Jones's chapter on the prospects of digital redemption in the United States. What does a US forgiveness law look like? Jones posits that there are three common factors shared by this type of legal framework: (1) time, (2) oversight, and (3) relief from accountability. Whether it's a parole board issuing a certificate of good behavior or the sealing and expungement of a juvenile record, US forgiveness laws require some passage of time to ensure that any forgiveness is "earned." Similarly, these laws require a degree of oversight by a decision maker (e.g., a parole board or court). Lastly, any US forgiveness law, Jones argues, must provide relief from accountability. In the bankruptcy or juvenile context, for example, this is achieved by an expunged or sealed record.
After building this conceptual framework, Jones explores possible forms of digital redemption in the US and then argues in favor of her preferred approach. She first rejects the application of a European-style right to be forgotten for lack of foundation in American law. She then considers, but ultimately dismisses, a more limited right that would allow a person to object to information that identifies himself. Most viable, she argues, would be a scheme that would permit harmed data subjects to add information to the record to mitigate the ill effects of the outdated information by increasing "context and accuracy." One method, proposes Jones, would be through false-light claims that would allow plaintiffs to demand that outdated information be marked accordingly. A drawback to this method, however, is that US law would consider outdated information that is not marked as outdated to be a misrepresentation about that individual. It is also uncertain whether providing additional information for context would actually solve the larger problem. Jones acknowledges this drawback, noting that an addendum would merely add "conflicting information to the pile."
In Ctrl+Z, Leta Jones thoughtfully tackles the right to be forgotten from a number of perspectives with an eye towards a workable solution. It is a must-read for any student of society, privacy, and forgiveness in the digital age.
Senate Commerce Committee Approves FCC Reauthorization, Internet of Things Bill
The Senate Committee on Commerce, Science, and Transportation has voted in favor of reauthorization for the Federal Communications Commission and other bills, including proposed legislation on the Internet of Things. The "Developing Innovation and Growing the Internet of Things Act" calls for a national strategy on the Internet of Things, which would include a working group to study the impact of connected technology. Also approved was the FCC Process Reform Act of 2015, intended to improve transparency and accountability at the independent commission. EPIC consistently recommends privacy and security protections for the Internet of Things.
Supreme Court Approves Remote Computer Hacking by Police
The U.S. Supreme Court has voted to approve proposed changes to Rule 41 of the Federal Rules of Criminal Procedure, which will allow judges to issue "remote access" warrants. These warrants authorize mass computer searches, even when the targets are outside the jurisdiction of the court. EPIC criticized the proposal in a statement last year, arguing that the procedure enables searches outside traditional Fourth Amendment requirements and would not provide adequate notice to those subject to search. Congress can amend or reject the proposal. Senator Ron Wyden said today he would introduce legislation to reverse the proposal.
FTC Increases Scrutiny of Google's Practices, Implicating Antitrust and Privacy Interests
The FTC has reportedly expanded its investigation into Google's use of the Android operating system to exclude or demote competing services. The Commission's increased scrutiny comes shortly after the European Commission filed formal antitrust charges against Google. Last fall, the FTC began looking at whether Google unfairly prioritizes its own products after earlier ending a similar investigation in 2012 though staff recommended litigation. EPIC previously urged the Senate and the FTC to investigate Google's dominance of essential Internet services, warning that monopoly practices implicate privacy interests. EPIC had opposed Google's acquisition of online advertiser Doubleclick, which the FTC approved over the objection of Commissioner Pamela Harbour, who cited the connection between monopoly practices and privacy violations.
House Passes Narrow ECPA Update
The Email Privacy Act of 2016 has passed the House 419-0. The Act amends the Electronic Communications Privacy Act of 1986 to extend the warrant requirement to communications stored for more than 180 days. An earlier version of the Act would have required notice of email searches to the user, with some exceptions. Senator Leahy tweeted that "Long past time to protect American people's emails & info stored in the cloud from warrantless searches." EPIC has recommended several other ECPA updates, including protections for location data, data minimization requirements, and end-to-end encryption for commercial e-mail services.
Google Wants User Data, Opposes FCC Privacy Rules
Google has opposed new privacy rules for consumer data even as it backed the FCC's proposal to open up the set-top box. Google described new privacy safeguards as "unnecessary." The FCC's proposal would allow Google to gain access to the TV market and consumer viewing data. EPIC has urged the FCC to enforce strong privacy rules for all companies seeking access to user data.
TSA Releases New Body Scanner Document to EPIC
In response to an EPIC FOIA request, the Transportation Security Administration has released a document describing the technical capabilities of the airport body scanners. EPIC previously obtained documents from TSA revealing that body scanners can record, store, and transmit digital strip search images of airline passengers. Last month, the TSA issued a regulation on airport body scanners, nearly five years after a federal appeals court ordered the agency to "promptly" undertake a rule making. In 2011, EPIC successfully challenged the TSA's unlawful deployment of airport body scanners. Despite public comments that overwhelmingly favor less invasive security screenings, the TSA plans to use invasive body scanners at US airports. The TSA also said it may mandate airport body scanners, even though the agency previously told the D.C. Circuit that the body scanner program was optional and the federal appeals court upheld the program, relying on the agency's statements.
Intelligence Court Orders Government to Report on PRISM Collection
Three decisions by the Foreign Intelligence Surveillance Court (FISC) were made public this week. The Court identified serious "compliance and implementation issues" related to the Section 702 ("PRISM") surveillance program. The FISC found that the NSA did not purge personal data as required by minimization procedures, and also that the FBI failed to exclude attorney-client communications. In 2012, EPIC testified before Congress and recommended the publication of FISC opinions to facilitate public oversight.
- FBI Will Not Reveal The San Bernardino iPhone Hack, BuzzFeed News, April 28, 2016
- Airbnb, HomeAway would police rentals under proposed SF law, San Francisco Gate, April 26, 2016
- China Punishes Apple by Shutting Down iTunes and Movies, Breitbart News, April 24, 2016
- Ad Industry Asks For More Time To Consider FCC's Privacy Plan, MediaPost, April 22, 2016
- The Cell Phone-Monitoring Agency You've Never Heard Of, Nextgov.com, April 22, 2016
- Apple report shows it's getting a steady number of data requests from the government and obliging most of them, San Jose Mercury News, April 20, 2016
- EPIC says errors rampant in employee background checks, Reuters, April 19, 2016
- EPIC Urges 3rd Circ. To Revive Paytime Data Suit, Law 360, April 19, 2016
- Yale Law School clinic, ACLU question growth of domestic 'watchlist', New Haven Register, April 18, 2016
- Your Conversation On The Bus Or Train May Be Recorded, NPR, April 16, 2016
- Proposed "textalyzer" bill would give police the right to scan your phone, Fox 6 Now, April 14, 2016
- Microsoft sues U.S. over secret demands for customer data, CBS, April 14, 2016
- Advocates Urge FCC To Stick To Timeline For Privacy Rules, MediaPost, April 14, 2016
- Investigating the algorithms that govern our lives, Columbia Journalism Review, April 14, 2016
EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy, are available at the EPIC Bookstore.
Recent EPIC publications:
Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (Dec. 2015).
The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statutes that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.
Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (May 2015). Price: $25.95.
The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.
The contributors to this anthology don't simply describe these problems or warn about the loss of privacy -- they propose solutions.
Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.
May 13, 2016
"Data Privacy Advocacy: From Safe Harbour to the Privacy Shield"
Marc Rotenberg, EPIC President
European University Institute
May 17, 2016
Goethe Institute Screening, "Democracy"
Landmark's E Street Cinema
May 18, 2016
Women in Government Advanced Technology & Innovations Summit 2016
Caitriona Fitzgerald, EPIC State Policy Coordinator
June 3, 2016
Jeffrey Rosen, "Louis D. Brandeis: American Prophet"
Politics and Prose
June 5, 2016
EPIC Screening, "Democracy"
June 6, 2016
EPIC, Data Protection 2016
National Press Club