EPIC Alert 25.21

1. Supreme Court Orders Additional Briefing in Consumer Privacy Case

The U.S. Supreme Court has ordered additional briefing in Frank v. Gaos, a case about a controversial class action settlement. Plaintiffs alleged that Google disclosed search histories to third parties in violation of various privacy laws, but the parties settled the case with no change in business practice and no benefit to class members. Now the Supreme Court has ordered supplemental briefs to determine whether any named plaintiff has "standing" to pursue the dispute.

EPIC filed an amicus brief with the Supreme Court about the settlement, arguing that the "proposed settlement is bad for consumers and does nothing to change Google's business practices." EPIC also argued that "cy pres"—a class action settlement tool that is meant to benefit plaintiffs by funding relevant public interest work—"requires vigilant judicial oversight to guard against the risks of collusion and ensure that judges are not rubber-stamping settlements that pay attorneys while failing to benefit class members."

Before the case reached the Supreme Court, a federal appeals court narrowly approved the settlement, 2-1. The dissenting judge warned that courts must be on the lookout "not only for explicit collusion, but also for more subtle signs that class counsel have allowed pursuit of their own self-interests." EPIC and several consumer privacy organization objected to the original settlement on three separate occasions.

EPIC routinely opposes class action settlements that fail to provide a benefit to Internet users and has filed many briefs on standing in consumer privacy cases. In the Supreme Court case Spokeo v. Robins, EPIC told the Court that "This is not the time for the Supreme Court to limit the ability of individuals to seek redress for violations of privacy rights set out by Congress."

2. EPIC Supports Constitutionality of ‘Robocall’ Law

EPIC has filed an amicus brief in Gallion v. Charter Communications, a Ninth Circuit case concerning the constitutionality of the Telephone Consumer Protection Act—the law that prohibits unwanted "robocalls" and junk faxes.

In 2015, Congress amended the TCPA to permit robocalls to collect debts owed to the government. Charter Communications sued, arguing that the amendment restricts speech based on content and violates the First Amendment. The District Court disagreed, joining courts across the country in upholding the TCPA's constitutionality. Charter appealed the decision to the Ninth Circuit.

In its brief, EPIC argued that the TCPA amendment is not content-based and that it "protects important consumer privacy interests." But even if there is a First Amendment problem, EPIC argued that the court should invalidate the government debt collection exception, not throw out the entire law.

EPIC explained that consumer privacy safeguards "are needed now more than ever," citing changes in technology since the law was enacted and marketing calls targeting cell phones. EPIC also warned the appeals court that Charter's lawsuit is part of "a systematic effort by companies to undermine the purpose of the TCPA and to find new ways to inundate consumers with unwanted calls."

EPIC has long defended the consumer privacy law. EPIC filed an amicus brief in the D.C. Circuit case ACA International v. FCC, a suit which attacked the FCC's broad definition of the term "autodialer." EPIC has also testified in support of the TCPA and submitted extensive comments on the consumer privacy law.

3. D.C. Circuit to Hear Arguments in Case on Right to Informational Privacy

The D.C. Circuit heard arguments this month in the OPM Data Breach suit. The case concerns the data breach at the U.S. Office of Personnel and Management in 2015 that affected 22 million federal employees, their friends, and their family members. EPIC filed an amicus brief in the case, joined by forty-four technical experts and legal scholars (members of the EPIC Advisory Board),

A lower court dismissed the case, which was brought by the American Federation of Government Employees and the National Treasury Employees Union. On appeal, the D.C. Circuit Court of Appeals is set to determine the scope of the constitutional right to informational privacy and the application of Article III standing doctrine to data breach victims.

In its brief to the D.C. Circuit, EPIC emphasized the importance of protecting the right to informational privacy, which applies to the collection, retention, and disclosure of personal data. "Government collection of personal data implicates fundamental due process rights," EPIC wrote. "When the state has failed to safeguard that information, the state has violated those rights." EPIC also noted that "the right to privacy has been broadly adopted in international declarations and enshrined in constitutions in the United States and around the world."

During arguments, a three-judge panel of the D.C. Circuit expressed skepticism at the government's claim that OPM data breach victims lacked "standing" to sue. "You've got an uphill battle," Judge David Tatel told the government.

EPIC has consistently advocated for the recognition of the constitutional right to informational privacy. EPIC filed comments last year with OPM recommending limits on data collection and has proposed updates to the federal Privacy Act. EPIC has repeatedly urged the Supreme Court to fully recognize a right to informational privacy and to ensure Privacy Act damages for non-economic harm.

4. EPIC Seeks Special Counsel Reports on Russian Election Interference

EPIC has submitted an urgent Freedom of Information Act request to the Department of Justice for records about Special Counsel Robert Mueller's investigation into Russian interference in the 2016 U.S. presidential election.

In May 2017, the Acting Attorney General authorized an investigation into Russian interference, including "any links and/or coordination between the Russian government and individuals associated with the campaign of President Donald Trump." Special Counsel Mueller has since brought criminal charges against 33 individuals and three organizations. According to news reports and President Trump's attorneys, Special Counsel Mueller intends to transmit one or more reports detailing his findings.

"In addition to the extraordinary media attention given to the work of the Special Counsel, the requested records concern the potential involvement of the President in a foreign campaign to influence an election that he won; the possible obstruction of justice by the President while in office; the federal government's capacity to defend U.S. election systems and democratic institutions against foreign attacks; and the discharge of a high-profile Special Counsel investigation," EPIC wrote in the FOIA request. "These matters unquestionably bear on the integrity of the government and affect public confidence."

EPIC launched a project on Democracy and Cybersecurity in response to Russian interference in the 2016 presidential election. EPIC has pursued several FOIA cases concerning Russian interference with the 2016 election, including EPIC v. FBI (response to Russian cyberattacks), EPIC v. ODNI (Russian hacking), EPIC v. IRS I (release of President Trump's tax returns), EPIC v. IRS II (release of President Trump's offers-in-compromise), and EPIC v. DHS (election cybersecurity).

5. New Hampshire Voters Establish Constitutional Right to Informational Privacy

In last week's midterm elections, New Hampshire voters overwhelmingly approved a ballot measure that guarantees a constitutional right to informational privacy in the state. The measure, which received over 80% support, amends Article 2 in the New Hampshire Bill of Rights to provide that "an individual's right to live free from governmental intrusion in private or personal information is natural, essential, and inherent."

The sweeping language ensures that New Hampshire residents can legally challenge the collection and retention of personal information. The measure had previously received wide majority support in the New Hampshire House and Senate.

New Hampshire joins a growing number of states with constitutional privacy protections. To date, eleven states have created an explicit constitutional right of privacy. Additionally, Missouri enacted a specific right to privacy in electronic communications. Before enacting the measure, New Hampshire had no explicit protections against government surveillance or other intrusions on privacy.

EPIC Advisory Board member David Flaherty has written about the development of constitutional privacy protections and concluded that "when explicit constitutional and statutory protection for privacy exists . . . individuals are in a much better position to assert their human rights."

Constitutional rights to privacy are increasingly important as private companies and governments seek access to Americans' most sensitive information. To ensure these protections are robustly defended, EPIC regularly files amicus briefs supporting state privacy rights. In a recent federal amicus brief concerning the OPM data breach, EPIC argued that the federal Constitution provides a right to information privacy, and "when personal data is collected by a government agency, that agency has a constitutional obligation to protect the personal data it has obtained."

News in Brief

Facing EPIC Lawsuit, FAA Scraps Secretive Drone Committees

The FAA's Drone Advisory Committee, facing an open government lawsuit from EPIC, has scrapped the secretive committees that developed drone policy. EPIC filed a lawsuit challenging the closed-door meetings with agency officials and industry reps. EPIC also charged that the FAA ignored the privacy risks posed by the deployment of drones—even after identifying privacy as a top public concern. The FAA acknowledged that the committees provided policy advice, but the FAA failed to comply with open government laws. EPIC has a long history of promoting government transparency and advocating for privacy protections against drones.

EPIC Comments on NTIA's Consumer Privacy Framework

EPIC submitted comments to the National Telecommunications and Information Administration—the agency that advises the White House on Internet policy—on the proposed framework for consumer privacy. EPIC backed the "Desired Outcomes:" (1) transparency, (2) control, (3) minimization, (4) security, (5) access and correction, (6) risk management, and (7) accountability. But EPIC urged the agency to support federal baseline legislation, the creation of a data protection agency, and the ratification of the International Privacy Convention. EPIC explained, "These are not policy preferences or partisan perspectives. These are the steps that modern societies must take to safeguard the personal data of their citizens." NTIA Secretary David Redl met with the Privacy Coalition last month.

EPIC Urges Agencies to Abandon Data Practices that Extend Detention of Children

In comments to the Department of Health and Human Services, EPIC urged the agency to abandon a policy of transferring background check information from potential sponsors of unaccompanied children to the DHS. According to reports, children are kept in detention centers for extended periods due to this policy which places sponsors and household members at risk of deportation. The proposed rule also conflicts with HHS's Privacy Impact Assessment, which fails to assess this risk. EPIC had previously warned Congress about the misuse of immigrant data by the DHS.

EPIC Urges Department of Transportation to Adopt Privacy Act Safeguards For 'Insider Threat' Database

In comments to the Department of Transportation, EPIC has proposed privacy safeguards for the agency's "Insider Threat" database. The database would permit boundless collection of personal data on many people unaffiliated with the agency. The Department also plans to exempt the database from Privacy Act obligations that require data minimization and individual access to records. EPIC wrote, "It is as if the agency has placed itself beyond the reach of the American legal system on the issue of greatest concerns to the American public - the protection of personal privacy." EPIC also urged the agency to limit data collection, citing numerous government data breaches that have put individuals at risk. EPIC has consistently warned against overbroad and insecure government databases.

U.S. House Flips, EPIC Seeks Release of Trump Tax Returns

With the change of control in Congress and the ongoing interest in President Trump's tax returns, two EPIC Freedom of Information Act cases will receive renewed attention. In EPIC v. IRS, currently before the D.C. Circuit, EPIC argued that the IRS has the authority to disclose the returns to correct numerous misstatements of fact concerning his financial ties to Russia. President Trump tweetedthat "Russia has never tried to use leverage over me. I HAVE NOTHING TO DO WITH RUSSIA - NO DEALS, NO LOANS, NO NOTHING"—a claim contradicted by his own attorneys, family members, and business partners. EPIC has repeatedly urged Congress to exercise oversight of the IRS and to support the disclosure of the President's returns in EPIC's case. In a second case, EPIC v. IRS II, EPIC is seeking the release of additional tax records related to President Trump and over 300 of his businesses. Two-thirds of voters favor the release of Trump's tax returns.

UK Privacy Commissioner Releases Report on Data Analytics and Political Campaigns

The UK Information Commissioner released a report on the misuse of personal data in the Brexit vote. The investigation "uncovered a disturbing disregard for voters' personal privacy" and found that the Leave.EU campaign and Cambridge Analytica both improperly harvested personal data. The Commissioner's office will fine the Leave.EU campaign and would fine Cambridge Analytica if the firm were not already in bankruptcy proceedings. The UK report proposes a code of practice for the use of personal data in political campaigns. Earlier this year, EPIC and a coalition of consumer groups urged the FTC to investigate the Facebook-Cambridge Analytica matter. In March, the FTC said it would investigate the matter, but there is still no report, no findings and no fine. In response to EPIC's Freedom of Information Act lawsuit, the FTC has released agency emails about the 2011 Facebook Consent Order.

EPIC in the News

• Interview with Pamela Samuelson, Copybuzz, Nov. 14, 2018
• Facebook Failed to Police How Its Partners Handled User Data, New York Times, Nov. 12, 2018
• Renowned scientists and policy advisors speak at CWI Lectures on Privacy and Security, CWI, Nov. 8, 2018
• US election: Divided Congress is good for privacy, Heise Online, Nov. 8, 2018
• Federal Government Could Face 'Uphill Battle' in Appeal of OPM Data Breach Dismissals, Law.com, Nov. 7, 2018
• Privacy Advocate Demands Mueller Report, WND, Nov. 7, 2018
• EPIC Demands Mueller Report, WND, Nov. 7, 2018
• Are Voting Selfies Legal? Not Always, New York Times, Nov. 6, 2018
• LU makes email addresses available to campaigns for a fee as candidates grow increasingly savvy with big data, The News & Advance, Nov. 5, 2018
• Facial recognition cameras may bring exit checks to U.S.-Mexico border, San Antonio Express-News, Nov. 5, 2018
• Political Groups Confuse And Worry Voters With 'They Know If You Vote' Message, NPR, Nov. 5, 2018
• These 12 guidelines could protect us from threats from artificial intelligence, Genetic Literacy Project, Nov. 5, 2018

More EPIC in the News »

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy are available at the EPIC Bookstore.

Recent EPIC Publications

The Privacy Law Sourcebook 2018, edited by Marc Rotenberg (2018)

The Privacy Law Sourcebook is the leading resource for students, attorneys, and policymakers interested in privacy law in the United States and around the world. The Sourcebook includes major US privacy laws such as the Fair Credit Reporting Act, the Privacy Act, the Family Educational Rights and Privacy Act, the Video Privacy Protection Act, and the Electronic Communications Privacy Act. The Sourcebook also includes key international privacy frameworks such as the EU General Data Protection Regulation and the revised OECD Privacy Guidelines. The Privacy Law Sourcebook 2018 has been updated and expanded to include the modernized Council of Europe Convention on Privacy, the Judicial Redress Act, the CLOUD Act, and new materials from the United Nations. The Sourcebook also includes an extensive resources section with useful websites and contact information for privacy agencies, organizations, and publications.

Communications Law and Policy: Cases and Materials, 5th Edition, by Jerry Kang and Alan Butler. Direct Injection Press (2016).

This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas—power, entry, pricing, access, classification, bad content, and intermediary liability—equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.

Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (2015).

The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statues that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.

Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (2015). Price: $25.95.

The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.

The contributors to this anthology don't simply describe these problems or warn about the loss of privacy—they propose solutions.

Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.

Upcoming Conferences and Events

Centrum Wiskunde & Informatica Privacy and Security Lecture. Nov. 17, 2018. CWI, Amsterdam. Marc Rotenberg, EPIC President.

"The Future of Innovation and Digital Transformation: Exploring Societal Impacts." Nov. 19, 2018. OECD Global Strategy Group, Paris, France. Marc Rotenberg, EPIC President.

Electronic Evidence in Criminal Matters. Nov. 27, 2018. LIBE Committee, European Parliament, EPIC International Counsel Eleni Kyriakides.

Dave Miller Memorial Lecture. Dec. 13, 2018. Free Legal Advice Centres, Dublin, Ireland. Marc Rotenberg EPIC President.

EPIC International Champion of Freedom Award. Jan. 30, 2019. Les Halles de Schaerbeek, Brussels, Belgium.

CPDP2019: Data Protection and Democracy. Jan. 30–Feb. 1, 2019. Les Halles de Schaerbeek, Brussels, Belgium.

Aspen Roundtable on AI. Feb. 11-13, 2019. Santa Barbara, CA. Marc Rotenberg, EPIC President

'Going Digital.' Mar. 11-12, 2019. OECD, Paris. Marc Rotenberg, EPIC President.

EPIC Champions of Freedom Awards Dinner. June 5, 2019. National Press Club, Washington, DC.