EPIC Alert 26.02

EPIC Alert logo

1. EPIC, Open Markets, Civil Rights Groups Press FTC on Facebook Consent Order

EPIC recently joined a coalition of groups urging the FTC to issue strong penalties in Facebook matter. The groups told the FTC that it should (1) impose substantial fines; (2) establish structural remedies; (3) require compliance with Fair Information Practices; (4) reform hiring and management practices; and (5) restore democratic governance.

"Given that Facebook's violations are so numerous in scale, severe in nature, impactful for such a large portion of the American public and central to the company's business model, and given the company's massive size and influence over American consumers, penalties and remedies that go far beyond the Commission's recent actions are called for," the letter stated.

Almost a year has passed since the FTC announced it was reopening the investigation into Facebook following the Cambridge Analytica breach. In October, the UK Information Commissioner's Office issued a report and maximum £500,000 fine to Facebook for failing to protect users' personal information.

As EPIC and the coalition told the FTC, "We urge the Commission to either restore the right of Facebook users to have meaningful input into the company's decisions or to recommend to Congress that Facebook be regulated as a public utility."

Nine groups signed the letter: EPIC, Color of Change, Common Sense Media, Constitutional Alliance, Government Accountability Project, Open Market Institute, Privacy Times, Patient Privacy Rights, and Stop Online Violence Against Women. EPIC recently called on the agency to unwind Facebook's acquisition of WhatsApp.

2. EPIC Seeks Injunction to Block Census Citizenship Question

EPIC is seeking a preliminary injunction to block the Census Bureau from adding a question about citizenship to the 2020 Census. EPIC alleges that the Census Bureau failed to complete privacy impact assessments, as required by law, before it abruptly added the question to the census last year.

"Unique among federal agencies, the U.S. Census Bureau is authorized by law to compel, from every person in the United States, their personal data including age, sex, race, ethnicity, family relationships, and homeownership status," EPIC told the court. "The extraordinary reach of the Bureau into the private lives of Americans brings with it extraordinary risks to privacy."

"EPIC has repeatedly warned the Census Bureau of the defective nature of the proposed census collection, yet the agency continues to move forward with this unlawful agency action," EPIC added. "Key deadlines are fast approaching, and major privacy risks have not been addressed by the agency."

A federal court in New York recently blocked the citizenship question, ruling that Secretary of Commerce Wilbur Ross "violated the public trust" in introducing the question. The Census Bureau has appealed that decision to the U.S. Supreme Court.

EPIC filed an amicus brief in the New York case and has long advocated for robust protections for census data. EPIC has also filed numerous successful lawsuits to require privacy impact assessments, including EPIC's lawsuit that led a now-defunct Presidential Commission to delete state voter data it unlawfully obtained.

EPIC's case is EPIC v. Commerce Department, No. 18-2711 (D.D.C.). The Court has scheduled a hearing for February 8.

3. Unanimous Decision in Illinois Supreme Court Ensures Strict Limits on Biometric Data Collection

Last week, the Illinois Supreme Court ruled in Rosenbach v. Six Flags that corporations can be held liable for violating individuals' rights to control their biometric data under an Illinois privacy law. EPIC filed an amicus brief in the case, arguing that the biometric privacy law "imposes clear responsibilities on companies that collect biometric identifiers" and that, if these provisions are "not enforced, the statute's subsequent provisions are of little consequence."

The parents of a child sued the Six Flags theme park after the park collected the child's fingerprints, charging a violation of the Illinois biometric privacy law. The theme park claimed that the parents must show some additional harm.

The Illinois Court held that, when companies violate the law, "the injury is real and significant." The court explained that requiring a showing of additional harm "would be completely antithetical to the Act's preventative and deterrent purposes."

"When private entities face liability for failure to comply with the law's requirements without requiring affected individuals or customers to show some injury beyond violation of their statutory rights, those entities have the strongest possible incentive to conform to the law and prevent problems before they occur and cannot be undone," the court wrote.

EPIC has long advocated for strict limits on use of biometric data and for an individual's right to sue when their privacy rights are violated. In December, EPIC filed an amicus brief in Patel v. Facebook, another case concerning the Illinois biometric privacy law. EPIC also filed an amicus brief in the OPM data breach, a case that concerned the breach of 5.1 million fingerprints—precisely the same biometric data at issue in this case. EPIC first raised concern about the use of biometric identification in theme parks more than a decade ago after Disney implemented a biometric system to identify users of annual and seasonal passes abandoning the use of a barcoded laminated photo ID pass.

4. EPIC Honors 2019 International Privacy Champions

EPIC presented the 2019 International Privacy Champion Awards to Giovanni Buttarelli, European Data Protection Supervisor, and Joe McNamee, long time Executive Director of the European Digital Rights Initiative. The awards were presented at the annual conference on Computers, Privacy, and Data Protection in Brussels, Belgium on January 30. EPIC announced the awards in conjunction with International Privacy Day, which commemorates the first international treaty for privacy and data protection.

Giovanni Butarelli is the European Data Protection Supervisor. Prior to his appointment. Mr. Butarelli served as both Assistant Supervisor and Secretary General at the Italian Data Protection Authority. Mr. Butarelli recently hosted the groundbreaking 40th edition of the International Conference of Data Protection and Privacy Commissioners on "Debating Ethics."

Joe McNamee was Executive Director of EDRi for over nine years. EDRi is a powerful association of civil and human rights organizations from across Europe defending rights and freedoms in the digital environment.

Past EPIC Privacy Champion Max Schrems presented the award to Joe McNamee. Shoshana Zuboff, EPIC board member and the author of The Age of Surveillance Capitalism, presented the award to Giovanni Buttarelli.

"Giovanni Butarelli is a beacon for a data protection across the European Union and around the world," EPIC President Marc Rotenberg said. "He is the guiding light for the establishment of privacy as a fundamental right in our modern age. And Joe McNamee's dedication, perseverance, and wry humor has helped transform the politics of privacy in the EU."

The EPIC International Privacy Champion Award was first presented in 2009 to Italian jurist Professor Stefano Rodotà€. Since then, the award has gone to leading privacy advocates and government officials. EPIC also presents an annual Champion of Freedom Award, which was first given to U.S. Senator Patrick Leahy in 2004. The award has since been presented to leading U.S. government officials, judges, lawyers, and advocates. EPIC will present its Champion of Freedom Award on June 5, 2019, at the National Press Club in Washington, DC.

5. EPIC Publishes Simon Davies Memoir, 'Privacy: A Personal Chronicle'

EPIC has published Simon Davies's memoir, Privacy: A Personal Chronicle. Simon Davies is founder of Privacy International and one of the most effective privacy advocates in the world.

Privacy has become one of the most important public policy issues of our time, but how did we get here? Davies' book tells inside story of privacy campaigns that captured media attention and transformed the world. The memoir is part law and technology primer, part tale of how one person can make a difference.

Davies explains that the book is "my story of how the privacy movement has grown from its fledgling steps in the 1980s to a real powerhouse of economic social and political change." Davies described the memoir in his own words in a video recorded for the EPIC Blog.

The memoir was released at the conference on Computers, Privacy, and Data Protection in Brussels, Belgium on January 30, 2019. More than 1,200 people from 60 countries attended the 11th annual CPDP conference.

Privacy: A Personal Chronicle is now available in the EPIC Bookstore in e-book and paperback.

EPIC Book Review: 'Re-Engineering Humanity'

Re-Engineering Humanity, by Brett Frischmann & Evan Selinger

Are increasing technological advances and the integration of technology into our lives turning us into simple machines? This is one of the central questions explored by Professors Brett Frischmann and Evan Selinger in this thought-provoking book. Re-engineering Humanity takes a big-picture view, exploring society's embrace of IOT devices, machine-learning algorithms, and other tools that increasingly reduce our lives to data points.

Frischmann and Selinger begin by explaining the concept of techno-social engineering, which "refers to processes where technologists and social forces align and impact how we think, perceive, and act." A major part of techno-social engineering is surveillance. The authors describe how our surveillance society—particularly our surveillance capitalist society—has contributed to our own techno-social engineering.

Re-engineering Humanity is split up into four parts. The first part of the book illustrates how techno-social engineering affects our behavior and explores why it is so hard to see that this engineering is happening. The second part traces the historical ability of technology to shape and influence our society. With this primer, the authors help us understand the growing scale, scope, and influence of the tools of techno-social engineering. The third part of the book focuses on a framework for recognizing and assessing techno-social engineering. The final part discusses ways to address the consequences of techno-social engineering.

Professors Frischmann and Selinger shine a bright light on the current path of our surveillance capitalist society, using a combination of detailed analysis, contemporary examples, and thought experiments. The authors explain that as we (and information about us) increasingly become the product, we are also becoming simple machines programmed by our technology to respond in certain ways. As Frischmann and Selinger suggest, techno-social engineering is a powerful force that requires us to responsibly evaluate its use. And "if we don't accept that responsibility, we risk becoming means to others' ends."

—Jeramie D. Scott

News in Brief

EPIC Sues Border Agency about Searches of Cellphones

EPIC is filing a lawsuit to compel a federal agency to release audits so as to determine whether the searches of electronic devices are lawful. The Border Search Directive sets out when and how Customs and Border Patrol officials may inspect cellphones, tablets, and laptop computers of travelers crossing the US border. The Directive requires the agency to develop an auditing mechanism to ensure lawful searches, yet the agency has not published the auditing requirements or the results of the audits. So, EPIC has sed for the release of the procedures. The American Bar Association recently adopted a new policy that urges Congress, the courts, and the Department of Homeland Security to enact legislation and adopt policies to protect the privacy rights of travelers. EPIC filed a related lawsuit against Immigration and Customs Enforcement for information about the warrantless searches of cell phones.

EPIC Joins Statement to Facebook, End Messenger for Kids

EPIC joined a letter with fourteen other public interest groups to Mark Zuckerberg, calling on the Facebook CEO to shut down Facebook Messenger Kids, and cease all child-targeted business operations. This coalition effort, led by Campaign for a Commercial-Free Childhood, follows reporting that Facebook made millions of dollars by intentionally duping kids into making accidental purchases while playing games. Last year, the groups called on the company to shut down Facebook Messenger Kids based on research linking adolescent social media use with depression, poor sleep habits, and unhealthy body image. Senators Markey (D-MA) and Blumenthal (D-CT) also wrote a letter to Zuckerberg requesting answers on children's use of Facebook. EPIC, civil rights, and open market groups recently urged the FTC to act on numerous violations of the 2011 Consent Order.

American Bar Association Takes Stand on Privacy Rights and Border Searches

Leaders of the American Bar Association tackled a wide range of policy issues at their recent midyear meeting, including privacy at the border. The ABA adopted a new policy that "Urges the federal judiciary, Congress, and the Department of Homeland Security to enact legislation and adopt policies to protect the privacy interests of those crossing the border by imposing standards for searches and seizures of electronic devices, protection of attorney-client privilege, the work product doctrine, and lawyer-client confidentiality." The resolution was introduced by the ABA Section of Civil Rights and Social Justice and the Criminal Justice Section. EPIC Senior Counsel Alan Butler is the Chair of the ABA Civil Rights and Social Justice Section's Committee on Privacy and Information Protection. EPIC has previously submitted "friend of the court" briefs advocating for Fourth Amendment protection of cell phone data in Riley v. California and Carpenter v. United States.

During Government Shutdown, Facebook Moves to Integrate WhatsApp User Data

The New York Times recently reported that Facebook is planning to integrate WhatsApp, Facebook Messenger, and Instagram. Last week, EPIC joined a coalition of groups urging the FTC to unwind the Facebook-WhatsApp merger, citing promises the companies made at time of the merger. In 2014, EPIC and the Center for Digital Democracy warned the Commission that Facebook incorporates user data from companies it acquires, and that WhatsApp users objected to the acquisition. The FTC responded to EPIC and CDD and told Facebook and WhatsApp "if the acquisition is completed and WhatsApp fails to honor these promises, both companies could be in violation of Section 5 of the FTC Act and potentially the FTC's order against Facebook." The FTC letter concludes "hundreds of millions of users have entrusted their personal information to WhatsApp. The FTC staff continue to monitor the companies' practices to ensure that Facebook and WhatsApp honor the promises they have made to those users." Recently Senators Markey and Blumenthal expressed concern over the impact of the government shutdown on the FTC's investigation into Facebook. On Thursday, the House Commerce Committee held a hearing on the impact of the government shutdown on the FTC's Facebook investigation.

EU Receives 95,000 Privacy Complaints, Still No News from U.S. FTC on Facebook Case

According to the European Commission, recent figures from the European Data Protection Board reveal that EU Data Protection Authorities have received more than 95,000 complaints from citizens across the continent. In a joint statement on International Privacy Day, the Commissioners said "Citizens have become more conscious of the importance of data protection and of their rights. And they are now exercising these rights, as national Data Protection Authorities see in their daily work." The European Data Protection Board also reported that the majority of the complaints were related to activities such as telemarketing, promotional e-mails, and video surveillance. In the United States, the Federal Trade Commission announced in March 2018 that it was reopening the Facebook investigation, following news that Cambridge Analytica improperly harvested the personal data of 87 millions users. Still no word from the FTC on how that one case is proceeding.

New Edition of GDPR Today Now Available

A new edition of GDPR Today is now available. The online hub of the latest developments in data protection—launched by EDRi, a powerful association of European NGOs—is designed to implement the EU General Data Protection Regulation. The latest issue details the EU-Japan agreement on international transfers of personal data, NGO complaints that tech companies violated individuals' right to access their data, and recent criticism of U.S. compliance with the EU-U.S. Privacy Shield. EPIC has encouraged U.S. companies to offer GDPR protections to all consumers. The 2018 Privacy Law Sourcebook also includes the full text of the GDPR.

European Privacy Board Report Criticizes Privacy Shield Compliance

A report from the European Data Protection Board, an influential independent European privacy body, criticizes U.S. oversight of the EU-U.S. Privacy Shield. The European Commission recently renewed the framework permitting the flow of European consumers' personal data to the U.S. However, the Board now states U.S. oversight of compliance lacks "substantial checks." The EU Data Protection Board encouraged the Privacy and Civil Liberties Oversight Board to review U.S. surveillance authorities, and stated that the Privacy Shield Ombudsperson could not be considered an "effective remedy" for privacy violations. During review of Privacy Shield, EPIC cited concerns about the failure of the FTC to enforce the 2011 Consent Order against Facebook, passage of the CLOUD Act, and renewal of bulk foreign intelligence surveillance.

Public Voice Urges World Economic Forum to Adopt Universal Guidelines for AI

Last week, The Public Voice urged participants at Davos to adopt the Universal Guidelines for AI to protect human rights, and to ensure access, inclusion, and equity for global citizens. Leaders of the World Economic Forum launched the 2019 Davos conference this week, with several events on privacy and AI to develop technology policies that are "underpinned by the necessary ethical principles and values-based framework." In opening remarks, Klaus Schwab said the 4th Industrial Revolution demands human-centered, inclusive, and sustainable solutions. @ThePublicVoice urged adoption of the UGAI principles to reduce bias in decision-making algorithms, ensure digital globalization is inclusive, create human-centered evidence-based policy, promote safety in AI deployment in national security uses, and rebuild trust in institutions.

Census Bureau: 99 Percent of Commenters Oppose Citizenship Question

According to a Census Bureau report, 99 percent of commenters who gave feedback on the 2020 Census are opposed to the planned addition of the citizenship question. The Bureau received more than 136,000 comments against the collection of citizenship data, many of which were signed by multiple individuals and organizations. EPIC filed comments opposing the citizenship question, arguing that it will interfere with the census's constitutional purpose and undermine the integrity of the census. EPIC is currently seeking a preliminary injunction to block the collection of citizenship data because the Bureau failed to complete privacy impact assessments required by law. The Court has scheduled a hearing for Feb. 8.

Federal Court Rules Police May Not Compel Passenger ID During Traffic Stop

The Ninth Circuit has ruled that the police violated the Fourth Amendment when they asked a passenger to provide identification. The Court found that "a demand for a passenger's identification is not part of the mission of a traffic stop." As the court explained, "The identity of a passenger...will ordinarily have no relation to a driver's safe operation of a vehicle." EPIC filed a "friend of the court" brief in a similar case before the Supreme Court in 2004. In Hiibel v. Sixth Judicial District, the Supreme Court narrowly upheld a state identification law for the driver of a vehicle. EPIC argued in Hiibel that "A name is now no longer a simple identifier: it is the key to a vast, cross-referenced system of public and private databases, which lay bare the most intimate features of an individual's life." EPIC also filed amicus brief in Watchtower Bible v. Stratton, concerning the right of anonymity. In that case the Supreme Court ruled that an ordinance requiring door-to-door petitioners to obtain a permit and identify themselves violated the First Amendment.

Senators Urge FTC to Act Against Facebook

In a letter to the Federal Trade Commission, Senators Ed Markey and Richard Blumenthal pushed the Commission to take swift action against Facebook, despite the government shutdown. "While we have repeatedly expressed concerns about the pace of this investigation, we fear that the current government shutdown further threatens the FTC's ability to complete this investigation," the Senators wrote. "When Americans' privacy is breached, they deserve a speedy and effective response." The letter comes nearly ten months after the FTC announced it would reopen an investigation into Facebook after EPIC's urging. Since then, EPIC has urged the Commission to act and has repeatedly highlighted Facebook's violations of the 2011 consent order in statements to Congress. The 2011 consent order followed an extensive complaint filed by EPIC and a coalition of consumer privacy organizations in 2009.

Consumer Organizations Announce New Framework for US Privacy Protection, Propose Privacy Agency

EPIC joined 16 organizations in support of a "A Framework for Privacy Protection in the United States." The consumer groups outlined a new approach to privacy protection: (1) enact baseline federal legislation; (2) enforce fair information practices; (3) establish a data protection agency; (4) ensure robust enforcement; (5) establish algorithmic governance; (6) prohibit "take it or leave it" terms; (7) promote privacy innovation; and (8) limit government access to personal data. The consumer framework states that the Federal Trade Commission has failed to enforce the orders it has established. "The US needs a federal agency focused on privacy protection, compliance with data protection obligations, and emerging privacy challenges." [Press Release]

EPIC in the News

More EPIC in the News »

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy are available at the EPIC Bookstore.

Recent EPIC Publications

The Privacy Law Sourcebook 2018, edited by Marc Rotenberg (2018)

The Privacy Law Sourcebook is the leading resource for students, attorneys, and policymakers interested in privacy law in the United States and around the world. The Sourcebook includes major US privacy laws such as the Fair Credit Reporting Act, the Privacy Act, the Family Educational Rights and Privacy Act, the Video Privacy Protection Act, and the Electronic Communications Privacy Act. The Sourcebook also includes key international privacy frameworks such as the EU General Data Protection Regulation and the revised OECD Privacy Guidelines. The Privacy Law Sourcebook 2018 has been updated and expanded to include the modernized Council of Europe Convention on Privacy, the Judicial Redress Act, the CLOUD Act, and new materials from the United Nations. The Sourcebook also includes an extensive resources section with useful websites and contact information for privacy agencies, organizations, and publications.

Communications Law and Policy: Cases and Materials, 5th Edition, by Jerry Kang and Alan Butler. Direct Injection Press (2016).

This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas—power, entry, pricing, access, classification, bad content, and intermediary liability—equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.

Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (2015).

The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statues that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.

Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (2015). Price: $25.95.

The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.

The contributors to this anthology don't simply describe these problems or warn about the loss of privacy—they propose solutions.

Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.

Upcoming Conferences and Events

CPDP2019: Data Protection and Democracy. Jan. 30–Feb. 1, 2019. Les Halles de Schaerbeek, Brussels, Belgium.

Public Information and Voter Registration Databases. Feb. 3, 2019. National Association of State Secretaries, Washington, DC. Marc Rotenberg, EPIC President.

OECD AI Meeting. Feb. 7­–9, 2019. Dubai, UAE. Marc Rotenberg, EPIC President.

Aspen Roundtable on AI. Feb. 11-13, 2019. Santa Barbara, CA. Marc Rotenberg, EPIC President

'Going Digital.' Mar. 11-12, 2019. OECD, Paris. Marc Rotenberg, EPIC President.

’Privacy: Has Targeted Marketing Gone Too Far?' Mar. 13, 2019. SXSW, Austin, Texas. Christine Bannan, EPIC Consumer Protection Counsel.

AI World Society. Apr. 25, 2019. Harvard University, Cambridge, MA. Marc Rotenberg, EPIC President.

EPIC Champions of Freedom Awards Dinner. June 5, 2019. National Press Club, Washington, DC.

Share this page:

Defend Privacy. Support EPIC.
EPIC Mueller Report book
US Needs a Data Protection Agency