EPIC Alert 26.24

EPIC Alert logo

1. Privacy Year in Review 2019

As 2019 draws to a close, EPIC looks back on some of the biggest developments in the privacy world from 2019.

Support Grows for U.S. Data Protection Agency
In 2019, lawmakers and civil society groups—echoing repeated calls from EPIC—threw their support behind the creation of a U.S. data protection agency. As EPIC has long argued, the U.S. needs an independent agency to safeguard privacy, ensure compliance with data protection obligations, and address emerging privacy challenges. This year saw the introduction in Congress of the Online Privacy Act, which among other measures would establish a federal data protection agency. A broad coalition of organizations, including the Transatlantic Consumer Dialogue, also joined EPIC in endorsing a U.S. data protection agency.

Facial Surveillance Faces Backlash, Bans
EPIC—joined by a coalition of more than 100 organizations and 1,000 experts—called for a global moratorium on the use of facial surveillance. "Declaration: A Moratorium on Facial Recognition Technology for Mass Surveillance Endorsements" urges governments to suspend the use of facial recognition for mass surveillance pending the establishment of legal rules, technical standards, and ethical guidelines. Congress took up the charge, weighing a moratorium on facial surveillance and a bill that would ban the use of facial recognition in public housing. Four U.S. cities—San Francisco, Oakland, Berkeley, and Somerville, MA—enacted facial recognition bans in 2019, while Massachusetts, Minnesota, New York, and Washington all considered new legal limits on the technology.

OECD Announces AI Principles, U.S. AI Commission Subject to FOIA
The OECD this year announced the OECD Principles on Artificial Intelligence, the first international standard for AI. The OECD AI Principles—backed by the United States and 41 other countries—make central "the rule of law, human rights and democratic values" and set out requirements for fairness, accountability, and transparency. The OECD AI Principles overlap extensively with the Universal Guidelines for Artificial Intelligence, backed by more than 250 experts and 60 associations in 40 countries. EPIC also secured a major legal victory on AI this year, persuading a federal court to hold that the National Security Commission on Artificial Intelligence must comply with the Freedom of Information Act.

Court Withholds Approval of Weak FTC-Facebook Settlement
As a result of key filings by EPIC and other consumer privacy organizations, a federal court has withheld approval of a deeply flawed settlement between the Federal Trade Commission and Facebook for violations of consumer privacy. EPIC told the court that the proposed settlement "is not adequate, reasonable, or appropriate" and that it would extinguish more than 26,000 consumer complaints against Facebook pending at the FTC. The court has ordered Facebook and the FTC to respond to EPIC's arguments. EPIC filed the original complaint in 2009 that created legal authority for the FTC to oversee Facebook. Members of Congress have expressed concern about the proposed settlement, which was narrowly approved by the Commission, 3-2.

Citizenship Question Dropped from 2020 Census
Following a landmark decision by the U.S. Supreme Court, the Census Bureau reversed course and conceded that it would not collect personal data concerning citizenship status on the 2020 Census. The Supreme Court effectively blocked the citizenship question, ruling that the government had failed to provide a "reasoned explanation" for collecting citizenship information. EPIC filed a separate lawsuit to prevent the Census Bureau's collection of citizenship data because the agency had failed to complete required privacy impact assessments. EPIC also filed an amicus brief in the Supreme Court case, joined by 23 legal scholars and technical experts, warning that "collecting citizenship status information from hundreds of millions of U.S. residents presents enormous privacy and security concerns."

Schrems 2.0
The first Schrems decision sent shockwaves through the privacy world in 2015. The ruling elevated EU privacy law, upended the Safe Harbor data sharing agreements, and led policymakers on both sides of the Atlantic to craft Privacy Shield, which some called Safe Harbor but with a new coat of paint. In the 2019 sequel—Schrems 2.0—the EU Advocate General backed data transfers generally but sharply criticized the EU-U.S. Privacy Shield agreement. The Advocate General also said that data protection authorities must enforce privacy obligations. The Advocate General cited EPIC's expert submissions in the case concerning the adequacy of U.S. privacy law.

2. Privacy Issues to Watch in 2020

With the new year nearly upon us, there's a lot to look for on the privacy front in 2020.

Federal Privacy Legislation
The stage is set for Congress to enact a comprehensive data privacy law in 2020. Over the past year, members of Congress put forward a variety of data protection bills and frameworks. EPIC published a legislative report evaluating those proposals—some favorably, some not. The best of the bunch, co-sponsored by Rep. Anna Eshoo and Rep. Zoe Lofgren, would establish a data protection agency, create meaningful privacy safeguards for consumers, and hold companies accountable for the collection and use of personal data. Still other privacy bills would limit facial surveillance, tighten cybersecurity for the Internet of Things and the financial sector, strengthen privacy protections at the border, establish a "do not track" registry, target perpetrators who share intimate images without consent, crack down on data breaches, hold companies accountable for their use of algorithms, and fortify protections for the online privacy of children. What's more: polls show strong public support for the enactment of federal privacy legislation in 2020.

Implementation of California Privacy Law
The California Consumer Privacy Act, the most comprehensive data protection law in the country, goes into effect on January 1, 2020. California Attorney General Xavier Becerra has promised aggressive enforcement of the law and has drafted regulations that will "facilitate consumers' new rights under the CCPA[.]" In comments to the California Attorney General, EPIC backed provisions that would strength consumer protections and identified topics for future action, such as the creation of data protection agency.

Antitrust Enforcement Against Big Data Firms
The tide is turning against big corporate mergers that threaten consumer privacy. The Department of Justice has initiated antitrust reviews of Facebook and Google. Members of Congress have called on the FTC to unwind tech mergers that hurt consumer privacy. EPIC has warned Congress that "companies that protect user privacy are being absorbed by companies that do not protect privacy"—like FitBit's recent acquisition by Google. State attorneys general are scrutinizing tech firms for anticompetitive conduct. And the Federal Trade Commission may block Facebook's integration of WhatsApp user data, a step that EPIC has long urged the FTC to take.

Enforcement of GDPR
Europe adopted a comprehensive framework for privacy protection, but almost 20 months after the GDPR went into force, enforcement actions are few and far between. Privacy advocates and small businesses are growing restless as large tech firms seek to lock down their current data collection practices and enforcement agencies make excuses for inaction. Still, European privacy advocate Max Schrems has lodged several high-profile complaints, and prospects for big announcements before the two-year anniversary of GDPR are good.

Voter Privacy & Election Cybersecurity
It's a presidential election year in the United States, which means voter privacy and election cybersecurity will take on added importance. On the privacy side, Sen. Dianne Feinstein has introduced the Voter Privacy Act, a bill to ensure privacy with respect to voter information. The Act would give voters basic rights regarding their personal data: right of access, right of notice, right of deletion, right to prohibit transfer, and the right to prohibit targeting. On the cybersecurity front, questions linger about the Department of Homeland Security's readiness to prevent the type of foreign election interference that roiled the 2016 presidential election—or worse. Stay tuned for more election security documents due to be released soon in EPIC v. DHS.

Release of Trump Tax Returns
In the coming year, the U.S. Supreme Court will decide whether President Trump can block three separate subpoenas for his financial records, including the President's tax returns. Two federal courts of appeals have ruled that the President's accounting firm must turn over his financial records to the U.S. House and a New York grand jury, respectively. Both cases—and a third case involving financial records of the President held by Deutsche Bank—will be argued in March and decided by June. EPIC previously sought public release of President Trump's tax returns in EPIC v. IRS, arguing that disclosure was necessary to correct numerous factual misstatements made by the President. In EPIC v. IRS II, EPIC is currently seeking "offers-in-compromise" and related tax records of President Trump and his businesses.

3. FAA Launches Rulemaking for Remote Drone ID

Five years after EPIC first recommended that the Federal Aviation Administration establish drone identification rules "similar to the Automated Identification System for commercial vessels," the FAA has proposed regulations that would require nearly all drones in U.S. airspace to be remotely identifiable.

Under the regulations, drones would be required to transmit their location and identification details to an online FAA tracking system. Drones flying more than 400 feet from their operators would also be required to broadcast location and ID to surrounding areas. However, it remains unclear whether the general public will have access to the broadcast ID and location details, or whether the data will be solely available to the FAA and law enforcement agencies.

In 2015, EPIC wrote that "Drones should be required to broadcast their registration information to allow members of the public and law enforcement officials to easily identify the operator and responsible party." EPIC further stated any drone operating in the national airspace system should "include a mandatory GPS tracking feature that would always broadcast the location of a drone when aloft (latitude, longitude, and altitude), course, speed over ground, as well as owner identifying information and contact information."

The European Union's drone regulations incorporate these recommendations. Comments on the FAA proposed rule are due March 2, 2020.

4. Congress Enacts Robocall Legislation

Congress has passed the Telephone Robocall Abuse Criminal Enforcement and Deterrence Act of 2019.

The TRACED Act establishes penalties for certain robocalls and requires voice service provide to develop call authentication technologies. The FCC will develop rules to limit unwanted calls or texts from a caller using an unauthenticated number.

EPIC has long advocated for stronger regulations surrounding robocalls. EPIC provided expert analysis to Congress, submitted numerous comments to the FCC, and filed multiple amicus briefs in appellate courts emphasizing the need to limit robocalls.

5. Poll: Strong Public Support for Privacy Legislation

A new poll of registered voters found that 79% of Americans believe that Congress should enact privacy legislation, and 65% of voters said data privacy is "one of the biggest issues our society faces."

The Morning Consult poll found bipartisan consensus: 83% of Democrats and 82% of Republicans said that privacy legislation should be an important or top priority for Congress.

The Morning Consult poll was conducted Dec. 14–16, 2019. The poll of 1,991 registered voters has a margin of error of 2 percentage points.

EPIC maintains an extensive page on Privacy and Public Opinion which shows consistent support among Americans for stronger privacy laws. EPIC advocates for comprehensive privacy legislation and the establishment of a U.S. data protection agency.

News in Brief

Court Orders Further Briefing in EPIC v. AI Commission

A federal court has ordered the National Security Commission on Artificial Intelligence to respond to EPIC's arguments that the Commission is violating a federal law requiring advisory committees to operate transparently. During a hearing in EPIC v. AI Commission, Judge Trevor N. McFadden ordered the parties to file briefs concerning the Commission's obligation to hold open meetings and publish its records. The court has already ruled that the AI Commission must comply with EPIC's Freedom of Information Act request. In the same hearing, the government stated that the Defense Department will disclose records about the AI Commission in the next 4–6 weeks. The Commission, which is tasked with developing U.S. AI policy, recently released a report to Congress criticizing the EU General Data Protection Regulation and calling for greater "government access to data on Americans."

Members of Congress Question Sale of .ORG

Members of Congress are now turning attention to the proposed sale of the .ORG domain to a private equity fund. In a letter to the Internet Society, the Public Interest Registry, and Ethos Capitol, Senators Wyden, Warren and Blumenthal and Representative Eshoo wrote, "The nonprofit community is understandably concerned about whether Ethos Capital, a private equity firm that has existed for less than six months, will act as a responsible steward over this core component of internet infrastructure." The Members of Congress have asked for responses to a series of questions by January 6, 2020. EPIC's Marc Rotenberg, a founding board member and former chair of PIR, said that the secrecy of the deal was "a failure of process." He told the Financial Times "You can't make decisions about the allocation of internet domain names in the dark." In a recent commentary for The Hill, Rotenberg said that ICANN should block the sale.

DOD Warns Military Personnel Against DNA Tests, Citing Privacy

The Department of Defense is warning military personnel against using home DNA test kits, citing the privacy risks that the tests pose. "These [direct-to-consumer] genetic tests are largely unregulated and could expose personal and genetic information," reads a DOD memo circulated to servicemembers. "Moreover, there is increased concern in the scientific community that outside parties are exploiting the use of genetic data for questionable purposes, including mass surveillance and the ability to track individuals without their authorization or awareness." DNA profiles contain sensitive personal data that can impact employment decisions, insurance availability, and criminal justice outcomes. EPIC's Marc Rotenberg spoke recently with C-Span Washington Journal about the privacy risks of DNA kits. EPIC has backed privacy safeguards for genetic data in comments to federal agencies and amicus briefs for the U.S. Supreme Court.

EU Advocate General Backs Data Transfers, Criticizes Privacy Shield

The EU Advocate General has issued an advisory opinion in "Schrems 2.0," a case about Facebook's transfer of personal data to the United States. The Advocate General backed data transfers generally but sharply criticized the EU-US Privacy Shield agreement. The Advocate also said that data protection authorities must enforce privacy obligations. The Advocate General cited EPIC's expert submissions in the case concerning the adequacy of US privacy law. The case follows the European Court's landmark decision in Schrems v. DPC striking down the "Safe Harbor" arrangement. The European Court of Justice is expected to issue a binding opinion in the next few months. After the original Schrems opinion, EPIC testified in Congress. EPIC's Marc Rotenberg urged Congress to "modernize" US privacy law and also establish an independent privacy agency.

NIST Study Finds Extensive Bias in Face Surveillance Technology

The National Institute of Science and Technology study of Face Recognition Software recently found that false positives are up to 100 times more likely for Asian and African American faces when compared to White faces. NIST examined 189 software algorithms from 99 developers, a "majority of the industry," according to the federal agency. The highest rates of false positives were found for African American females—which NIST says is "particularly important because the consequences could include false accusations." EPIC has called for a global moratorium on the use of Face Surveillance technology. The Public Voice declaration in support of the moratorium has been endorsed by over 100 organizations and 1000 individuals in more than 40 countries.

Intelligence Court Rebukes FBI

The Foreign Intelligence Surveillance Court recently criticized the FBI for misleading judges, following a scathing report from the Inspector General. In a rare public order, the Court explained that the Bureau's representations were "antithetical to the heightened duty of candor" that the government must satisfy in surveillance applications. Presiding Judge Collyer wrote, "The frequency with which representations made by F.B.I. personnel turned out to be unsupported or contradicted by information in their possession, and with which they withheld information detrimental to their case, calls into question whether information contained in other F.B.I. applications is reliable." The Court ordered the FBI to propose new procedures by January 10, 2020. EPIC has advocated for significant FISA reforms for almost 20 years, and recently advised Congress to limit Section 702 of FISA and to sunset Section 215 of the Patriot Act.

EPIC in the News

More EPIC in the News »

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy are available at the EPIC Bookstore. Featured now at the EPIC Bookstore:

The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power, by Shoshana Zuboff (Public Affairs 2019)

The challenges to humanity posed by the digital future, the first detailed examination of the unprecedented form of power called "surveillance capitalism," and the quest by powerful corporations to predict and control our behavior.

  • New York Times Notable Book of the Year
  • One of The Guardian's Best 100 Books of the 21st Century

Recent EPIC Publications

The AI Policy Sourcebook 2020, edited by Marc Rotenberg (EPIC 2020).

The AI Policy Sourcebook includes global AI frameworks such as the OECD AI Principles and the Universal Guidelines for AI. The Sourcebook also includes AI materials from the European Union and the Council of Europe, national AI initiatives, as well as recommendations from professional societies, including the ACM and the IEEE. The Sourcebook also includes an extensive resources section on AI, including reports, articles, and books from around the world.

The Privacy Law Sourcebook 2020, edited by Marc Rotenberg (EPIC 2020).

The Privacy Law Sourcebook is the leading resource for students, attorneys, and policymakers interested in privacy law in the United States and around the world. The Sourcebook includes major US privacy laws. The Sourcebook also includes key international privacy frameworks such as the EU General Data Protection Regulation and the modernized Council of Europe Convention on Privacy. The Privacy Law Sourcebook 2020 includes the new California Consumer Privacy Act, the Illinois Biometric Privacy Act, the Public Voice Declaration for a Moratorium on Facial Recognition, and updates on GDPR implementation. EPIC’s Privacy Law Sourcebook also includes extensive contact information for privacy agencies, organizations, and publications.

EPIC v. Department of Justice: The Mueller Report, commentary by Marc Rotenberg (EPIC 2019).

EPIC v. Department of Justice: The Mueller Report chronicles the efforts to obtain a full account of Russian interference in the 2016 presidential election. EPIC filed the first lawsuit in the country for the release of the full and unredacted Mueller Report and obtained a newly redacted version in early May 2019. EPIC is now challenging the redactions made by the Department of Justice in federal court. This volume is an essential guide to the legal arguments about the redactions, the dispute between the Attorney General and the Special Counsel, and EPIC's request for the Mueller Report and other records about Russian interference in the 2016 presidential election.

Communications Law and Policy: Cases and Materials, 5th Edition, by Jerry Kang and Alan Butler (Direct Injection Press 2016).

This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas—power, entry, pricing, access, classification, bad content, and intermediary liability—equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.

Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM (West Academic 2015).

The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statues that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.

Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott (The New Press 2015).

The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.

The contributors to this anthology don't simply describe these problems or warn about the loss of privacy—they propose solutions.

Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.

Upcoming Conferences and Events

2020 Aspen Institute Roundtable on Artificial Intelligence. Jan. 12-14, 2020. Santa Barbara, CA. Marc Rotenberg, EPIC President.

EPIC International Champion of Freedom Awards. Jan. 22, 2020. Brussels, Belgium.

CPDP 2020: Data Protection and Artificial Intelligence. Jan. 22–24, 2020. Brussels, Belgium. Marc Rotenberg, EPIC President.

EPIC Champion of Freedom Awards Dinner. June 3, 2020. Washington, DC.

Share this page:

Defend Privacy. Support EPIC.
US Needs a Data Protection Agency
2020 Election Security