EPIC Alert 27.11

1. Top Court in Europe Invalidates EU-U.S. Privacy Shield, Citing Lack of Privacy Safeguards and Overbroad U.S. Surveillance Laws

The European Court of Justice issued a landmark decision this month in Irish Data Protection Commissioner v. Facebook & Schrems, a case concerning transfers of personal data by Facebook between the EU and the United States. The ruling, which calls into question the adequacy of privacy protection in the United States, has major implications for U.S. lawmakers and corporations.

The court considered the validity of transfers made from companies in the EU to companies in the U.S. under the EU-U.S. Privacy Shield agreement or pursuant to "standard contractual clauses." Although both methods had previously been authorized by the European Commission, the court held that the Privacy Shield was invalid and that transfers could not be made under standard clauses where personal data is not adequately protected.

Because U.S. surveillance law authorizes the mass processing of personal data transferred from abroad (under Section 702 of the FISA), Privacy Shield "cannot ensure a level of protection essentially equivalent to that guaranteed by" the EU's Charter of Fundamental Rights, the court wrote. "In the light of all of the foregoing considerations, it is to be concluded that the Privacy Shield Decision is invalid."

EPIC participated as an amicus curiae in the case and argued that U.S. surveillance law does not provide an equivalent level of protection because it does not provide adequate protections or remedies for non-U.S. persons abroad. EPIC was represented in this case by the Free Legal Advice Centres (FLAC) and by barristers Grainne Gilmore and Colm O'Dwyer, SC. EPIC's full press release is available here.

2. White House Tells EPIC to Delete COVID-19 Records, EPIC Declines

In an unusual development, the White House recently "ordered" EPIC to delete a set of records that EPIC had obtained from the Office of Science & Technology Policy—a request which EPIC declined.

Last week, EPIC published hundreds of records about the White House's response to the COVID-19 pandemic and proposals to use location data for public health surveillance (1, 2, 3, 4). The documents were produced in response to an EPIC Freedom of Information Act request.

The records showed that a tech sector task force closely aligned with the White House sought to aggregate "non-clinical location data" for "disease surveillance," including cell phone location data, Uber trip data, and Google search data. OSTP described the location tracking proposals as "certainly interesting" and sought to "establish a portal/clearinghouse" for such submissions—but also told the tech sector task force that it was "not engaged in any activities relating to location data."

Hours after EPIC posted the records, a White House attorney sent EPIC a letter "order[ing]" EPIC "to immediately cease using and disclosing" one set of records and to "destroy all electronics copies." The letter stated that OSTP had "inadvertently and erroneously" provided EPIC with an unredacted copy of the records.

Although EPIC voluntarily decided to redact personal contact information contained in the documents, EPIC informed the OSTP that it would still make the records available to the public. Under the Freedom of Information Act, a federal agency is not entitled to "claw back" a record that it discloses to a requester.

EPIC has filed numerous FOIA requests concerning the federal government's COVID-19 response and has compiled a resource page about privacy and the pandemic.

3. EPIC Amicus: To Protect Privacy, California Must Preserve All-Party Consent for Call Recording

EPIC, the Consumer Federation of California, and Consumer Action have filed an amicus brief urging the California Supreme Court to preserve its long-standing rule requiring all parties to consent to the recording of a call.

Consumers in the case, Smith v. LoanMe, sued the online lender for surreptitiously recording customer calls in violation of the California Invasion of Privacy Act. A lower court dismissed the case because it interpreted the law as only applying to third-party eavesdroppers, not parties to the call. The California Supreme Court is now reviewing the decision.

The amicus brief from EPIC and others argues that "recording a call poses unique threats to privacy because a permanent record of the private communication can be made surreptitiously without the consent, or even knowledge, of the caller." The brief also explains that "the need to preserve California's all-party consent law is more urgent now than ever before" because COVID-19 has forced millions of Californians "to conduct their personal and business lives remotely, relying on voice and video calls to complete their work, to pursue their education, to preserve their relationships, and to maintain basic human connections."

"The increased use of call technology exacerbates the risk that private communications—concerning issues of political involvement, health and other private matters, or sensitive financial data—could be recorded and disclosed against an individual's will," the brief continues. "That is precisely what the California Invasion of Privacy Act was enacted to prevent, and this Court should preserve those protections."

EPIC routinely files amicus briefs in cases implicating consumer privacy.

4. EPIC to Congress: Create a U.S. Data Protection Agency

In advance of this week's Congressional hearing on "Online Platforms and Market Power"—at which the CEOs of Amazon, Apple, Facebook, and Google testified—EPIC told the House Judiciary Subcommittee on Antitrust that the U.S. needs a Data Protection Agency. EPIC told lawmakers that merger review must consider data protection.

"The United States stands virtually alone in its unwillingness to address privacy as an increasingly important dimension of competition in the digital marketplace," EPIC wrote. "If the largest Internet firms continue to buy up new market entrants and assimilate their users' data into the existing platforms then there will be no meaningful opportunity for firms to compete with better privacy and data security practices."

EPIC pointed to the Facebook-WhatsApp deal and the failure of the FTC to protect the personal data of WhatsApp users after the merger. EPIC noted that if the FTC approves Google's acquisition of Fitbit, it will be the 230th firm that Google or Alphabet has acquired "with little action from U.S. antitrust regulators."

EPIC also urged the Subcommittee to hold a hearing on H.R. 4978, the Online Privacy Act. EPIC's recent report, Grading on a Curve: Privacy Legislation in the 116th Congress, sets out the key elements of a modern privacy law, including federal baseline legislation and the creation of a Data Protection Agency.

5. AI Commission Holds First Public Meeting Following Decision in EPIC Case

The National Security Commission on Artificial Intelligence held its first-ever public meeting last week to discuss the Commission's recommendations on the use of AI in national security and defense contexts. A recording is available here, and materials from the meeting can be found here.

The Commission's latest recommendations include "[c]reating a framework for the ethical and responsible development and fielding of AI." However, the Commission failed to urge Congress to establish baseline rules for the use of AI by federal agencies, calling instead for non-binding "norms and best practices."

Public access to the Commission's meeting is the result of a recent court ruling in EPIC v. AI Commission that the Commission is subject to the transparency requirements of the Federal Advisory Committee Act. The Commission previously operated largely in secret, including dozens of closed-door meetings and briefings from tech firms and defense contractors. But in June, Judge Trevor N. McFadden ordered the Commission to hold open meetings and regularly publish its records in the future.

Judge McFadden previously ruled that the AI Commission is subject to the Freedom of Information Act, and the Commission has disclosed thousands of pages of records to EPIC since January. The case is EPIC v. AI Commission, No. 19-2906 (D.D.C.).

News in Brief

EPIC Releases Report on Pretrial Risk Assessments

EPIC has released a report on Pretrial Risk Assessments. The report, Liberty at Risk: Pre-trial Risk Assessment Tools in the U.S., provides an overview of Risk Assessment Tools that practitioners and scholars can use to understand the nature of these systems, understand the broader context in which they are used, and help focus their evaluations of the fairness of these systems. EPIC hosted a panel on the topic on July 8, available to watch here. EPIC advocates for Algorithmic Transparency and maintains a resource on Algorithms in the Criminal Justice System.

NIST Study Finds Masks Undermine Face Recognition Accuracy

A recent study conducted by the National Institute of Standards and Technology showed that face masks undermine the accuracy of facial recognition algorithms. The NIST study tested digitally applied masks of various shapes on 89 commercial algorithms. The result was error rates between 5% and 50%. The algorithms tested were all created pre-Covid-19. NIST plans to test facial algorithms developed with face masks in mind later this summer. A previous NIST study released at the end of last year found that false positives are up to 100 times more likely for Asian and African American faces compared to White faces. EPIC has previously launched a Ban Face Surveillance campaign and called for a facial recognition moratorium across the globe, as well as suspension across the federal government and in U.S. schools.

EPIC to Congress: Reform Section 230

In a statement to the Senate Commerce Committee, EPIC supported reforms to Section 230 of the Communications Decency Act. The Committee is considering the bipartisan Platform Accountability and Consumer Transparency (PACT) Act, which requires online platforms to give notice of their content moderation policies and to make a complaint system available, and sets deadlines by which platforms must process complaints. EPIC urged the Committee to expand the Act's provisions on injunctive relief, which currently only require platforms to take down content if ordered by a court to do so in limited types of cases. "When a court finds that content has been posted illegally or in violation of an individual's rights, there should be a legal mechanism to order online platforms to remove that content," EPIC said. "The bill should be amended to make clear that platforms must comply with court orders to remove content deemed unlawful regardless of the type of legal claim involved." In an amicus brief in Herrick v. Grindr, EPIC objected to a court decision that found "online platforms bear no responsibility for the harassment and abuse their systems enable."

DOJ Says It Will Release More of Mueller Report in EPIC Case

The Department of Justice, as part of the open government case EPIC v. DOJ, has announced in a court filing that it will disclose additional material from the Mueller Report. The DOJ said it had "determined that certain information in the Report now could be released without harming government interests or pending matters." However, the DOJ asserted that it would not publish the additional material until "after the Court has issued its ruling on the redactions" to the Report. Judge Reggie B. Walton is currently conducting an "in camera" review of the complete Mueller Report to determine which passages must still be released. The court recently posed a series of questions to the DOJ about its redactions to the Report, and the DOJ responded to the court last week. Both filings are sealed from the public, but a heavily redacted version of the DOJ's response shows that Judge Walton questioned every legal basis asserted by the DOJ to withhold material in the Report. EPIC's case previously forced the DOJ to disclose additional material from the Mueller Report concerning Roger Stone. The case is EPIC v. DOJ, No. 19-810.

EPIC Files Application to the International Criminal Court on Location Data Privacy

EPIC has filed a request to submit an amicus brief in the International Criminal Court concerning the recognition of an international right to privacy in cell site location information ("CSLI"). Investigators in the case, The Prosecutor v. Yekatom & Ngaïssona, obtained two years of defendant Yekatom's cell location data from a telecommunications company in the Central African Republic without prior judicial authorization. EPIC wrote that "there is increased recognition in the international community that cell phone metadata, and CSLI in particular, can reveal sensitive personal information by allowing investigators to track an individual's movements over time and infer their habits, social associations, and even political and religious beliefs." Should the ICC grant EPIC's application, EPIC will file a full amicus brief arguing that the international right to privacy includes privacy in cell location data. EPIC filed an amicus brief in Carpenter v. United States, in which the U.S. Supreme Court determined that law enforcement could not obtain historical cell location data without a warrant. EPIC has also participated as amicus curiae in cases involving the right to privacy under international law, including most recently Irish Data Protection Commissioner v. Facebook & Schrems, in which the top European court invalidated the EU-US Privacy Shield.

Federal Appeals Court Sounds Alarm Over Predictive Policing

Judges on a federal appeals court took aim yesterday at predictive policing, the practice of using algorithmic analysis to predict crime and direct law enforcement resources. The Fourth Circuit ruled that Richmond police violated the Fourth Amendment when they stopped and searched the defendant, Billy Curry, simply because he was walking near the scene of a shooting. In a dissent, Judge J. Harvie Wilkinson called the court's decision a "gut-punch to predictive policing." But others on the court responded to highlight the dangers and failings of the practice. Chief Judge Roger Gregory questioned whether predictive policing is "a high-tech version of racial profiling." Judge James A. Wynn highlighted the "devastating effects of over-policing on minority communities" and explained that predictive policing "results in the citizens of those communities being accorded fewer constitutional protections than citizens of other communities." Judge Stephanie D. Thacker warned that "any computer program or algorithm is only as good as the data that goes into it" and that predictive policing "has been shown to be, at best, of questionable effectiveness, and at worst, deeply flawed and infused with racial bias." EPIC has long highlighted the risks of algorithms in the criminal justice system and recently obtained a 2014 Justice Department report detailing the dangers of predictive policing.

D.C. Circuit Reverses District Court Ruling on Unsealing Electronic Surveillance Records

Earlier this month, the D.C. Circuit reversed a lower court decision and ruled that electronic surveillance records in closed federal investigations are subject to public access. Investigative journalist Jason Leopold and the Reporters Committee for Freedom of the Press litigated for years to unseal electronic surveillance records that allow law enforcement to collect different types of electronic information for surveillance, including metadata about a telephone subscriber's activity or cell site location information. The lower court determined that the administrative burden of providing public access to these sealed records was enough to justify the interminable sealing of these records. But the D.C. Circuit reversed the lower court's decision, stating that "although administrative burden is relevant to how and when documents are released, it does not justify precluding release forever. … Production may be time-consuming, but time-consuming is not the same thing as impossible." The D.C. Circuit noted that providing public access to judicial records like the electronic surveillance records at issue "is a fundamental element of the rule of law" and "is the duty and responsibility of the Judicial Branch." EPIC is currently litigating a case against the Department of Justice seeking the public release of information about the agency's collection of cell site location information through "§ 2703(d) orders" and warrants. The case is EPIC v. DOJ, No. 18-1814 (D.D.C.).

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy, are available at the EPIC Bookstore. Featured now at the EPIC Bookstore:

EU Law in Populist Times: Crises and Prospects (Francesca Bignami ed., 2020).

Authored by leading academics and policymakers, EU Law in Populist Times provides a comprehensive and cutting-edge analysis of the fields of European Union law at the heart of contemporary political debates—economic policy, human migration, internal security, and constitutional fundamentals at the national level.

Recent EPIC Publications

The AI Policy Sourcebook 2020, edited by Marc Rotenberg (EPIC 2020).

The AI Policy Sourcebook includes global AI frameworks such as the OECD AI Principles and the Universal Guidelines for AI. The Sourcebook also includes AI materials from the European Union and the Council of Europe, national AI initiatives, as well as recommendations from professional societies, including the ACM and the IEEE. The Sourcebook also includes an extensive resources section on AI, including reports, articles, and books from around the world.

The Privacy Law Sourcebook 2020, edited by Marc Rotenberg (EPIC 2020).

The Privacy Law Sourcebook is the leading resource for students, attorneys, and policymakers interested in privacy law in the United States and around the world. The Sourcebook includes major U.S. privacy laws. The Sourcebook also includes key international privacy frameworks such as the EU General Data Protection Regulation and the modernized Council of Europe Convention on Privacy. The Privacy Law Sourcebook 2020 includes the new California Consumer Privacy Act, the Illinois Biometric Information Privacy Act, the Public Voice Declaration for a Moratorium on Facial Recognition, and updates on GDPR implementation. The Sourcebook also includes an extensive resources section with information on privacy agencies, organizations, and publications.

EPIC v. Department of Justice: The Mueller Report, edited by Marc Rotenberg (EPIC 2019).

EPIC v. Department of Justice: The Mueller Report chronicles the efforts to obtain a full account of Russian interference in the 2016 presidential election. EPIC filed the first lawsuit in the country for the release of the full and unredacted Mueller Report and obtained a newly redacted version in early May 2019. EPIC is now challenging the redactions made by the Department of Justice in federal court. This volume is an essential guide to the legal arguments about the redactions, the dispute between the Attorney General and the Special Counsel, and EPIC's request for the Mueller Report and other records about Russian interference in the 2016 presidential election.

Communications Law and Policy: Cases and Materials, 6th Edition, by Jerry Kang and Alan Butler (Direct Injection Press 2018).

This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas—power, entry, pricing, access, classification, bad content, and intermediary liability—equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.
