
EPIC Alert 28.05


1. Gillibrand Introduces EPIC-Backed U.S. Data Protection Agency Bill

Senator Kirsten Gillibrand (D-NY) has introduced the Data Protection Act of 2021, a bill that would create an independent Data Protection Agency in the United States to safeguard the personal data of Americans. EPIC, along with many leading consumer and civil rights organizations, privacy experts, and scholars, supports Senator Gillibrand's bill.

"It's time for America to catch up with the rest of the world and create a Data Protection Agency," said Caitriona Fitzgerald, EPIC Deputy Director. "Congress' ongoing failure to modernize our privacy laws imposes enormous costs on individuals, communities, and American businesses alike. We need a new approach."

"Senator Gillibrand's Data Protection Act creates an agency dedicated to safeguarding the personal data of individuals and ensuring that data practices are fair and non-discriminatory," Fitzgerald said. "The Data Protection Act is the game-changing proposal we need in order to ensure adequate oversight over what has become a massive sector of our economy and affects the daily lives of all Americans. EPIC urges Congress to enact the Data Protection Act."

EPIC has long advocated for the creation of a U.S. Data Protection Agency, arguing that the Federal Trade Commission is an ineffective agency, lacking basic competence for privacy protection. [Bill text] [Sen. Gillibrand Press Release]

2. EPIC Releases Report on FTC's Unused Statutory Authorities

EPIC has released a report highlighting numerous statutory authorities that the Federal Trade Commission has failed to use to safeguard privacy. The report, What the FTC Could Be Doing (But Isn't) to Protect Privacy, identifies untapped or underused powers in the FTC's toolbox and explains how the FTC should deploy them to protect the public from abusive data practices.

"Until Congress acts to create a modern data protection agency in the United States, it is critical that the Commission deploy every available tool to safeguard privacy rights and stem the tide of exploitative data practices," the report argues. Among other measures, the report urges the Commission to enact industry-wide data privacy rules, penalize companies that knowingly violate FTC cease-and-desist orders, and order platforms to disclose key information about their business practices to the Commission.

EPIC's report also criticizes the FTC's lack of effective privacy enforcement over the past two decades. "Too often, the FTC has neglected to use the authority Congress has already given it," the report explains. "The Commission's repeated failure to take meaningful enforcement action and to block harmful mergers has allowed abusive data practices by Facebook, Google, and other industry giants to flourish."

"A common refrain from the Commission during this period is that it lacks the authority to address these mounting threats to individual privacy," the report continues. "But the FTC has not made full use of the authorities that it already has, so the Commission is not in a strong position to defer action until new authorities are granted."

EPIC has frequently challenged the FTC over its failure to address consumer privacy harms and has long advocated for the creation of a U.S. Data Protection Agency. EPIC also supports legislation that would restore the FTC's 13(b) authority to obtain restitution for individuals harmed by companies' unlawful trade practices, which the Supreme Court recently curtailed in AMG Capital Management v. Federal Trade Commission.

3. EPIC-Led Coalition Tells Biden Administration: No Data Flows Deal Until Congress Enacts Privacy Laws

An EPIC-led coalition of civil society groups sent a letter to President Biden this month urging the administration to ensure that any new transatlantic data transfer deal is coupled with the enactment of surveillance reforms and comprehensive data protection legislation.

"The United States' failure to ensure meaningful privacy protections for personal data is the reason that a growing number of countries are concerned about trans-border data flows," the groups wrote. "Until the United States addresses this problem, concerns about data transfers to the United States will remain, and data flow agreements are likely to be invalidated."

"It is long past time for the United States to update its privacy laws and regain its position as a leader on these issues, which have broad bipartisan support," the letter continues. "The ongoing failure to modernize our privacy law imposes enormous costs on individuals, communities, and American businesses alike. This is not simply a matter of trade policy. It is a matter of fundamental rights, civil rights, and safeguards against unchecked corporate power."

In 2015, the Court of Justice of the European Union invalidated the U.S.-EU Safe Harbor agreement. In July 2020, the successor agreement, Privacy Shield, was also invalidated by the same court. [PRESS RELEASE]

4. EPIC Urges Court Not to Weaken Enforcement of Illinois Biometric Privacy Law

EPIC has filed an amicus brief in Cothron v. White Castle, a case before the Seventh Circuit about when violations of Illinois's Biometric Information Privacy Act can be remedied by a court.

Cothron, the plaintiff, alleges that White Castle collected and disclosed her fingerprints for a decade in violation of BIPA. White Castle is seeking to have the case dismissed, claiming that an individual is only able to sue the first time a company violates their BIPA rights. Even if White Castle is continuing to violate BIPA to this day, the company argues that it shouldn't be held liable because the initial violation would have occurred outside the statute of limitations.

In its brief, EPIC argued that White Castle's proposed rule would effectively "overrule the Illinois Supreme Court on a question of state law" by attempting "to import arguments about Article III standing into the BIPA statutory injury analysis." As EPIC noted, the Illinois Supreme Court previously held in Rosenbach v. Six Flags that every violation of BIPA confers the right to sue.

EPIC also argued that White Castle is "mistaken about the underlying purpose of BIPA" and that White Castle's rule "would in fact undermine BIPA's purposes" because it "would remove the key incentive for companies who previously violated BIPA to come into compliance, adopt responsible biometric data practices, and seek informed consent."

5. Supreme Court Rules Officer's Improper Access to License Plate Record Does Not Violate Computer Crimes Law

Earlier this month, the Supreme Court ruled in Van Buren v. United States that a police officer who improperly accessed a license plate record could not be held liable under a federal computer crimes law, the Computer Fraud and Abuse Act. EPIC filed an amicus brief in the case highlighting the serious privacy concerns with government employees' improper access of sensitive personal information in government databases. Several justices echoed these concerns during oral argument.

The outcome of the case highlights the urgent need for comprehensive privacy legislation. The U.S. needs enforceable rules to prevent improper access to and misuse of personal information contained in both government and private databases.

The Court's ruling, however, did not resolve what it means for someone to have "authorization" to access a computer or to be "entitled" to access information in the computer. The Court endorsed a "gates-up-or-down approach"—meaning an individual either has authorization to access the computer or specific information within the computer, or does not—but explicitly left open the question whether prohibitions on access must be technical or whether they can be contract-based.

As a result of the Court's ruling, the range of activities criminalized by the CFAA may be broader than even the government advocated in the case. Website terms of service that prohibit specific individuals or groups from accessing the website may still be enforceable through the CFAA even if the individuals have no knowledge of the restrictions and the website owners do nothing else to limit access. An 18-year-old who accesses a website restricted to those over the age of 21 may violate the CFAA, but a police officer who knowingly accesses personal information to stalk and harass the individual does not.

The Court also did not answer more complicated questions about the practice of web scraping, which is often prohibited by a website's terms of service and also blocked using technical barriers. EPIC filed an amicus brief urging the Supreme Court to grant review of a major CFAA case concerning web scraping, LinkedIn v. hiQ Labs, but the Court sent the case back to a lower court following its decision in Van Buren.

News in Brief

Lina Khan Named Chair of Federal Trade Commission

Lina Khan was confirmed to the Federal Trade Commission and named chair of the Commission earlier this month. Khan received bipartisan support, with senators voting 69-28 in support of her confirmation. Khan is an expert on antitrust enforcement and served as counsel to House Antitrust Subcommittee Chairman David Cicilline during the Subcommittee's groundbreaking investigation last year. She has written extensively on the problems of concentrated power in the context of digital markets and said during her confirmation hearing that "I worry that some of these companies may think it's just worth the cost of business to actually violate privacy law." EPIC has long argued that the FTC is not doing its job to protect privacy and that the U.S. needs a Data Protection Agency. "Commissioner Khan has a tremendous opportunity as Chair to transform the FTC at a moment where anticompetitive and invasive business practices have proliferated," said Alan Butler, Executive Director of the Electronic Privacy Information Center (EPIC). "Large tech companies have increasingly infiltrated our lives to the most minute level, and it will take a keen and aggressive regulator to ensure that these powerful entities don't monopolize our markets and our data."

EPIC Asks D.C. Circuit to Review Decision Endorsing Secrecy of Drone Advisory Committee Working Groups

EPIC has petitioned the full D.C. Circuit Court of Appeals to reverse a recent decision by a three-judge panel allowing the FAA's Drone Advisory Committee to conduct much of its work in secret. EPIC filed suit in 2018 against the industry-dominated Committee, which consistently ignored the privacy risks posed by the deployment of drones—even after identifying privacy as a top public concern. As a result of EPIC's lawsuit, the Committee was forced to disclose hundreds of pages of records under the Federal Advisory Committee Act. But the lower court ruled that the Committee did not need to disclose records from its secretive subcommittees—a decision that a divided panel of the D.C. Circuit affirmed in April. Circuit Judge Robert L. Wilkins, writing in dissent, accused the majority of "doing violence to the text" of the FACA and argued that the decision "undermines FACA's purpose and greenlights an easily abusable system[.]" EPIC's petition highlights ways in which the panel's opinion conflicts with past D.C. Circuit decisions and warns that the ruling gives federal agencies "a legal roadmap to evade the public scrutiny that Congress intended FACA to provide." The case is EPIC v. Drone Advisory Committee, No. 19-5238 (D.C. Cir.).

EPIC, Coalition Call for Ban on Law Enforcement Use of Facial Recognition

In a recent statement of concerns, EPIC and a coalition of more than 40 privacy, civil liberties, immigrants' rights, and good government groups argued that "the most comprehensive approach to addressing the harms of face recognition would be to entirely cease its use by law enforcement." The statement lists six concerns with police deployment of the technology that can only be addressed by halting its use. The coalition called for a moratorium or ban on use of facial recognition and urged Congress to not preempt state or local bans in any federal legislation addressing facial recognition. EPIC recently organized a coalition letter that led to the shutdown of a DC-area facial recognition system previously used on Black Lives Matter protesters. EPIC leads a campaign to Ban Face Surveillance and through the Public Voice Coalition has gathered support from over 100 organizations and experts from more than 30 countries.

After Meeting with EPIC, DC Council Chairman Seeks More Information About DC-Area Facial Recognition System

In a recent DC Council hearing (video starts at 13:22), Chairman Phil Mendelson asked the Executive Director of the Metropolitan Washington Council of Governments for more information on a soon-to-be-shuttered DC-area facial recognition system. The Chairman's questions were prompted by a meeting with EPIC in which EPIC staff pushed for more disclosures on the MWCOG's role in the creation of a secret facial recognition system used to surveil Black Lives Matter protesters last year. EPIC recently joined over 40 other organizations to detail the issues with police using facial recognition and to call for a law enforcement ban on the technology's use.

EPIC Obtains New Details on DOJ Location Data Requests

As part of EPIC's ongoing lawsuit for cell phone surveillance orders issued by federal prosecutors, the Department of Justice has identified 182 orders and warrants for cell phone location data under § 2703(d) from the U.S. Attorney's Office for the District of Rhode Island from 2016-2019. During the same time period, the office handled 453 criminal cases. The District of Rhode Island is one of the smallest districts in the country. EPIC has previously obtained the number of location data requests for the District of Delaware and the Virgin Islands, two of the five districts that the DOJ has agreed to search for location data requests. EPIC is awaiting responses from two of the agency's other prosecutor's offices and will continue to update its comparative table as remaining districts release more information. Currently, prosecutors do not release any comprehensive or uniform data about their surveillance of cell phone location data. In 2018, the U.S. Supreme Court ruled in Carpenter v. United States that the collection of cell phone location data without a warrant is a violation of the Fourth Amendment. The case is EPIC v. DOJ, No. 18-1814 (D.D.C.).

EPIC Joins Call for Surveillance Reforms in Response to DOJ Surveillance of Congress and Reporters

In a coalition letter, EPIC and more than twenty civil society groups called for reforms to surveillance statutes authorizing collection of sensitive information and gag orders. The letter follows recent revelations that the Department of Justice spied on members of Congress and the press by collecting their communications and issued gag orders to hide that surveillance. The coalition also called for a thorough investigation by Congress and the DOJ. EPIC recently endorsed a bill to stop government use of facial recognition and other biometric surveillance tools.

EPIC, Coalition Call for Global Ban on Biometric Recognition Technologies

In an open letter, EPIC and a coalition of more than 175 civil society organizations, activists, technologists, and other experts called "for an outright ban on uses of facial recognition and remote biometric recognition technologies that enable mass surveillance and discriminatory targeted surveillance." The letter urges lawmakers around the world to stop public investment in facial recognition, prohibit government and private use of facial recognition in public spaces, and mandate disclosure and reparations to individuals monitored or harmed by biometric mass surveillance systems. The letter explains that one-to-many facial recognition identification (in which a new image is compared to a gallery of known images) is inherently dangerous and often discriminatory. EPIC began pushing for a ban in 2019 with the launch of the Ban Face Surveillance campaign and recently joined over 40 other organizations to call for a ban on U.S. law enforcement's use of facial recognition technology.

4th Circuit Rules That Baltimore Warrantless Aerial Surveillance Program Violates Fourth Amendment

The en banc 4th Circuit ruled last week that Baltimore's warrantless aerial surveillance program violates the Fourth Amendment because it "enables police to deduce from the whole of individuals' movements[.]" The Aerial Investigation Research program was a public-private partnership that flew several surveillance planes above Baltimore, capturing detailed video of 32 square miles of the city per second. Using the AIR pilot program, Baltimore Police were able to track individual movements throughout the city for up to 12 hours a day. The pilot program was not renewed at the end of its 6-month term last year. EPIC joined an amicus brief in the case, arguing that under Carpenter v. United States the Baltimore Police Department's ability to track individuals with weeks of flight video constituted a search. EPIC previously filed an amicus brief in Carpenter v. United States and has long fought to limit drone surveillance and other forms of aerial spying.

House Committee Approves Antitrust Reform Bills

The House Judiciary Committee last week approved six bills aimed at disrupting the monopoly power of big tech. EPIC has long argued that market consolidation in online platforms threatens privacy. More than a decade ago, EPIC urged the FTC to block Google's proposed acquisition of DoubleClick. EPIC said that the acquisition would enable Google to collect the personal information of billions of users and track their browsing activities across the web. EPIC correctly warned that this acquisition would accelerate Google's dominance of the online advertising industry and diminish competition. The FTC ultimately allowed the merger to go forward. EPIC has since warned the FTC that other mergers posed similar risks to consumer privacy and competition, including Facebook's acquisition of WhatsApp.

European Data Protection Authorities Issue Joint Call for Ban on Facial Recognition Across the EU

In a joint opinion regarding the European Commission's Proposal for Regulation on artificial intelligence, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) called for a ban on the use of "AI for automated recognition of human features in publicly accessible spaces, and some other uses of AI that can lead to unfair discrimination." Europe's two main data protection authorities also criticized the European Commission for failing to include international law enforcement efforts in the proposed regulations. The joint opinion is the latest in an increasing chorus of calls to ban facial recognition. EPIC has joined a number of coalitions urging a ban on facial recognition including an international letter opposing the technology, a statement of concerns on police use of the technology, and EPIC's Ban Face Surveillance campaign. EPIC recently endorsed legislation that would ban federal law enforcement use of facial recognition and pressure state law enforcement to do the same.

Data Flow Deal Talks Fail Due to Lack of U.S. Action on Privacy

The agreement on transatlantic cooperation recently reached by U.S. and EU leaders did not include the political agreement the White House was hoping for on transatlantic data deals. Earlier this month, EPIC and 23 other leading civil society groups sent a letter to President Biden urging his Administration to ensure that any new transatlantic data transfer deal is coupled with the enactment of surveillance reforms and comprehensive data protection legislation. "The United States' failure to ensure meaningful privacy protections for personal data is the reason that a growing number of countries are concerned about trans-border data flows," the groups wrote. "Until the United States addresses this problem, concerns about data transfers to the United States will remain, and data flow agreements are likely to be invalidated." In 2015, the Court of Justice of the European Union invalidated the U.S.-EU Safe Harbor agreement. And in July 2020, the successor agreement, Privacy Shield, was also invalidated by the same court.

Supreme Court Sends Web Scraping Case Back to Lower Court

The U.S. Supreme Court has vacated the Ninth Circuit's decision in LinkedIn v. hiQ Labs but will not decide the merits of the case, instead sending the case back to the Ninth Circuit for a new decision in light of Van Buren v. United States. EPIC had filed an amicus brief in support of the petition for certiorari. The LinkedIn v. hiQ petition asked whether hiQ lacked authorization to access LinkedIn's servers under the Computer Fraud and Abuse Act after LinkedIn used a combination of technical and verbal methods to cut off hiQ's access to the website to stop the company from scraping user data. The company sued LinkedIn to regain access to the website, arguing that its business model depended on access to LinkedIn user data. A district court granted hiQ's request for an injunction, which LinkedIn appealed. EPIC filed an amicus brief in the Ninth Circuit arguing that the injunction was "contrary to the interests of individual LinkedIn users" and contrary to the public interest "because it undermines the principles of modern privacy and data protection law." The Ninth Circuit upheld the injunction, finding that hiQ's economic interests outweighed the interests in protecting users' personal information. In its amicus brief in support of LinkedIn's petition for cert, EPIC explained that the Ninth Circuit's decision "makes it impossible" for companies to protect personal data and sets "a dangerous precedent that could threaten the privacy of user data." The EPIC amicus brief highlighted the business practices of Clearview AI, a company that scraped billions of photographs to create a secretive facial recognition system. The case will most likely be sent back to the district court for a new decision that accords with Van Buren v. United States.

Canadian Privacy Commissioner Finds RCMP Use of Clearview AI Facial Recognition Violated Canada's Privacy Act

In a recent report to Parliament, the Canadian Privacy Commissioner concluded that the Royal Canadian Mounted Police (RCMP) violated the Canadian Privacy Act by using Clearview AI's facial recognition tool. The report follows a February 2021 investigation finding that Clearview AI violated Canadian law by scraping images off social media sites to create a facial recognition database so that "billions of people essentially found themselves in a '24/7' police line-up." Recently, EPIC and a coalition of more than 175 civil society organizations and prominent individuals called for "an outright ban on uses of facial recognition and remote biometric recognition technologies that enable mass surveillance and discriminatory targeted surveillance."

Federal Court Upholds Settlement Requiring Equifax to Pay for Data Breach Affecting Millions

The Eleventh Circuit recently ruled that the $425 million class action settlement arising from the 2017 Equifax data breach, which compromised the personal data of nearly half of all Americans, should move forward. The district court previously approved the settlement in 2020, but it has been stayed pending the appeal. The settlement was supported by various government agencies including the CFPB, the FTC, and 48 state attorneys general, but several class members raised objections about the adequacy of the relief. The Eleventh Circuit rejected those objections, and now the settlement will move forward in the lower court. Meanwhile, a related $575 million settlement entered into by Equifax and the FTC, CFPB, and state attorneys general in 2019 will allow people affected by the breach to file a claim for expenses incurred between January 2020 and January 2024 as a result of identity theft or fraud related to the breach; people can also be compensated for up to 20 hours of time spent on recovering from the breach. Equifax was also required to pay $125 for each person who claimed they were wronged by the breach, but the company has so far failed to do so. This was one of the largest data breaches in history and underscores the pressing need to improve data security in the United States.

Washington Post Calls for Federal Moratorium on Facial Recognition

The Washington Post Editorial Board recently called on Congress to impose a nationwide moratorium on facial recognition technology until it can pass legislation requiring technical and legal safeguards for the use of the technology. The Post cited the recent shutdown of a DC-area facial recognition system after an EPIC-led coalition organized against the system. In 2019, EPIC launched the Ban Face Surveillance campaign and through the Public Voice coalition gathered the support of over 100 organizations and many leading experts across 30 plus countries. An EPIC-led coalition urged the Privacy and Civil Liberties Oversight Board to recommend the suspension of face surveillance systems across the federal government. EPIC has joined with other organizations to oppose school administrators' use of facial recognition, urge President Biden to halt the federal use of facial recognition, and press Congress to stop the use and investment in facial recognition. Most recently, EPIC joined over 40 other organizations to detail the issues with police using facial recognition and call for a law enforcement ban on the technology's use.

King County, WA Bans Local Government Use of Facial Recognition

An ordinance passed in King County, Washington bans "any person or entity acting on behalf of a King County administrative office or executive department" from using facial recognition technology or information derived from it. The ban includes the King County Sheriff's Department. Seattle's King County is the first county in the nation to ban government use of facial recognition technology. EPIC recently sought records about the use of Clearview AI facial recognition and other surveillance software by the U.S. Postal Service's Internet Covert Operations Program. EPIC leads a campaign to Ban Face Surveillance and through the Public Voice Coalition has gathered support from over 100 organizations and experts from more than 30 countries.

Facebook Backs Down from Forced WhatsApp Privacy Changes

Under pressure from a worldwide coalition of privacy organizations, WhatsApp recently backed down from its threat to punish users who would not accept the company's new terms of service with weaker privacy protections. Burcu Kilic, digital rights program director for Public Citizen, released the following statement in response: "Thank you for stopping what you never should have started. Now please also undo what you coerced millions of people into accepting." In 2014, EPIC and the Center for Digital Democracy warned the FTC that Facebook routinely incorporates user data from companies it acquires and that WhatsApp users objected to the acquisition. The FTC approved the merger but told EPIC and CDD that "if the acquisition is completed and WhatsApp fails to honor these promises, both companies could be in violation of Section 5 of the FTC Act and potentially the FTC's order against Facebook."


EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology, and public policy, are available at the EPIC Bookstore.

Recent EPIC Publications

Communications Law and Policy: Cases and Materials, 7th Edition, by Jerry Kang and Alan Butler (Direct Injection Press 2020)

This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas—power, entry, pricing, access, classification, (indecent) content, privacy, and intermediary liability—equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field. This book includes concise technological and legal summaries and carefully edited opinions and FCC reports. It also includes "just-in-time" delivery of the text of statutes and regulations so that students get accustomed to parsing statutory material as they analyze legal questions.

The AI Policy Sourcebook 2020, edited by Marc Rotenberg (EPIC 2020).

The AI Policy Sourcebook includes global AI frameworks such as the OECD AI Principles and the Universal Guidelines for AI. The Sourcebook also includes AI materials from the European Union and the Council of Europe, national AI initiatives, as well as recommendations from professional societies, including the ACM and the IEEE. The Sourcebook also includes an extensive resources section on AI, including reports, articles, and books from around the world.

The Privacy Law Sourcebook 2020, edited by Marc Rotenberg (EPIC 2020).

The Privacy Law Sourcebook is the leading resource for students, attorneys, and policymakers interested in privacy law in the United States and around the world. The Sourcebook includes major U.S. privacy laws. The Sourcebook also includes key international privacy frameworks such as the EU General Data Protection Regulation and the modernized Council of Europe Convention on Privacy. The Privacy Law Sourcebook 2020 includes the new California Consumer Privacy Act, the Illinois Biometric Information Privacy Act, the Public Voice Declaration for a Moratorium on Facial Recognition, and updates on GDPR implementation. The Sourcebook also includes an extensive resources section with information on privacy agencies, organizations, and publications.

EPIC v. Department of Justice: The Mueller Report, edited by Marc Rotenberg (EPIC 2019).

EPIC v. Department of Justice: The Mueller Report chronicles the efforts to obtain a full account of Russian interference in the 2016 presidential election. EPIC filed the first lawsuit in the country for the release of the full and unredacted Mueller Report and obtained a newly redacted version in early May 2019. EPIC is now challenging the redactions made by the Department of Justice in federal court. This volume is an essential guide to the legal arguments about the redactions, the dispute between the Attorney General and the Special Counsel, and EPIC's request for the Mueller Report and other records about Russian interference in the 2016 presidential election.

Upcoming Conferences and Events

EPIC Champions of Freedom Awards. Nov. 3, 2021. National Press Club, Washington, D.C.
