epic.org

The Irish Data Protection Commission (DPC) fined Facebook’s WhatsApp €225 million ($266 million) for privacy violations following a GDPR investigation that began in 2018. In the decision, the data privacy regulator explained that WhatsApp breached the GDPR’s rules about data transparency, including when it processed user information between WhatsApp and other Facebook companies. While the €225 million fine is a record for the DPC and the second largest fine ever issued under the GDPR, privacy advocate and EPIC Advisor Max Schrems noted “[t]he DPC also proposed an initial € 50 million fine and was forced by the other European data protection authorities to move towards € 225 million, which is still only 0.08% of the turnover of the Facebook Group. The GDPR foresees fines of up to 4% of the turnover.” EPIC has long urged the Federal Trade Commission to block or unwind Facebook's acquisitions of Instagram and WhatsApp. In 2014, EPIC and the Center for Digital Democracy warned the FTC that Facebook incorporates user data from companies it acquires, and that WhatsApp users objected to the acquisition. Despite these problems, the FTC allowed the merger to go forward.

EPIC has submitted comments to the Biometrics and Surveillance Commissioner of the United Kingdom on proposed updates to the Surveillance Camera Code of Practice. The proposed updates focus on aligning the Code with developments in surveillance law and recent court decisions. EPIC recommended ways to more directly address risks to privacy and international human rights, including banning facial recognition technology, emotion recognition, and biometric categorization systems; setting clear assessment and consultation requirements for databases used for matching; and strengthening protections against improper use of facial and biometric recognition systems. EPIC has long fought to protect the public against surveillance, including by campaigning to ban facial recognition technology and filing suit against agencies misusing surveillance technology. EPIC recently brought suit against the Postal Service over its unlawful use of facial recognition and social media monitoring tools.

The Sixth Circuit has rejected a robocall defendant's bid to use the Supreme Court's decision last year in Barr v. American Association of Political Consultants to create immunity for illegal robocalls made between 2015 and 2020. In Barr, the Supreme Court found that an exception added in 2015 to the decades-old robocall restriction was unconstitutional and must be severed from the law. The defendant in the case before the Sixth Circuit, Lindenbaum v. Realgy, LLC, argued that the decision in Barr made the broad robocall ban unenforceable for the period between the unconstitutional exception's enactment and the Supreme Court's decision to sever, from 2015-2020. The district court agreed and threw the lawsuit out. The Sixth Circuit's decision reverses the district court and allows the robocall suit to continue. EPIC and the National Consumer Law Center filed an amicus brief in the case arguing that granting robocallers immunity “would reward those who made tens of billions of unwanted robocalls and deprive consumers of any remedy for the incessant invasion of their privacy.” EPIC regularly files amicus briefs supporting consumers in illegal robocall cases.

The U.S. Supreme Court announced Wednesday that it will continue streaming live audio of its oral arguments at least through December of this year. The justices will also resume holding arguments in person, though the Court building will remain closed to the public. The Court's announcement came the same day that EPIC and a coalition of over 75 civil society, transparency, media, and disability rights organizations wrote to the Court urging it to make live audio access to oral arguments permanent. The letter emphasized that "[f]air and equal justice can't be delivered without accountability and transparency. Ensuring that live audio of oral arguments remains accessible to the public . . . would promote transparency and increase public confidence in the nation's highest court." At the start of the COVID-19 pandemic, the Court began streaming live audio feed oral arguments for the first time in its history. More than 130,000 people streamed arguments live during the Court's May 2020 sitting, and oral arguments since the beginning of the pandemic have been streamed nearly three million times. During its last term, the Court held oral arguments by teleconference in four cases in which EPIC filed an amicus brief, including U.S. Fish & Wildlife Service v. Sierra Club, Van Buren v. United States, Facebook v. Duguid, and TransUnion v. Ramirez.

President Biden has nominated Alvaro Bedoya, founding director of the Georgetown Center on Privacy & Technology, to serve as member of the Federal Trade Commission. Bedoya will succeed Commissioner Rohit Chopra when confirmed by the Senate. As a legal scholar and advocate, Bedoya has exposed the harms and biases of facial recognition technology and argued for legislation that would prevent predatory and discriminatory targeting of online ads. Bedoya is the author of Privacy as a Civil Right, in which he details how "the burdens of government surveillance have fallen overwhelmingly on the shoulders of immigrants, heretics, people of color, the poor, and anyone else considered 'other'" and argues that privacy must be understood as a "shield that allows the unpopular and persecuted to survive and thrive." Bedoya previously served as Chief Counsel of the U.S. Senate Judiciary Subcommittee on Privacy, Technology and the Law. "Alvaro brings more than a decade of experience in privacy and surveillance issues, including a special focus on the impact that invasive technologies have on communities of color, to an FTC that needs to quickly and dramatically ramp up its responses to these emerging threats," said Alan Butler, EPIC's Executive Director. "There is no doubt that his expertise on these issues will put the Commission in a much better position to investigate data abuses and to craft new rules to bring these invasive business practices under control."

The House Energy and Commerce Committee today approved a $1 billion appropriation for the Federal Trade Commission to create and operate a new bureau focused on privacy, data security, identity theft, data abuses, and related matters. EPIC strongly supports the appropriation, but urges Congress to follow up this budget measure with comprehensive privacy legislation and create an independent data protection agency. "This increased funding for enforcement is a step in the right direction, but the increasing pervasiveness of technology in our lives and our economy necessitates an update to our privacy laws and a dedicated agency," said Caitriona Fitzgerald, EPIC's Deputy Director. "While the FTC helps to safeguard consumers and promote competition, it is not a data protection agency. Congress must follow up this budget measure with comprehensive baseline privacy legislation and the creation of an independent data protection agency. And the FTC should use these funds to promptly initiate a privacy rulemaking and go after unfair data practices and biased AI systems." EPIC has long advocated for the creation of a U.S. Data Protection Agency.

Today, Senators Richard Blumenthal and Marsha Blackburn announced an investigation into Facebook’s knowledge and coverup of the harmful effects of Facebook’s Instagram on children and teenagers. The announcement follows a Wall Street Journal investigation which revealed that Facebook’s researchers found that Instagram is harmful to a “sizeable percentage” of its young users, most notably teenage girls. Internally, Facebook knew that Instagram’s effects on young people included increased anxiety and depression, body image issues, and thoughts of suicide. Publicly, CEO Mark Zuckerberg testified before Congress that Facebook’s research suggested that the use of its social media apps had positive mental health benefits to users. The Wall Street Journal uncovered several documents that “show that Facebook has made minimal efforts to address these issues and plays them down in public.” In response to Senators Blumenthal and Blackburn’s August 2020 request for Facebook to release its internal research on the matter, Facebook sent a six-page letter that did not include the company’s studies. EPIC has fought for transparency and accountability for Facebook's privacy abuses for over a decade, from filing the original FTC Complaint in 2009 that led to the FTC's 2012 Consent Order with the company, to moving to intervene in and filing an amicus brief challenging the FTC's 2019 settlement with Facebook.

EPIC and a coalition of privacy and consumer rights group today sent a letter to Senators Ron Wyden and Mike Crapo of the Senate Finance Committee regarding a proposal under consideration in the budget reconciliation bill to expand the mandatory reporting regime for private financial information in the United States. The proposal would require peer-to-peer payment apps and other similar services such as Square Cash and Venmo to collect Taxpayer Identification Numbers (“TINs”) for virtually all payee accounts in order to comply with new reporting obligations. Because most individuals do not hold a separate TIN from their Social Security Number, unlike businesses, this means that these private entities will be collecting SSNs of millions of Americans. The groups urged the Senators to reject the Treasury Department’s proposal and instead explore ways to improve tax compliance that do not put Americans’ SSNs at risk. "At minimum, the expanded reporting requirement should be scaled back to apply only to business accounts or individual accounts with a high de minimis threshold, adjusted for inflation over time," the groups said. "Peer to Peer payment apps and other similar services that currently do not collect TINs should not be required to do so under the new reporting requirements."

In a report published today, the United Nations High Commissioner for Human Rights called on governments to “ban AI applications that cannot be operated in compliance with international human rights law and impose moratoriums on the sale and use of AI systems that carry a high risk for the enjoyment of human rights, unless and until adequate safeguards to protect human rights are in place.” The report also stresses the need for comprehensive data protection legislation in addition to a regulatory approach to AI that prioritizes protection of human rights. UN High Commissioner for Human Rights Michelle Bachelet explained: "The risk of discrimination linked to AI-driven decisions - decisions that can change, define or damage human lives - is all too real. This is why there needs to be systematic assessment and monitoring of the effects of AI systems to identify and mitigate human rights risks.” EPIC has long advocated for comprehensive data protection legislation, moratoriums on particularly dangerous tools and commonsense AI regulation to protect the public.

In a letter to the Secretary of Homeland Security, EPIC and a Coalition of privacy, civil rights, and civil liberties organizations demanded the Department of Homeland Security (DHS) end some of the agency’s more pervasive surveillance programs. The coalition called for DHS to end its practice of purchasing sensitive data (e.g. cellphone location and utility information) from third-party vendors and cease the collection of social media identifiers. The coalition also urged DHS to implement a moratorium on the use of face recognition for immigration enforcement. In previous comments to DHS, EPIC opposed DHS collecting social media identifiers and called for DHS to suspend the use of facial recognition.

The New Jersey Supreme Court today decided that dog owners in the state do not have a colorable claim to privacy in their names and addresses—but there may be a privacy interest in the names and breeds of their dogs. The case, Bozzi v. City of Jersey City, asked whether the privacy exemption to the state’s freedom of information law required government agencies to withhold the names and addresses of dog license holders when the only justification for disclosure was commercial interest in selling dog paraphernalia. EPIC filed an amicus brief and presented oral argument in the case, arguing that the privacy interests in names and addresses in government documents is well established under federal law and the state should follow the federal example. The court’s majority found no colorable claim to privacy for dog owners because “owning a dog is, inherently, a public endeavor”—owners take their dogs on “daily walks, grooming sessions, veterinarian visits,” “celebrate their animals on social media or bumper stickers” and “enter their dogs into public shows.” But, as the two dissenting justices retorted, “dog owners appearing in public with their dogs do not do so while simultaneously advertising their full names and addresses.” Further undermining the majority’s reasoning was the court’s recognition that other information in the dog license record—such as the name and breed of the dog, which is exposed to the public to the same degree as dog ownership, and moreso than the names and addresses of owners—may need to be redacted because of the privacy interests at stake. EPIC routinely participates as amicus in cases involving involuntary disclosure of personal information to third parties.

Nine Democratic Senators led by Senator Richard Blumenthal have called on the Federal Trade Commission to conduct a rulemaking process to "protect consumer privacy, promote civil rights, and set clear safeguards on the collection and use of personal data in the digital economy." "Americans’ identities have become the currency in an unregulated, hidden economy of data brokers that buy and sell sensitive information about their families, religious beliefs, healthcare needs, and every movement to shadowy interests, often without their awareness and consent," the Senators said. Senators Schatz, Wyden, Warren, Coons, Luján, Klobuchar, Booker, and Markey joined Senator Blumenthal on the letter. EPIC has long urged the FTC to impose clear privacy obligations on companies that collect and use personal data, including by exercising the Commission's underused rulemaking power. In 2020, EPIC filed a petition with the FTC calling on the Commission to conduct a rulemaking on the use of artificial intelligence in commercial settings. "By defining unfair and deceptive practices ex ante, and with specificity, a trade regulation rule would make it easier for the FTC to take action against parties that harm consumers," EPIC explained.

The Ninth Circuit announced today police violated a defendant’s Fourth Amendment rights when they warrantlessly searched files that Google automatically reported using a proprietary algorithm designed to detect child sexual abuse material (“CSAM”). Prosecutors in the case, United States v. Wilson, had argued that the police officer’s search of the defendant’s files did not violate the Fourth Amendment because Google, a private party, had conducted the initial search. The district court agreed, finding that there was a “virtual certainty” that the files Google sent to police were identical to files previously identified by a Google employee as CSAM. But no Google employee reviewed the defendant's files before sending them to police—instead, Google automatically forwarded the files to law enforcement after a proprietary algorithm matched the files to previously-identified CSAM images. EPIC filed an amicus brief in the Ninth Circuit appeal to explain that prosecutors had failed to show that the proprietary Google algorithm reliably matched images. EPIC also urged the court to narrowly apply the private search exception. The Ninth Circuit found that the police search “allowed the government to learn new, critical information” and “expanded the scope of the antecedent private search because the government agent viewed Wilson’s email attachments even though no Google employee—or other person—had done so.” The Ninth Circuit also echoed EPIC’s amicus brief: “on the limited evidentiary record, the government has not established that what a Google employee previously viewed were exact duplicates of Wilson’s images.” The decision in this case diverges from previous federal appeals and state court decisions on the issue and may lead the Supreme Court to review the important privacy implications of mass automatic file scanning programs.

Facebook announced today that it is pausing its work on a kids’ version of Instagram after facing widespread criticism. In March 2021, reports leaked that Facebook was planning to build a version of Instagram for kids under the age of 13. Regarding today’s announcement, Fairplay’s Executive Director stated, “Today is a watershed moment for the growing tech accountability movement and a great day for anyone who believes that children’s wellbeing should come before Big Tech’s profits.” The earlier reports faced swift backlash as consumer protection advocacy groups and politicians asked Facebook to halt its plan. This announcement came after senators announced an investigation into Facebook’s negative effects on teenagers and a series of investigations by the Wall Street Journal which revealed that Facebook is aware of its harmful effects on users. EPIC signed onto a letter by Campaign for a Commercial-Free Childhood, now known as Fairplay, urging Facebook to cancel its plan for Instagram Kids. EPIC has fought for transparency and accountability for Facebook's privacy abuses for over a decade, from filing the original FTC Complaint in 2009 that led to the FTC's 2012 Consent Order with the company, to moving to intervene in and filing an amicus brief challenging the FTC's 2019 settlement with Facebook.