EPIC Alert 27.11
EPIC Alert 27.11 - July 31, 2020
- Top Court in Europe Invalidates EU-U.S. Privacy Shield, Citing Lack of Privacy Safeguards and Overbroad U.S. Surveillance Laws
- White House Tells EPIC to Delete COVID-19 Records, EPIC Declines
- EPIC Amicus: To Protect Privacy, California Must Preserve All-Party Consent for Call Recording
- EPIC to Congress: Create a U.S. Data Protection Agency
- AI Commission Holds First Public Meeting Following Decision in EPIC Case
- News in Brief
- EPIC in the News
- EPIC Bookstore
1. Top Court in Europe Invalidates EU-U.S. Privacy Shield, Citing Lack of Privacy Safeguards and Overbroad U.S. Surveillance Laws
The European Court of Justice issued a landmark decision this month in Irish Data Protection Commissioner v. Facebook & Schrems, a case concerning transfers of personal data by Facebook between the EU and the United States. The ruling, which calls into question the adequacy of privacy protection in the United States, has major implications for U.S. lawmakers and corporations.
The court considered the validity of transfers made from companies in the EU to companies in the U.S. under the EU-U.S. Privacy Shield agreement or pursuant to "standard contractual clauses." Although both methods had previously been authorized by the European Commission, the court held that the Privacy Shield was invalid and that transfers could not be made under standard clauses where personal data is not adequately protected.
Because U.S. surveillance law authorizes the mass processing of personal data transferred from abroad (under Section 702 of the FISA), Privacy Shield "cannot ensure a level of protection essentially equivalent to that guaranteed by" the EU's Charter of Fundamental Rights, the court wrote. "In the light of all of the foregoing considerations, it is to be concluded that the Privacy Shield Decision is invalid."
EPIC participated as an amicus curiae in the case and argued that U.S. surveillance law does not provide an equivalent level of protection because it does not provide adequate protections or remedies for non-U.S. persons abroad. EPIC was represented in this case by the Free Legal Advice Centres (FLAC) and by barristers Grainne Gilmore and Colm O'Dwyer, SC. EPIC's full press release is available here.
2. White House Tells EPIC to Delete COVID-19 Records, EPIC Declines
In an unusual development, the White House recently "ordered" EPIC to delete a set of records that EPIC had obtained from the Office of Science & Technology Policy—a request which EPIC declined.
Last week, EPIC published hundreds of records about the White House's response to the COVID-19 pandemic and proposals to use location data for public health surveillance (1, 2, 3, 4). The documents were produced in response to an EPIC Freedom of Information Act request.
The records showed that a tech sector task force closely aligned with the White House sought to aggregate "non-clinical location data" for "disease surveillance," including cell phone location data, Uber trip data, and Google search data. OSTP described the location tracking proposals as "certainly interesting" and sought to "establish a portal/clearinghouse" for such submissions—but also told the tech sector task force that it was "not engaged in any activities relating to location data."
Hours after EPIC posted the records, a White House attorney sent EPIC a letter "order[ing]" EPIC "to immediately cease using and disclosing" one set of records and to "destroy all electronics copies." The letter stated that OSTP had "inadvertently and erroneously" provided EPIC with an unredacted copy of the records.
Although EPIC voluntarily decided to redact personal contact information contained in the documents, EPIC informed the OSTP that it would still make the records available to the public. Under the Freedom of Information Act, a federal agency is not entitled to "claw back" a record that it discloses to a requester.
EPIC has filed numerous FOIA requests concerning the federal government's COVID-19 response and has compiled a resource page about privacy and the pandemic.
3. EPIC Amicus: To Protect Privacy, California Must Preserve All-Party Consent for Call Recording
EPIC, the Consumer Federation of California, and Consumer Action have filed an amicus brief urging the California Supreme Court to preserve its long-standing rule requiring all parties to consent to the recording of a call.
Consumers in the case, Smith v. LoanMe, sued the online lender for surreptitiously recording customer calls in violation of the California Invasion of Privacy Act. A lower court dismissed the case because it interpreted the law as only applying to third-party eavesdroppers, not parties to the call. The California Supreme Court is now reviewing the decision.
The amicus brief from EPIC and others argues that "recording a call poses unique threats to privacy because a permanent record of the private communication can be made surreptitiously without the consent, or even knowledge, of the caller." The brief also explains that "the need to preserve California's all-party consent law is more urgent now than ever before" because COVID-19 has forced millions of Californians "to conduct their personal and business lives remotely, relying on voice and video calls to complete their work, to pursue their education, to preserve their relationships, and to maintain basic human connections."
"The increased use of call technology exacerbates the risk that private communications—concerning issues of political involvement, health and other private matters, or sensitive financial data—could be recorded and disclosed against an individual's will," the brief continues. "That is precisely what the California Invasion of Privacy Act was enacted to prevent, and this Court should preserve those protections."
EPIC routinely files amicus briefs in cases implicating consumer privacy.
4. EPIC to Congress: Create a U.S. Data Protection Agency
In advance of this week's Congressional hearing on "Online Platforms and Market Power"—at which the CEOs of Amazon, Apple, Facebook, and Google testified—EPIC told the House Judiciary Subcommittee on Antitrust that the U.S. needs a Data Protection Agency. EPIC told lawmakers that merger review must consider data protection.
"The United States stands virtually alone in its unwillingness to address privacy as an increasingly important dimension of competition in the digital marketplace," EPIC wrote. "If the largest Internet firms continue to buy up new market entrants and assimilate their users' data into the existing platforms then there will be no meaningful opportunity for firms to compete with better privacy and data security practices."
EPIC pointed to the Facebook-WhatsApp deal and the failure of the FTC to protect the personal data of WhatsApp users after the merger. EPIC noted that if the FTC approves Google's acquisition of Fitbit, it will be the 230th firm that Google or Alphabet has acquired "with little action from U.S. antitrust regulators."
EPIC also urged the Subcommittee to hold a hearing on H.R. 4978, the Online Privacy Act. EPIC's recent report, Grading on a Curve: Privacy Legislation in the 116th Congress, sets out the key elements of a modern privacy law, including federal baseline legislation and the creation of a Data Protection Agency.
5. AI Commission Holds First Public Meeting Following Decision in EPIC Case
The National Security Commission on Artificial Intelligence held its first-ever public meeting last week to discuss the Commission's recommendations on the use of AI in national security and defense contexts. A recording is available here, and materials from the meeting can be found here.
The Commission's latest recommendations include "[c]reating a framework for the ethical and responsible development and fielding of AI." However, the Commission failed to urge Congress to establish baseline rules for the use of AI by federal agencies, calling instead for non-binding "norms and best practices."
Public access to the Commission's meeting is the result of a recent court ruling in EPIC v. AI Commission that the Commission is subject to the transparency requirements of the Federal Advisory Committee Act. The Commission previously operated largely in secret, including dozens of closed-door meetings and briefings from tech firms and defense contractors. But in June, Judge Trevor N. McFadden ordered the Commission to hold open meetings and regularly publish its records in the future.
Judge McFadden previously ruled that the AI Commission is subject to the Freedom of Information Act, and the Commission has disclosed thousands of pages of records to EPIC since January. The case is EPIC v. AI Commission, No. 19-2906 (D.D.C.).
EPIC Releases Report on Pretrial Risk Assessments
EPIC has released a report on Pretrial Risk Assessments. The report, Liberty at Risk: Pre-trial Risk Assessment Tools in the U.S., provides an overview of Risk Assessment Tools that practitioners and scholars can use to understand the nature of these systems, understand the broader context in which they are used, and help focus their evaluations of the fairness of these systems. EPIC hosted a panel on the topic on July 8, available to watch here. EPIC advocates for Algorithmic Transparency and maintains a resource on Algorithms in the Criminal Justice System.
NIST Study Finds Masks Undermine Face Recognition Accuracy
A recent study conducted by the National Institute of Standards and Technology showed that face masks undermine the accuracy of facial recognition algorithms. The NIST study tested digitally applied masks of various shapes on 89 commercial algorithms. The result were error rates between 5% and 50%. The algorithms tested were all created pre-Covid-19. NIST plans to test facial algorithms developed with face masks in mind later this summer. A previous NIST study released at the end of last year found that false positives are up to 100 times more likely for Asian and African American faces compared to White faces. EPIC has previously launched a Ban Face Surveillance campaign and called for a facial recognition moratorium across the globe, as well as suspension across the federal government and in U.S. schools.
EPIC to Congress: Reform Section 230
In a statement to the Senate Commerce Committee, EPIC supported reforms to Section 230 of the Communications Decency Act. The Committee is considering the bipartisan Platform Accountability and Consumer Trasparency (PACT) Act, which requires online platforms to give notice of their content moderation policies and to make a complaint system available, and sets deadlines by which platforms must process complaints. EPIC urged the Committee to expand the Act's provisions on injunctive relief, which currently only requires platforms to take down content if ordered by a court to do so in limited types of cases. "When a court finds that content has been posted illegally or in violation of an individual's rights, there should be a legal mechanism to order online platforms to remove that content," EPIC said. "The bill should be amended to make clear that platforms must comply with court orders to remove content deemed unlawful regardless of the type of legal claim involved." In an amicus brief in Herrick v. Grindr, EPIC objected to a court decision that found "online platforms bear no responsibility for the harassment and abuse their systems enable."
DOJ Says It Will Release More of Mueller Report in EPIC Case
The Department of Justice, as part of the open government case EPIC v. DOJ, has announced in a court filing that it will disclose additional material from the Mueller Report. The DOJ said it had "determined that certain information in the Report now could be released without harming government interests or pending matters." However, the DOJ asserted that it would not publish the additional material until "after the Court has issued its ruling on the redactions" to the Report. Judge Reggie B. Walton is currently conducting an "in camera" review of the complete Mueller Report to determine which passages must still be released. The court recently posed a series of questions to the DOJ about its redactions to the Report, and the DOJ responded to the court last week. Both filings are sealed from the public, but a heavily redacted version of the DOJ's response shows that Judge Walton questioned every legal basis asserted by the DOJ to withhold material in the Report. EPIC's case previously forced the DOJ to disclose additional material from the Mueller Report concerning Roger Stone. The case is EPIC v. DOJ , No. 19-810.
EPIC Files Application to the International Criminal Court on Location Data Privacy
EPIC has filed a request to submit an amicus brief in the International Criminal Court concerning the recognition of an international right to privacy in cell site location information ("CSLI"). Investigators in the case, The Prosecutor v. Yekatom & Ngaïssona, obtained two years of defendant Yekatom's cell location data from a telecommunications company in the Central African Republic without prior judicial authorization. EPIC wrote that "there is increased recognition in the international community that cell phone metadata, and CSLI in particular, can reveal sensitive personal information by allowing investigators to track an individual's movements over time and infer their habits, social associations, and even political and religious beliefs." Should the ICC grant EPIC's application, EPIC will file a full amicus briefs arguing that the international right to privacy includes privacy in cell location data. EPIC filed an amicus brief in Carpenter v. United States, in which the U.S. Supreme Court determined that law enforcement could not obtain historical cell location data without a warrant. EPIC has also participated as amicus curiae in cases involving the right to privacy under international law, including most recently Irish Data Protection Commissioner v. Facebook & Schrems, in which the top European court invalidated the EU-US Privacy Shield.
Federal Appeals Court Sounds Alarm Over Predictive Policing
Judges on a federal appeals court took aim yesterday at predictive policing, the practice of using algorithmic analysis to predict crime and direct law enforcement resources. The Fourth Circuit ruled that Richmond police violated the Fourth Amendment when they stopped and searched the defendant, Billy Curry, simply because he was walking near the scene of a shooting. In a dissent, Judge J. Harvie Wilkinson called the court's decision a "gut-punch to predictive policing." But others on the court responded to highlight the dangers and failings of the practice. Chief Judge Roger Gregory questioned whether predictive policing is "a high-tech version of racial profiling." Judge James A. Wynn highlighted the "devastating effects of over-policing on minority communities" and explained that predictive policing "results in the citizens of those communities being accorded fewer constitutional protections than citizens of other communities." Judge Stephanie D. Thacker warned that "any computer program or algorithm is only as good as the data that goes into it" and that predictive policing "has been shown to be, at best, of questionable, effectiveness, and at worst, deeply flawed and infused with racial bias." EPIC has long highlighted the risks of algorithms in the criminal justice system and recently obtained a 2014 Justice Department report detailing the dangers of predictive policing.
D.C. Circuit Reverses District Court Ruling on Unsealing Electronic Surveillance Records
Earlier this month, the D.C. Circuit reversed a lower court decision and ruled that electronic surveillance records in closed federal investigations are subject to public access. Investigative journalist Jason Leopold and the Reporters Committee for Freedom of the Press litigated for years to unseal electronic surveillance records that allow law enforcement to collect different types of electronic information for surveillance, including metadata about a telephone subscriber's activity or cell site location information. The lower court determined that administrative burden to providing public access to these seal records was enough to justify the interminable sealing of these records. But the D.C. Circuit reversed the lower court's decision, stating that "although administrative burden is relevant to how and when documents are released, it does not justify precluding release forever. … Production may be time-consuming, but time-consuming is not the same thing as impossible." The D.C. Circuit noted that providing public access to judicial records like the electronic surveillance records at issue "is a fundamental element of the rule of law" and "is the duty and responsibility of the Judicial Branch." EPIC is currently litigating a case against the Department of Justice seeking the public release of information about the agency's collection of cell site location information through "§ 2703(d) orders" and warrants. The case is EPIC v. DOJ, No. 18-1814 (D.D.C.).
- Would a government-backed social credit scoring system like China's ever fly in the US?, ABA Journal, July 29, 2020
- Going back to work or school? An algorithm may warn you to keep your distance from others, CNN Business, July 28, 2020
- Contact Tracing Demonstrates Need for National Privacy Laws, Lawmaker Says, Route Fifty, July 26, 2020
- Sens. Sanders, Warren, Wyden back national facial recognition ban bill, CNET, July 23, 2020
- Contact Tracing Demonstrates Need for National Privacy Laws, Lawmaker Says, Nextgov, July 23, 2020
- Clear usually helps people speed past the TSA line. Now it's offering a Covid-19 screening service., Recode, July 23, 2020
- Former Google CEO Wants to Create a Government-Funded University to Train A.I. Coders, OneZero, July 21, 2020
- 'Circumstances have changed': DOJ ready for more Mueller report declassifications, Washington Examiner, July 21, 2020
- China, Russia AI Support Needs Security Review, U.S. Panel Says, Bloomberg Law, July 20, 2020
- National Security Commission on AI recommends digital reserve corps and academy, FedScoop, July 20, 2020
- CJEU strikes down Privacy Shield and questions Standard Contractual Clauses (SCCs), Lexology, July 17, 2020
- Everything you need to know about Palantir, the secretive company coming for all your data, Recode, July 16, 2020
- Hillicon Valley: Law Students Have Concerns , The Hill, July 16, 2020
- Law school graduates worried about security, privacy of online bar exam, The Hill, July 14, 2020
- TikTok a privacy threat? Sure, but so are most of your smartphone apps, NBC News, July 13, 2020
- Judge Orders DOJ to Explain Its Secret Portions of the Mueller Report by Next Week, Law & Crime, July 13, 2020
- Random House Is Publishing A Former Prosecutor's Tell-All About The Mueller Investigation, Forbes, July 13, 2020
EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy are available at the EPIC Bookstore. Featured now at the EPIC Bookstore:
EU Law in Populist Times: Crises and Prospects (Francesca Bignami ed., 2020).
Authored by leading academics and policymakers, EU Law in Populist Times provides a comprehensive and cutting-edge analysis of the fields of European Union law at the heart of contemporary political debates—economic policy, human migration, internal security, and constitutional fundamentals at the national level.
Recent EPIC Publications
The AI Policy Sourcebook 2020, edited by Marc Rotenberg (EPIC 2020).
The AI Policy Sourcebook includes global AI frameworks such as the OECD AI Principles and the Universal Guidelines for AI. The Sourcebook also includes AI materials from the European Union and the Council of Europe, national AI initiatives, as well as recommendations from professional societies, including the ACM and the IEEE. The Sourcebook also includes an extensive resources section on AI, including reports, articles, and books from around the world.
The Privacy Law Sourcebook 2020, edited by Marc Rotenberg (EPIC 2020).
The Privacy Law Sourcebook is the leading resource for students, attorneys, and policymakers interested in privacy law in the United States and around the world. The Sourcebook includes major U.S. privacy laws. The Sourcebook also includes key international privacy frameworks such as the EU General Data Protection Regulation and the modernized Council of Europe Convention on Privacy. The Privacy Law Sourcebook 2020 includes the new California Consumer Privacy Act, the Illinois Biometric Information Privacy Act, the Public Voice Declaration for a Moratorium on Facial Recognition, and updates on GDPR implementation. The Sourcebook also includes an extensive resources section with information on privacy agencies, organizations, and publications.
EPIC v. Department of Justice: The Mueller Report, edited by Marc Rotenberg (EPIC 2019).
EPIC v. Department of Justice: The Mueller Report chronicles the efforts to obtain a full account of Russian interference in the 2016 presidential election. EPIC filed the first lawsuit in the country for the release of the full and unredacted Mueller Report and obtained a newly redacted version in early May 2019. EPIC is now challenging the redactions made by the Department of Justice in federal court. This volume is an essential guide to the legal arguments about the redactions, the dispute between the Attorney General and the Special Counsel, and EPIC's request for the Mueller Report and other records about Russian interference in the 2016 presidential election.
Communications Law and Policy: Cases and Materials, 6th Edition, by Jerry Kang and Alan Butler (Direct Injection Press 2018).
This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas—power, entry, pricing, access, classification, bad content, and intermediary liability—equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.
Share this page:
Subscribe to the EPIC Alert
The EPIC Alert is a biweekly newsletter highlighting emerging privacy issues.