IWG 61 Public Notice and Comment Opportunity and Updating Federally Mandated Agency Privacy Assessments.5

International Working Group on Data Protection in Telecommunications 61st meeting Washington, D.C. 24 – 25 April 207

Country Report United States of America (provided by EPIC)

I. Executive Action

Limits on Federal Privacy Act Protections for Non-U.S. Persons

President Trump has issued an Executive Order on immigration that limits federal Privacy Act protections for non-U.S. persons.1 Section 14 of “Enhancing Public Safety in the Interior of the United States” requires, “to the extent consistent with applicable law,” that agencies exclude persons who are not United States citizens or lawful permanent residents from the Privacy Act’s protections.

The full legal implications of provision are still unclear. Six senators have written to the Department of Homeland Security to question the agency about the impact of Section 14.2 The Senators stated the change reversed a “longstanding practice of federal agencies” and “would be inconsistent with the commitments made when the government collected much of the information.”3 They also asked DHS to explain the Order’s impact on the U.S.’s Privacy Shield commitments.4

EPIC and a coalition explained to federal officials that the implementation of the Order must adhere to several federal privacy and accountability requirements, including provision of a

1 Executive Order: Enhancing Public Safety in the Interior of the United States (Jan. 25, 2017), https://www.whitehouse.gov/the-press-office/2017/01/25/presidential-executive-order- enhancing-public-safety-interior-united. 2 Letter from Sen. Markey, et. al, to Sec’y John Kelly, Dep’t of Homeland Sec. (Feb. 6, 2017), https://www.markey.senate.gov/imo/media/doc/2017-02-09-Privacy-EO-Letter.pdf. 3 Id. 4 Id.

U.S. Country Report (EPIC) 1 IWG 61 public notice and comment opportunity and updating federally mandated agency privacy assessments.5

Data Collection and Publication for Non-U.S. Persons

A second immigration order issued by President Trump, “Protecting the Nation from Foreign Terrorist Entry into the United States,” requires new data collection and publication practices concerning foreign nationals.6 Section 11 of the Order mandates that DHS publicly report certain information, such as the number of foreign nationals convicted or charged with terrorism-related offenses, the number radicalized after entry to the U.S., and the number of acts of gender-based violence against women by foreign nationals.

Similarly, Section 14 of Executive Order “Border Security and Immigration Enforcement Improvements” requires a monthly public report of “statistical data on aliens apprehended at or near the southern border” of the U.S.7

EPIC and a coalition raised concerns that selective collection and reporting under Order lacks “utility, objectivity, and integrity.”8 “Once collected, this data will have no frame of reference and, accordingly, will not give policy makers or the public a sense of how it compares to all travelers or all U.S. persons,” the coalition noted.9

II. Legislation

FCC Broadband Privacy Rules Rescinded by New Congress

A resolution adopted by the U.S. Congress rescinded the FCC’s privacy regulations for broadband Internet service providers.10 The rules required ISPs to obtain consumers’ consent before disclosing “sensitive” information such a precise location, web browsing history, and app

5Letter from EPIC, et. al, to Sec’y John Kelly, Dep’t of Homeland Sec., and Jeff Sessions, Attorney Gen. (Mar. 21, 2017), http://www.openthegovernment.org/sites/default/files/Letter%20to%20DHS%20&%20%20DOJ _Data%20Provisions%20in%20Executive%20Orders.pdf. 6 Executive Order: Protecting the Nation from Foreign Terrorist Entry into the United States (Mar. 6, 2017), https://www.whitehouse.gov/the-press-office/2017/03/06/executive-order- protecting-nation-foreign-terrorist-entry-united-states. 7 Executive Order: Border Security and Immigration Enforcement Improvements (Jan. 25, 2017), https://www.whitehouse.gov/the-press-office/2017/01/25/executive-order-border-security-and- immigration-enforcement-improvements. 8 Letter from EPIC, et. al, to Sec’y. John Kelly, Dep’t of Homeland Sec., and Jeff Sessions, Attorney Gen., supra note 5. 9 Id. 10 Pub. L. No. 115-22 (2017), https://www.congress.gov/115/bills/sjres34/BILLS- 115sjres34enr.pdf.

U.S. Country Report (EPIC) 2 IWG 61 usage history.11 The rules also required companies notify consumers of data breaches. This resolution nullifies the FCC's rules and blocks the FCC from enacting similar rules in the future. Critics had attacked the FCC rules on the grounds that they unreasonably singled out a sector of the communications industry.12 EPIC had urged the FCC to go further and to establish comprehensive safeguards for consumer privacy.13

Email Privacy Act Passes the House

The House of Representatives passed the Email Privacy Act, a bill that would amend the Electronic Communications Privacy Act of 1986 and establish a warrant requirement to communications stored for more than 180 days.14 The modest reform will now be reviewed by the Senate. An earlier version of the Act would have required notice of email searches to the user, with some exceptions. EPIC has recommended several additional updates to the law, including protections for location data, data minimization requirements, and end-to-end encryption for commercial e-mail services.15

Privacy and Security Standards for Connected Cars Proposed

The Congress is considering the “Security and Privacy in Your Car Act of 2017.”16 Introduced by Senators Edward Markey (D-MA) and Richard Blumenthal (D-CT), the bill would establish cybersecurity and privacy standards for new passenger vehicles and establish a privacy rating system. In 2014, Sen. Markey released a report entitled “Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk.”17 The report found “[n]early 100% of cars on the

11 Protecting the Privacy of Customers of broadband and Other Telecommunications Services, Report and Order, WC Docket No. 16-106, FCC 16-148 (Nov. 2, 2016), https://apps.fcc.gov/edocs_public/attachmatch/FCC-16-148A1_Rcd.pdf. 12 Ajit Pai & Maureen Ohlhausen, No, Republicans didn’t just strip away your Internet privacy rights, Wash. Post (Apr. 4, 2017) https://www.washingtonpost.com/opinions/no-republicans- didnt-just-strip-away-your-internet-privacy-rights/2017/04/04/73e6d500-18ab-11e7-9887- 1a5314b56a08_story.html?utm_term=.89fd8a0b5f1f. 13 Letter from EPIC to Tom Wheeler, Chairman of the Fed. Commc’n Comm’n, (Jan. 20, 2016), https://epic.org/privacy/consumer/EPIC-to-FCC-on-Communications-Privacy.pdf. 14 H.R. 387, 115th Cong. (2017), https://www.congress.gov/bill/115th-congress/house- bill/387/text. 15 Letter from EPIC to Rep. Jim Sesenbrenner, Chairman, House Comm. on the Judiciary, Subcomm. On Crime, Terrorism, Homeland Sec. and Investigations, and Rep. Bobby Scott, Ranking Member (Mar. 18, 2013), https://epic.org/privacy/ecpa/EPIC-to-HJC-re-ECPA-3-18- 2013.pdf. 16 S.680, 115th Cong. (2017), https://www.markey.senate.gov/imo/media/doc/2017-03-20- SPYCAR-Act-BillText-.pdf 17 Sen. Ed Markey, Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk (2014), https://www.markey.senate.gov//imo/media/doc/2015-02-06_MarkeyReport- Tracking_Hacking_CarSecurity%202.pdf.

U.S. Country Report (EPIC) 3 IWG 61 market include wireless technologies that could pose vulnerabilities to hacking or privacy intrusions.”18

New FISA Reporting Requirements Go Into Effect

The Administrative Office of the U.S. Courts has issued the 2016 report on activities of the Foreign Intelligence Surveillance Court.19 The 2016 FISA report reveals that there were 1,752 FISA applications in 2016, of which 1,378 were granted, 339 were modified, 26 were denied in part, and 9 were denied in full. Scrutiny of FISA applications increased substantially in 2016. The FISA court denied more applications in 2016 than it had during the previous 36 years. In testimony before Congress in 2012, EPIC urged increased public reporting of the use of FISA authority to prevent abuse.20 Several of EPIC’s recommendations are reflected in the revised reporting requirements, following passage of the USA FREEDOM Act in June 2015.

III. Privacy Issues of Interest

Public Opinion Polls: Public More Concerned about Google and Facebook than ISPs, Would Not Sacrifice Privacy to Foil Terror Plots

According to a POLITICO/Morning Consult poll, Americans trust Google and Facebook less than ISPs to protect personal data. Only 43% of respondents trusted broadband companies with personal information "a great deal" or "a fair amount."21 But trust in internet companies was much lower: 31% said they trust Facebook, 21% trust Twitter, 39% trust Google, and 35% trust other websites they visit regularly. The poll also shows public opposition to web tracking, with 70% respondents saying they were "somewhat uncomfortable" or "very uncomfortable" with companies tracking the web sites people visit and 77% being uncomfortable with companies selling people's data for advertising purposes.22

18 Id. at 1. 19 Administrative Office of the U.S. Courts, New Report on Foreign Intelligence Surveillance Court Issued (Apr. 20, 2017), http://www.uscourts.gov/news/2017/04/20/new-report-foreign- intelligence-surveillance-court-issued 20 Testimony of Marc Rotenberg, EPIC Executive Director, The FISA Amendments Act of 2008, hearing before the House Committee on the Judiciary, Subcommittee on Crime, Terrorism, and Homeland Security (May 31, 2012), https://epic.org/privacy/testimony/EPIC-FISA-Amd-Act- Testimony-HJC.pdf 21 Amir Nasr, Poll: Little Trust That Tech Giants Will Keep Personal Data Private, Morning Consult (Apr. 10, 2017), https://morningconsult.com/2017/04/10/poll-little-trust-tech-giants-will-keep-personal-data- private/ 22 Id.

U.S. Country Report (EPIC) 4 IWG 61

Further, a Reuters/Ipsos poll showed that a majority of Americans are not willing to give up their privacy - even to help the government fight terrorism.23 About 3 in 4 participants in the online survey answered that they would not give up the privacy of their e-mail, text messages, or phone records to help the U.S. fight foreign or domestic terrorism plots or counter hacking of U.S. networks by foreign powers.24

Second Major Yahoo Data Breach Compromises Over One Billion Accounts

Yahoo announced that data was stolen from over one billion user accounts in August 2013. The breach included names, email addresses, telephone numbers, dates of birth, passwords, and security questions and answers.25 The U.S. recently indicted both Russian intelligence officials and hackers for perpetrating the breach.26 This follows an earlier announcement by the company that a 2014 data breach implicated 500 million Yahoo users.27

U.S. Authorities to Require Traveler Social Media Passwords, Increase Searches of Electronic Devices

The Department of Homeland Security is considering a requirement for foreign travelers to turn over passwords to social media accounts as a condition of entering the U.S.28 The proposal has not been finalized, but the policy was raised by new DHS Secretary Kelly in an open hearing before Congress.

Reports also emerged that border authorities have already required travelers, including American citizens, to disclose cell phone passwords and submit to a search of their devices.29 A

23 Dustin Volz, Most Americans unwilling to give up privacy to thwart attacks: Reuters/Ipsos poll, Reuters (Apr. 4, 2017), http://www.reuters.com/article/us-usa-cyber-poll- idUSKBN1762TQ. 24 Id. 25 Bob Lord (CISO), Important Security Information for Yahoo Users, Yahoo (Dec. 14, 2016), https://yahoo.tumblr.com/post/154479236569/important-security-information-for-yahoo-users. 26 Sam Thielman & Spencer Ackerman, US charges two Russian spies and two hackers in Yahoo data breach, Guardian (Mar. 15, 2017), https://www.theguardian.com/technology/2017/mar/15/fbi-charges-two-russian-spies-hackers- yahoo-data-breach. 27 An Important Message to Yahoo Users on Security, Yahoo (Sept. 22, 2016), https://investor.yahoo.net/releasedetail.cfm?ReleaseID=990570. 28 Ending the Crisis: America’s Borders and the Path to Security, Homeland.house.gov (Feb. 7, 2017) https://homeland.house.gov/hearing/ending-crisis-americas-borders-path-security/ (including statements of DHS Secretary Kelly in hearing video footage therein). 29 Cynthia McFadden, E.D. Cauchi William M. Arkin, & Kevin Monahan, American Citizens: U.S. Border Agents Can Search Your Cellphones, NBC News (Mar. 13, 2017), http://www.nbcnews.com/news/us-news/traveling-while-brown-u-s-border-agents-can-search- your-n732746.

U.S. Country Report (EPIC) 5 IWG 61

NBC report revealed border searches of cellphones increased “fivefold in just one year, from fewer than 5,000 in 2015 to nearly 25,000 in 2016.”30

Neil Gorsuch Appointed to the U.S. Supreme Court

On April 7, 2017, Judge Neil M. Gorsuch was confirmed by the Senate as the next Associate Justice to the U.S. Supreme Court.31 Judge Gorsuch previously sat on the U.S Court of Appeals for the Tenth Circuit. He replaces the late Justice Antonin Scalia, to whom his legal views and writing have often been compared. EPIC wrote to the U.S. Senate Committee on the Judiciary ahead of the nomination hearings. EPIC explained that Judge Gorsuch “authored several Fourth Amendment decisions that protect individuals against intrusive searches,” but urged the Committee to closely scrutinize his positions on a wide range of privacy and civil liberties issues.32

Over 130,000 Sailors’ Records Compromised in Navy Data Breach

The Navy reported that a hacker gathered the personal data of more than 130,000 current and former sailors from a laptop that belonged to a government contractor.33 “[S]ensitive information, including the names and Social Security Numbers” of the Sailors “were accessed by unknown individuals,” the Navy said.34 This announcement an upward trend in the number of data breaches across the U.S. government.35 In 2015, a hack of the Office of Personnel Management affected 22 million people – the “greatest theft of sensitive personnel data in history.”36

New Rules Permit Broad Dissemination of Raw Intelligence by NSA

Just before President Trump took office, Obama’s Director of National Intelligence James Clapper issued new procedures allowing broad dissemination of raw data collected by the NSA.37 The rules permit the NSA to disseminate signals intelligence to sixteen federal agencies without first removing or "minimizing" personal information. The Director said the new rules

30 Id. 31 Neil Gorsuch, EPIC.org, https://epic.org/privacy/gorsuch/. 32 Letter from EPIC to Sen. Chuck Grassley, Chairman, Senate Comm. on the Judiciary, and Sen. Dianne Feinstein, Ranking Member (Mar. 20, 2017), https://epic.org/privacy/gorsuch/EPIC-SJC- Gorsuch-Mar2017.pdf. 33 Chief of Naval Personnel Pub. Affairs, Security Breach Notification of Sailors' PII, Navy (Nov. 23, 2016), http://www.navy.mil/submit/display.asp?story_id=97820. 34 Id. 35 Gov’t Accountability Office, Information Security: Federal Agencies Need to Better Protect Sensitive Data (2015), http://www.gao.gov/assets/680/673678.pdf. 36 Michael Adams, Why the OPM Hack Is Far Worse Than You Imagine, Lawfare (Mar. 11, 2016), https://www.lawfareblog.com/why-opm-hack-far-worse-you-imagine. 37 Procedures for the Availability or Dissemination of Raw Signals Intelligence Information by the National Security Agency Under Section 2.3 of Executive Order 12333, https://www.dni.gov/files/documents/icotr/RawSIGINTGuidelines-as-approved-redacted.pdf.

U.S. Country Report (EPIC) 6 IWG 61 would "prohibit recipient elements from querying raw [intelligence] for a law enforcement purpose.”38 However, EPIC and a coalition previously warned that the changes would "fatally weaken existing restrictions on access to the phone calls, emails, and other data the NSA collects.”39

U.S. Evaluates Russian Interference with 2016 Presidential Election

Following the Russian Interference with the 2016 Presidential Election, U.S. intelligence agencies and the new Congress have been active evaluating the ongoing risk and developing the U.S. response.

The FBI and DHS released a Joint Analysis Report on the interference, “GRIZZLY STEPPE – Russian Malicious Cyber Activity” on December 29, 2016. The report sketched the tools and infrastructure used and attributed the interference to Russian actors.40 On January 6, 2017, the ODNI also published a joint intelligence of the CIA, FBI, and NSA, “Assessing Russian Activities and Intentions in Recent US Elections.”41 This report addressed the “motivation and scope of Moscow’s intentions regarding US elections,” and explored both the cyberattacks and the broader influence campaign carried out by the Russians.42

Bipartisan investigations into the Russian interference are underway in the U.S. Congress, led by the Senate and House Intelligence Committees.43 The new Congress has also held numerous public and closed door hearings concerning the interference.44 The legislature is

38 Office of the Dir. of Nat’l Intelligence, Fact Sheet on E.O. 12333 Raw SIGINT Availabilitiy Procedures (2017), https://www.dni.gov/files/documents/icotr/FactSheetEO12333RawSIGINTProcedures.pdf. 39 Letter from EPIC, et. al, to Dir. Nat’l Intelligence James R. Clapper and Dir. Michael S. Rogers, Nat’l Sec. Agency (Apr. 7, 2016), http://www.openthegovernment.org/sites/default/files/Coalition%20Letter_DNI_NSA_EO%201 2333_data_sharing.pdf. 40 Fed. Bureau of Investigation & Dep’t of Homeland Sec., GRIZZLY STEPPE – Russian Malicious Cyber Activity (2016), https://www.us- cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016- 1229.pdf. 41 Office of the Dir. Nat. Intelligence, Assessing Russian Activities and Intentions in Recent US Elections (2017), https://www.dni.gov/files/documents/ICA_2017_01.pdf. 42 Id. at i. 43 Press Release, Sen. Richard Burr, Chairman of the Senate Select Comm. on Intelligence, and Sen. Mark Warner, Vice Chairman, Joint Statement on Comm. Inquiry into Russian Intelligence Activities (Jan. 13, 2017), https://www.burr.senate.gov/press/releases/joint-statement-on- committee-inquiry-into-russian-intelligence-activities; Press Release, Intelligence Committee Chairman, Ranking Member Establish Parameters for Russian investigation (Mar. 1, 2017), http://intelligence.house.gov/news/documentsingle.aspx?DocumentID=767. 44 See, e.g., Hearings, Armed-services.senate.gov, https://www.armed- services.senate.gov/hearings?PageNum_rs=1&.

U.S. Country Report (EPIC) 7 IWG 61 considering several legislative proposals, ranging from increased sanctions against Russia to the creation of a Select Committee on Cybersecurity45

EPIC has filed three Freedom of Information Act lawsuits to obtain information about the extent of Russian interference with the 2016 Presidential Election. In EPIC v. FBI, EPIC is seeking to determine the FBI response to knowledge of the Russian interference with the Presidential election.46 In EPIC v. ODNI, EPIC is seeking to obtain the public release of the complete report concerning the Russian interference with the election.47 In EPIC v. IRS, EPIC is seeking the tax returns of Donald J. Trump.48 Beginning with the first Congressional hearing in 2017, EPIC has also consistently urged Congress to prioritize U.S. cybersecurity, addressing political leaders in both parties.49

FTC Reaches Settlement with VIZIO Over Smart TV Tracking

The FTC reached a $2.2 million settlement with smart TV manufacturer VIZIO over the company's tracking of consumers' viewing habits without their knowledge or consent.50 The FTC's complaint alleged that VIZIO's collection and sale of viewing data was unfair and deceptive, and explained that the TVs transmitted “information about what a consumer is watching on a second-by-second basis.”51 The settlement requires the company to delete all viewing data and enact a comprehensive privacy program.52 EPIC previously filed a complaint with the FTC over Samsung's smart TV data collection practices, including surveillance of

45 Counteracting Russian Hostilities Act of 2017, S. 94, 115th Cong. (2017); Establishing the Select Committee on Cybersecurity, S. Res. 23, 115th Cong. (2017). 46 EPIC v. FBI (Russian Hacking), EPIC.org, https://epic.org/foia/fbi/russian-hacking/. See also EPIC files FOIA suit over records of Russia hacking, POLITICO Pro (Jan. 19, 2017), https://www.politicopro.com/tech/whiteboard/2017/01/epic-files-foia-suit-over-russia-hacking- records-082479. 47 EPIC v. ODNI (Russian Hacking), EPIC.org, https://epic.org/foia/odni/russian-hacking/. See also Marc Rotenberg, Americans have a right to know what intel community knows on Russia, The Hill (Mar. 27, 2017), http://thehill.com/blogs/pundits-blog/the-administration/325862- americans-have-a-right-to-know-what-intel-community. 48 EPIC v. IRS (Donald Trump’s Tax Returns, EPIC.org, https://epic.org/foia/irs/trump-taxes/, See also Law360, EPIC Sues IRS for Trump's Tax Returns, https://www.law360.com/articles/913931/privacy-group-sues-irs-for-trump-s-tax-returns 49 See, e.g., Letter from EPIC to Sen. John McCain, Chairman of the Senate Comm. on Armed Servs., and Sen. Jack Reed, Ranking Member (Jan. 4, 2017), https://epic.org/privacy/cybersecurity/EPICletter-SenateArmedServices-010417.pdf. 50 VIZIO to Pay $2.2 Million to FTC, State of New Jersey to Settle Charges It Collected Viewing Histories on 11 Million Smart Televisions without Users’ Consent, FTC.gov (Feb. 6, 2017), https://www.ftc.gov/news-events/press-releases/2017/02/vizio-pay-22-million-ftc-state-new- jersey-settle-charges-it. 51 Complaint at 4, FTC v. Vizio, Inc, No. 2:17-CV-00758 (D.N.J. Feb. 6, 2017), https://www.ftc.gov/system/files/documents/cases/170206_vizio_2017.02.06_complaint.pdf. 52 VIZIO to Pay $2.2 Million to FTC, State of New Jersey to Settle Charges It Collected Viewing Histories on 11 Million Smart Televisions without Users’ Consent, supra note 47.

U.S. Country Report (EPIC) 8 IWG 61 consumers' private conversations.53 EPIC has also defended the privacy of consumers' TV viewing habits in a federal court case involving the Video Privacy Protection Act.

U.S. Designates Countries Covered Under the Judicial Redress Act Privacy Shield EU-U.S. Data Transfer Arrangement

During the final week of Obama’s term, the Department of Justice released the list of European countries covered under the Judicial Redress Act.54 The designations were published in the Federal Register, an official publication of federal regulations and notices, and became effective on February 1, 2017.55 The Judicial Redress Act provides citizens of designated countries certain rights under the federal Privacy Act.56 The Act implements the U.S.-EU “Umbrella Agreement,” a framework for transferring law enforcement data across the Atlantic.57

IV. EPIC’s Work and Events

“Democracy and Cybersecurity: Preserving Democratic Institutions”

EPIC has launched a new project -- "Democracy and Cybersecurity" -- to address growing concerns about cyber attacks on democratic institutions.58 The new EPIC project will take a broad look at the relationship between democratic institutions and cybersecurity policy. The project will examine three key areas: election integrity, foreign interference with democratic decision-making, and cyber policy.

Irish Data Protection Commissioner v. Facebook

EPIC is serving as amicus curiae in Irish Data Protection Comissioner v. Facebook (Record No: 2016/4809P).59 The case follows the landmark decision by the European Court of Justice invalidating the Safe Harbor arrangement for transferring EU citizens’ data to the U.S. Now, the Irish High Court is being asked to review whether “standard contractual clauses” used authorize the transfer of personal data to the U.S. post-Safe Harbor provide adequate protection for E.U. citizens.

53 EPIC, “Samsung ‘Smart TV’ Complaint,” https://epic.org/privacy/internet/ftc/samsung/ 54 Judicial Redress Act of 2015, Justice.gov, https://www.justice.gov/opcl/judicial-redress-act- 2015. 55 Attorney General Order No. 3824-2017, "Judicial Redress Act of 2015; Attorney General Designations," 82 Fed. Reg. 7860 (Jan. 23, 2017) https://www.federalregister.gov/documents/2017/01/23/2017-01381/judicial-redress-act-of- 2015-attorney-general-designations. 56 Judicial Redress Act of 2015, Pub. L. No. 114-126. 57 EU-US Umbrella Agreement, EPIC.org, https://epic.org/privacy/intl/data-agreement/. 58 Democracy ad Cybersecurity: Preserving Democratic Institutions, EPIC.org, https://epic.org/democracy/. 59 Schrems v. Data Protection Commissioner, EPIC.org, https://epic.org/privacy/intl/schrems/#schrems2.

U.S. Country Report (EPIC) 9 IWG 61

In submissions to the Court, EPIC explained that "U.S. privacy law is characterized by particularly narrow conceptions of privacy and personal data, which in turn limit the scope of relevant constitutional, statutory, and regulatory privacy protections."60 EPIC also stated, "many of the privacy safeguards under U.S. law in fact operate to the exclusion of E.U. citizens" and that the "standing" doctrine is an overarching barrier to legal redress.

Recent EPIC Publications

Commentaries

Alan Butler, United States of America · Whither Privacy Shield in the Trump Era?, European Data Protection Law Review (April 21, 2017)61

Marc Rotenberg, Urgent Mandate, Unhurried Response: An Evaluation of the UN Special Rapporteur on the Right to Privacy, European Data Protection Law Review (April 21, 2017).62

Marc Rotenberg, When the Government Is Watching You, New York Times (March 28, 2017).63

Marc Rotenberg, Americans have a right to know what intel community knows on Russia, The Hill (March 27, 2017)64

Books

EPIC Bookstore – with many books by members of the EPIC Advisory Board and other featured authors – www.epic.org/bookstore

Communications Law and Policy: Cases and Materials, 5th Edition, by Jerry Kang and Alan Butler. (Direct Injection Press 2016).

The Privacy Law Sourcebook 2016: United States Law, International Law, and Recent Developments, edited by Marc Rotenberg (EPIC 2016),65

60Amended Outline Submissions for EPIC as Amicus Curiae, Data Protection Commissioner v. Facebook Ireland, Ltd., No. 2016/4809P (Irish High Court 2017), https://epic.org/privacy/intl/schrems/02272017-EPIC-Amended-Submissions.pdf. 61 http://edpl.lexxion.eu/article/EDPL/2017/1/17 62 http://edpl.lexxion.eu/article/EDPL/2017/1/8 63 https://www.nytimes.com/2017/03/28/opinion/when-the-government-is-watching-you.html. 64 http://thehill.com/blogs/pundits-blog/the-administration/325862-americans-have-a-right-to- know-what-intel-community 65 https://epic.org/bookstore/pls2016/

U.S. Country Report (EPIC) 10 IWG 61

Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. (West Academic 2015). 66

EPIC Champions of Freedom Awards Dinner

EPIC will host the 2017 Champions of Freedom Award dinner and ceremony on June 5, 2017 at the National Press Club in Washington, D.C. The 2017 honorees include Carrie Goldberg, Garry Kasparov, and Judge Pat Wald.

More information is available here: https://epic.org/june5/

Further information about privacy developments in the United States is available at the website of the Electronic Privacy Information Center – www.epic.org. For biweekly updates, subscribe to the EPIC Alert.

66 Privacy Law and Society, https://privacylawandsociety.org

U.S. Country Report (EPIC) 11 IWG 61

Appendix: EPIC Resources for 61st IWG

Connected toys, EPIC complaint to the FTC (Dec. 6, 2016): https://epic.org/privacy/kids/EPIC-IPR-FTC-Genesis-Complaint.pdf

Facebook-WhatsApp Data Transfer, EPIC complaint to the FTC (Aug. 29, 2016): https://epic.org/privacy/ftc/whatsapp/EPIC-CDD-FTC-WhatsApp-Complaint-2016.pdf

Smart cities, EPIC comments to National Science Foundation (Feb. 28, 2017): https://epic.org/apa/comments/EPIC-NSF-Smart-Cities-Comments-2-27-17.pdf

Connected vehicles, EPIC comments to National Highway Traffic Safety Administration (Apr. 12, 2017): https://epic.org/apa/comments/EPIC-NHTSA-V2V-Communications.pdf

Connected vehicles, EPIC amicus brief to the 9th Circuit Court of Appeals, Cahen v. Toyota (Aug. 5, 2016): https://epic.org/amicus/cahen/EPIC-Amicus-Cahen-Toyota.pdf

Smart TVs, EPIC complaint to the FTC (Feb. 24, 2015): https://epic.org/privacy/internet/ftc/Samsung/EPIC-FTC-Samsung.pdf

Privacy in evidence based policymaking, EPIC comments to Commission on Evidence Based Policymaking (Nov. 14, 2016): https://epic.org/apa/comments/EPIC-CEP-RFC.pdf

Broadband privacy rule, EPIC comments to the FCC (July 6, 2016): https://epic.org/apa/comments/EPIC-FCC-Privacy-NPRM-Reply-Comments-07.06.16.pdf

“Ten Steps to Protect Consumer Privacy,” letter to the FTC (Feb. 15, 2017): https://epic.org/privacy/internet/ftc/EPIC-et-al-ltr-FTC-02-15-2017.pdf

Cross device tracking, EPIC comments to FTC (Dec. 16, 2015): https://epic.org/apa/comments/EPIC-FTC-Cross-Device-Tracking-Comments.pdf

Google e-mail scanning, EPIC amicus brief to the Massachusetts Supreme Court, Marquis v. Google (Oct. 24, 2016): https://epic.org/amicus/massachusetts/google/EPIC-MA-Gmail-Amicus.pdf

Personally identifiable information & online tracking, EPIC amicus brief to 3d Circuit Court of Appeals, In re Nickelodeon (May 4, 2015): https://epic.org/amicus/vppa/nickelodeon/EPIC-Amicus.pdf

Telephone Record Retention, Coalition Letter to End FCC Retention Mandate, (Apr. 24, 2017), https://epic.org/2017/04/epic-coalition-urge-fcc-to-act.html

U.S. Country Report (EPIC) 12 IWG 61