Jeff Cassman

The U.S. Senate confirmed Anna Gomez to the Federal Communications Commission on Thursday. The FCC has been without a full Commission for an unprecedented two-and-a-half years as President Biden’s initial nomination of attorney and consumer advocate Gigi Sohn stalled in the Senate over groundless attacks on Sohn’s record. Anna Gomez has served in the State Department’s Cyberspace and Digital Policy Bureau, NTIA, the FCC, and Sprint Nextel. EPIC’s Executive Director, Alan Butler, noted when Anna Gomez was nominated in May of this year that she would bring “decades of telecom experience to an FCC that needs to quickly and dramatically ramp up its response to threats to Americans’ privacy and data security, especially as they relate to location data. EPIC is optimistic that a full Commission will be in a much better position to protect Americans from these harms.”

Over a dozen privacy, civil rights, and civil liberties groups from across the political spectrum met yesterday with Director of National Intelligence (DNI) Avril Haines and other high ranking intelligence community officials to discuss Section 702 of the Foreign Intelligence Surveillance Act (FISA 702), and connected surveillance issues such as data purchases and surveillance pursuant to Executive Order 12333.

Following the meeting, the undersigned attendees (full list below) issued the following statement:

“We appreciate DNI Haines taking time to hear our serious concerns with warrantless FISA 702 surveillance, but remain deeply distressed that the intelligence community will not commit to any of the meaningful reforms that are critical to protect Americans’ privacy. 

“After years of misuse such as deliberately seeking out private messages of activists on the left and right, a batch of 19,000 campaign donors, and lawmakers, it’s clear that FISA 702 and related surveillance powers need serious change. The administration and intelligence community must be willing to come to the table and accept significant new privacy protections that advocates, Congress, and the American people are calling for. There simply isn’t a path to reauthorization built on half-measures, window dressing, and codification of internal procedures that have repeatedly failed to protect Americans’ civil rights and civil liberties.”

As detailed in a letter provided to DNI Haines in advance of the meeting, participants view reauthorization of FISA 702 as dependent on a range of meaningful reforms, including:

• Requiring the government to obtain a warrant before searching the content of Americans’ communications collected under intelligence authorities;
• Establishing legislative safeguards for surveillance affecting Americans that is conducted under Executive Order 12333;
• Closing the data broker loophole, through which intelligence and law enforcement agencies purchase Americans’ sensitive location, internet, and other data without any legal process;
• Bolstering judicial review in FISA-related proceedings, including by shoring up the government’s obligation to give notice when information derived from FISA is used against a person accused of a crime; and
• Codifying reasonable limits on the scope of intelligence surveillance.

Statement above attributable to the following organizations:

• Americans For Prosperity
• Brennan Center for Justice at NYU School of Law
• Center for Democracy & Technology
• Demand Progress
• Due Process Institute
• Electronic Information Privacy Center (EPIC)
• FreedomWorks
• National Association of Criminal Defense Lawyers
• Project for Privacy and Surveillance Accountability
• Project on Government Oversight
• Restore the Fourth

By: Ben Winters, Senior Counsel

Earlier this year, EPIC, the Center for Digital Democracy, and the Consumer Federation of America submitted comments to the California Privacy Protection Agency (CPPA) to recommend strong regulations implementing key provisions of the California Consumer Privacy Act. The comments include proposals on cybersecurity audits, risk assessments, and automated decision-making systems and urge the agency to protect Californians by drawing on strong existing frameworks and ensuring that consumers’ rights to opt out and receive information are easy to exercise.

EPIC also provided extensive input on CCPA regulations in November 2021, May 2022, August 2022, and November 2022, arguing for consumer-friendly interpretations of the CCPA to guard against exploitative commercial data practices. 

Last week, the CPPA published draft regulatory text implementing the cybersecurity audits and risk assessment sections of the CCPA. This blog highlights and evaluates the draft risk assessment provisions. It’s important to remember this is an early draft, and also that the agency is limited to creating regulations pursuant to the drafted text. (Occasional inline commentary by EPIC in parentheses.)

When do risk assessments have to be submitted? When processing of information presents significant risk to consumers’ privacy. The agency is proposing that be any one of the 7 following circumstances:

• “Selling or sharing personal information” (which means many businesses may have to complete these risk assessments);
• Processing sensitive personal info (information for normal employment purposes like payroll, health insurance, and wage reporting are excluded);
• Using Automated Decisionmaking Technology in furtherance of a sensitive decision (i.e, one “that results in the provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment, healthcare, or access to to essential goods/services”);
• Processing personal information from people that the business knows are younger than 16;
• Processing in ways that constitute workplace or school surveillance (e.g., recording, speech/face detection, location trackers, keystroke loggers, and productivity monitors);
• Processing personal information of consumers in publicly accessible places using technology to monitor behavior, location, movements or actions (places that serve or are open to the public);
• Processing to train AI or ADT (particularly relevant to Generative AI)

What are risk assessments comprised of? Risk assessments are instruments of accountability—and the required process should reflect that. As EPIC wrote to the CPPA in March 2023, “When implemented properly, risk assessments force institutions to carefully evaluate the full spectrum of privacy and data-driven risks of a contemplated processing activity, to identify and implement measures to mitigate those risks, and to determine whether the processing activity can be justified considering any risks that cannot be fully mitigated. A risk assessment can also provide regulators and the public with vital information about processing activities that may pose a threat to privacy and civil rights. A risk assessment should not be a simple box-checking exercise or a static, one-off undertaking.” The CPPA’s draft reflects this perspective, requiring a whole-of-organization approach to completing risk assessments and a wide breadth of required considerations and disclosures.

The regulations call for a disclosure of the following to the agency:

• A short summary…

EPIC urged the Federal Communications Commission this week to explicitly prohibit data from telecommunications relay services (TRS)—services made available for individuals with hearing or speech disabilities—from being used to train AI data sets without express, affirmative consent from the consumer following a clear and comprehensive disclosure of the risks involved. There have been numerous, well-publicized instances of AI models being trained on non-public data and that data being leaked to future users. As EPIC explained, it would be a violation of TRS participants’ confidentiality and frustrate data minimization efforts to permit providers to train AI using TRS data without a robust consent-based safeguard. EPIC also supported two FCC proposals to clarify the scope of TRS confidentiality rules to ensure greater privacy for TRS participants. EPIC routinely advocates before the Commission for rules that protect consumers from exploitative data practices, including supporting protections for TRS users.