DOJ Responds to EPIC FOIA on Location Data
In response to EPIC’s Freedom of Information Act request to the Justice Department for information about the use of location data, including cell phone records, to counter the pandemic, the DOJ wrote that there are no “responsive records.” EPIC had asked for “all legal memos, analysis, communications, and guidance documents, in the possession of the Department of Justice, concerning the collection or use of GPS data and cell phone location data for public health surveillance.” The DOJ forwarded EPIC’s request to its Office of Legal Counsel to see if responsive records exist in that office. EPIC will continue to seek information about the DOJ’s views on the use of location data, and particularly phone records. After 9-11, the Justice Department supported the warrantless surveillance of Americans, a program that was later terminated after the New York Times broke the story, and EPIC pursued a FOIA lawsuit and then a Supreme Court petition.
State Attorneys General Investigate Zoom
The Attorneys General from several states including New York, Connecticut, and Florida are investigating Zoom’s privacy and security practices. The New York AG stated that she was “concerned that Zoom’s existing security practices might not be sufficient to adapt to the recent and sudden surge in both the volume and sensitivity of data being passed through its network.” Last year, EPIC filed a complaint about Zoom security practices with the Federal Trade Commission. EPIC explained that Zoom had “placed at risk the privacy and security of the users of its services.” EPIC’s 22-page analysis detailed how Zoom had “exposed users to the risk of remote surveillance, unwanted videocalls, and denial-of-service attack.” The Federal Trade Commission failed to act on EPIC’s 2019 Zoom complaint.
HHS Removes Safeguards for Personal Health Data, Suspends Public Comment
Health and Human Services announced today it will reduce privacy safeguards for personal health data. Under the federal patient privacy law (HIPAA), a third party “business associate” that receives personal data from a health care provider or insurer must have express permission to redisclose the data. HHS has now suspended that protection, as long as “business associates” disclose personal health data in “good faith” for “public health activities” and provide notice within 10 days. There was no opportunity for public comment on the rule change. Previously, HHS announced that it would not take enforcement action against health care providers that violate HIPAA when consulting with patients remotely.