The World Health Organization (WHO) has issued guidance on documentation of COVID-19 vaccination certificates. Among other items, the guidance outlines ethical and data protection considerations, different use scenarios, and procedures for use and verification. Critically, the guidelines emphasize that emergency circumstances do not permit authorities to ignore legal obligations relating to privacy and human rights. The guidelines also mandate data protection safeguards and warn against normalizing surveillance of health information. EPIC has previously recommended that public health responses to the pandemic be consistent with privacy and human rights standards and urged authorities to limit unnecessary collection and use of vaccine-related personal data by third parties, including pharmacies.
EPIC and the National Consumer Law Center have filed an amicus brief in a case that highlights the privacy-invading behavior of the online lead generator industry. The plaintiffs in the case, McCurley v. Royal Seas Cruises, are trying to hold a cruise company accountable for tens of thousands of illegal robocalls made on its behalf by a foreign telemarketing company using leads from two unscrupulous online lead generators. The trial court dismissed the case against Royal Seas Cruises because of a provision in its contract with the telemarketer that said the telemarketer would comply with the federal anti-robocall law, the Telephone Consumer Protection Act. EPIC and NCLC argue in their brief that a simple contract provision cannot absolve Royal Seas Cruises from responsibility for these illegal robocalls. The amicus brief highlights the unscrupulous practices of the lead generator industry, including recent lawsuits accounting for millions of illegal calls and FTC enforcement actions against deceptive lead generator practices. EPIC and NCLC also argue that failure to hold Royal Seas Cruises accountable would "dramatically weaken TCPA enforcement, denying consumers any remedy for their privacy injuries, and leaving consumers unprotected from future harms." EPIC routinely files amicus briefs in TCPA cases.
EPIC submitted comments identifying gaps and proposing privacy and fundamental rights-preserving updates to the European Commission's Proposal for Harmonized Rules on Artificial Intelligence (the Artificial Intelligence Act or "AIA"). The AIA is intended as a step forward in proactive regulation of AI system use. However, EPIC's comment describes how unaddressed privacy and human rights concerns may allow AI systems to be used in ways that cause serious harm to individuals interacting, knowingly or unknowingly, with those systems. EPIC recommends that the Commission (i) remove the broad exemptions on regulatory requirements for AI systems and expand prohibitions where necessary, (ii) mandate prior notification to individuals subject to AI system decision-making, (iii) fully ban emotion recognition and biometric categorization systems, and (iv) mandate review and approval of AI system conformity assessments by data protection authorities prior to use. EPIC advocates for algorithmic justice, transparency, and accountability, and recently submitted comments on the OECD Framework for Classifying AI Systems, recommending changes to more robustly address privacy concerns.