The Metropolitan Washington Coalition of Governments (MWCOG) informed EPIC today that the National Capital Region Facial Recognition System (NCR-FRILS) will be shut down by July 1, 2021. The system is used by police departments and government agencies in the DC, Maryland, and Virginia area. EPIC led a coalition that recently sent a letter to the MWCOG demanding an end to the system citing the dangerous nature of facial recognition and racial bias in facial recognition software. A recently passed law in Virginia requiring approval from the General Assembly before using facial recognition was going to curtail NCR-FRILS use in that state. The facial recognition system was first disclosed last year after it was used to identify a protester at a Black Lives Matter rally who was accused of assault.
In comments to the DHS's Data Privacy and Integrity Advisory Committee (DPIAC), EPIC urged a comprehensive review of DHS's Information Sharing Access Agreements (ISAAs) prioritizing the most sensitive types of data, information from marginalized groups, and agreements disclosing information to unreliable partners. EPIC's comments respond to DPIAC's tasking to provide guidance to the DHS Privacy Office after an OIG audit revealed that thousands of ISAAs had never been reviewed for compliance with privacy laws and regulations. EPIC previously urged DPIAC to undertake a comprehensive investigation of fusion centers for chronic privacy and civil liberties abuses.
The Irish High Court today issued an order in a follow-on case to Irish Data Protection Commissioner v. Facebook and Schrems ("Schrems II") and, as a result, the investigation into Facebook's U.S.-EU data transfers will move forward. The case arises from a complaint filed with the DPC in Ireland against Facebook by privacy activist Max Schrems in 2013 alleging that the company violated EU law when it transferred personal data to the U.S. (where the company is obliged to provide access to the government). The case has since been referred two separate times to the highest court in Europe (the CJEU), and has led to the invalidation of both the U.S.-EU Safe Harbor Agreement and the U.S.-EU Privacy Shield Agreement. The CJEU in the Schrems II decision last year remanded the case to the Irish DPC to determine whether Facebook violated the law and whether it was necessary to block Facebook's U.S.-EU data transfers. The DPC later issued a Preliminary Draft Decision to Facebook and laid out procedures for the inquiry. Both Facebook and Schrems challenged the DPC procedures. The DPC agreed in a settlement with Schrems that it would complete the investigation into his original complaint. The Irish High Court today rejected Facebook's challenge to the DPC inquiry, and both the Schrems complaint and this new DPC inquiry against Facebook will move forward. EPIC participated as an amicus curiae in Schrems II, arguing that U.S. Surveillance law does not provide adequate privacy protections or remedies for non-U.S. persons abroad.
