Federal Communications Commission Chairman Tom Wheeler announced the agency’s highly anticipated proposal for privacy rules for Internet service providers on Thursday. Though the agency did not release the actual proposal, Wheeler took to Huffington Post to describe the main points of the soon-to-be-proposed rules – which centered around choice, security, and transparency – and offered a three-page fact sheet.
If approved, the rules would be the first explicit privacy regulations placed on Internet service providers like Comcast and Time Warner Cable. FCC commissioners have until March 31 to approve the Notice of Proposed Rulemaking, and if approved, the rules would then be up for public comment.
In a blog post, Wheeler wrote, “We all know that the social media we join and the web sites we visit collect our personal information, and use it for advertising purposes. Seldom, however, do we stop to realize that our Internet service provider is also collecting information about us.” Wheeler notes that information collected by phone companies has long been protected under FCC regulations.
“The same should be true for information collected by your ISP,” he wrote.
According to the fact sheet describing the tenets of the Notice of Proposed Rulemaking, Wheeler is proposing a three-pronged choice regime that ISPs would follow, more transparency so that consumers know what data about them is collected, new measures that lay out reasonable data security protections, and a set of data breach notification provisions. Wheeler’s proposal is limited in scope and would not cover websites “like Twitter or Facebook, over which the Federal Trade Commission has authority.”
The choice regime notes that consent is inherent when purchasing an ISP’s services, but an opt-out would be required for an ISP to share customer data with its affiliates. Under Wheeler’s NPRM, “all other uses and sharing of consumer data would require express, affirmative ‘opt-in’ consent from customers.”
ISPs would also have “to take reasonable steps” to secure consumer data and, “at a minimum,” would be required “to adopt risk-management practices; institute personnel training practices” as well as implement “strong customer authentication requirements.” ISPs would also have to appoint a senior manager for data security and “take responsibility for use and protection of customer information when shared with third parties.”
After discovering a breach, ISPs would have 10 days to notify affected customers and seven days to notify the commission; if more than 5,000 individuals were affected, providers would also have to notify the FBI and Secret Service within seven days of discovery.
It was immediately clear, however, that industry — even at least one of the FCC commissioners — does not approve of the proposal. In an official statement, FCC Commissioner Michael O’Rielly wrote, “The ‘fact’ sheet demonstrates that the FCC is doubling down on its misguided and broken Net Neutrality decision by imposing troubling and conflicting ‘privacy’ rules on Internet companies, as well as freelancing on topics like data security and data breach that are not even mentioned in the statute.”
There are also concerns that regulation of a small portion of the Internet is disproportionate and unfair and may well affect a much broader section of the advertising industry.
DLA Piper Partner Jim Halpert, who also co-chairs the firm’s cybersecurity and global data protection practices, said in a phone interview with The Privacy Advisor that based on what’s been released by Chairman Wheeler, the proposal “appears to discriminate irrationally against ISPs.” He also expressed disappointment “that the FCC proposal would take outdated CPNI [customer proprietary network information] rules from the 1996 Telecommunications Act and apply them mechanically to a tiny corner of a much larger advertising ecosystem.”
“There are serious questions about whether this would promote clarity, consistency and control for consumers,” he added.
Davis Wright Tremaine Partner Christin McMeley, CIPP/US, said what’s “on the fact sheet is not totally unexpected,” but she pointed out that Wheeler’s “proposed data security and opt-in requirements may target a very broad set of customer data and have an impact on the marketing activities of not only broadband providers, but others in the advertising ecosystem as well.”
She also said that though the fact sheet “attempts to limit the scope of the proposal’s applications, it is simply impossible to create these types of restrictive rules without creating a resulting ripple effect.” The new proposal also creates conflicting rules for ISPs, McMeley notes, “resulting in disparate treatment of consumer information.”
Halpert also expressed concern about the treatment of CPNI. “If they are deemed CPNI, would IP addresses merit strong protection? Does every piece of information within CPNI merit the same security requirements?” He said that if ISPs have to protect all forms of customer data equally, in light of elevated cybersecurity attacks on ISP networks, then it creates a bad atmosphere for risk prioritization.
McMeley anticipates push-back from industry on the data breach notification aspects of the NPRM. “I had hoped,” she said, “that the Commission would have taken this opportunity to bring its CPNI reporting obligations more in-line with state requirements, and while that may be one reason for push-back, I don’t think that will be the main reason.” She pointed out the time it takes for a breached company to properly investigate as well as prepare and deliver notices, and wondered whether that was in line with the proposed notification deadlines.
There will be support for the rules as well.
Assistant Visiting Professor at Georgetown Law Laura Moy, who also represents the Open Technology Institute on this issue, said she is also reserving final judgment about the rules until she sees the actual plan, “but based on this fact sheet, it seems the FCC is moving in the right direction – toward a privacy framework very similar to the rules that already apply to phone carriers, consistent with the statutory mandate that the FCC closely safeguard privacy on communications networks.”
“Of course, ISPs are not going to be happy to have to comply with strong privacy rules,” Moy said, “but this isn’t ‘discriminatory’ regulation, any more than are the strong, context-specific privacy rules that apply to health care providers, or those that apply to financial institutions.”
Others in the privacy field have already been working to inform the FCC and other stakeholders about how much access ISPs have to consumer data. Georgia Tech Prof. Peter Swire, CIPP/US, along with Justin Hemmings and Alana Kirkland, has published a working paper on ISPs and online privacy. In an email to The Privacy Advisor, Swire wrote, “I hope the Commission, as it considers these important issues, will consider our factual report.”
If the FCC does approve Wheeler’s NPRM, there will be plenty of comments from stakeholders across the ecosystem.
For Halpert, it comes down to one question: “If we are going to come up with solutions that really empower consumers, shouldn’t they work across the entire Internet ecosystem?”
We may soon find out.