The U.S. Federal Communications Commission voted 2-1 Wednesday to halt a portion of the agency's consumer privacy rules. Set to take effect Thursday, March 2, the rule would have required internet service providers to implement reasonable data security around consumer data, including Social Security numbers, browsing history, and geolocation data.
Since being appointed head of the FCC, Ajit Pai has made it clear the agency would roll back the privacy rules approved in 2015 by former FCC Chairman Tom Wheeler and the then-Democrat-led commission. Wednesday's vote puts a temporary stay on the data security portion of the privacy rules and will be in place until the FCC votes on a reconsideration of the regulations.
In a joint statement, Acting Federal Trade Commission Chairman Maureen Ohlhausen and Pai said the data security portion of the rules "is not consistent with the FTC's privacy framework." And though both agencies "are committed to protecting the online privacy of American consumers," it should be done through "a comprehensive and consistent framework." They said Americans "shouldn't have to be lawyers or engineers to figure out if their information is protected differently depending on which part of the internet holds it."
Davis Wright Tremaine Partner and former CPO at Charter Communications Christin McMeley, CIPP/US, told Privacy Tracker in emailed comments that "the stay is not a good or a bad thing - it retains the status quo. As the Commission pointed out, ISPs have been obligated to comply with Section 222 of the Communications Act; the FCC's interim guidance; and other applicable federal and state privacy, data security, and breach notification laws. This will continue, even under the stay of the rules."
Ohlhausen and Pai said they "disagreed with the FCC's unilateral decision in 2015 to strip the FTC of its authority" over telecommunications companies, and both agreed "jurisdiction over broadband providers' privacy and data security practices should be returned to the FTC."
Pai and Ohlhausen, however, said, "We agree that it is vital to fill the consumer protection gap created by the FCC in 2015, and today's action is a step toward properly filling that gap" and that it doesn't serve consumers to have "two distinct frameworks - one for internet service providers and one for all other online companies."
The lone Democrat on the FCC, Commissioner Mignon Clyburn, issued a strong dissent on Wednesday's vote. "In this Order," she wrote, "the majority fells a tree to ostensibly prune a branch." Ultimately, Clyburn argues the order "is but a proxy for gutting the Commission's duly adopted privacy rules — and it does so with very little finesse."
Clyburn notes the FCC privacy rules are not wholly inconsistent with FTC standards. "Both agencies require only reasonable data security measures, with caveats for the sensitivity of the data, size of the company, and technical feasibility," she writes.
McMeley said, "It was interesting that, in Clyburn's dissent, she referenced the announcement from a major content distrubution network that revealed 'private data of millions of users from thousands of websites had been exposed for several months.' The FCC's data security rules would not have applied to that entitity, and if such a breach happened to an ISP, the ISP would have had the same obligations to notify that the media company did."
In a series of tweets, the FTC's McSweeny questioned the logic of the stay, as well. Like Clyburn, she argued the move shifts risk onto consumers.
— Terrell McSweeny (@TMcSweenyFTC) February 28, 2017
— Terrell McSweeny (@TMcSweenyFTC) March 1, 2017
Agree it is vital to fill the consumer protection gap - but why deepen it in the process? This approach shifts all the risk onto consumers. https://t.co/FlxgKgvITv
— Terrell McSweeny (@TMcSweenyFTC) March 1, 2017
Pai and Ohlhausen, however, said, moving "forward, we will work together to establish a technology-neutral privacy framework for the online world. Such a uniform approach is in the best interests of consumers and has a long track record of success."
Davis Wright Tremaine's McMeley said she agrees there is a role here for both agencies, and that the joint statement acknowledges this. She believes the goal is to provide harmonization, "which will benefit consumers and industry, alike." She said the FCC's reasonable security standards, though appearing to be in harmony with the FTC's definition, "were really much more expansive." The FCC's definition, for example, included URLs with a persistent identifier. "Arguably," she pointed out, "telecom providers would have had to apply the same security to databases that contained that information as they applied to databases that contained payment card numbers and Social Security numbers. When you apply heightened security to such a broad swath of information, it actually reduces your security posture."
McMeley also said the rules left a lot of ambiguity around enforcement. "When enforcing against 'unfair' acts and practices, the FTC has to show that there was unavoidable harm to the consumer that was not outweighed by benefit to the public. The FCC did not commit to any such standard, and I think we will now see a very focused attempt by the current commissions in determining what acts and practices actually result in harm to consumers, and how to create technology-neutral safeguards that consumers can rely on no matter where they are on the internet."
If you want to comment on this post, you need to login.