The Senate Committee on Commerce, Science and Transportation yesterday held a hearing on the Federal Communications Commission’s proposal to apply a new regime of privacy rules to broadband internet providers. On hand to testify were a slew of industry reps and academics.

The hearing follows the reclassification of broadband internet service as a telecommunications service under the FCC’s 2015 Open Internet Order, which shifted regulatory authority from the FTC to the FCC and ushered in the proposed rules in question.

The FCC says the rules are aimed at giving consumers choices about how internet service providers use their data as well as confidence their data is safe.

But some feel the rules are too top-down prescriptive. Major points of contention among witnesses at the hearing were the breadth of data-use restrictions included in the rules, specifically, the strict opt-in requirements for data sharing; the effect the rules would have on small and medium-sized ISPs serving rural areas, and the chilling effect the rules could have on innovation and competition.

The FTC, for its part, has contested the FCC’s proposed rules, in part because it says broadband service providers would be regulated more stringently than other services collecting and using the same kinds of data. On this, it says in its comments, “The outcome is not optimal.”

Former FTC Chairman Jon Leibowitz, now a partner at David, Polk & Wardwell and co-chair of the 21st Century Privacy Coalition, a group of leading communications companies, testified that instead of creating new privacy rules for broadband companies, the FCC would be wise to lean on the FTC’s privacy framework of 2012.

“Unfortunately … in many important areas the rules deviate sharply from that approach, demonstrating both the FCC’s lack of experience in the privacy area, and its failure to fully consider and test the likely impact of its proposed rule on consumers and ISPs alike during the course of its drafting process,” Leibowitz said.

He said the proposal’s default opt-in requirement in order for ISPs to share customer data with unaffiliated services should be restricted to just sensitive data, not all PII, and he said the proposal’s restrictions on first-party use of data will rob companies of their abilities to better serve their own customers through products and offers. 

While the FCC cites the visibility ISPs have into consumers’ lives as reason for the strict rules, Leibowtiz said it’s more important to look at the sensitivity of the data being collected than the type of entity collecting the data. He further called for a redrafting of the proposal, citing the importance of smart rulemaking on privacy right now, given that the U.S. and EU are negotiating cross-border data transfers including the recently passed Privacy Shield, and the rest of the world is watching.

Dean Garfield is president and CEO of the Information Technology Industry Council, and echoed many of Leibowitz’s concerns. He said there’s no need to deviate from the work the FTC and NIST have done on privacy and cybersecurity. In a sort of “if it ain’t broke, don’t fix it”-themed testimony, Garfield said the FCC’s approach is inconsistent with best practices and assumes there’s a need to “rework all the rules wholecloth.”

When Professor Paul Ohm of Georgetown Law asserted the U.S. is distinct in its lack of privacy regulations, Garfield answered, “The U.S. is distinct, but not deficient.”

But Ohm disagreed with Leibowitz and Garfield, saying there is a deficiency. He cited a study which found people already hesitate to conduct Web searches the way the want to because they’re concerned about who’s watching and who they’re selling that data to. He called the FCC’s proposal “wise” and a “modest set of requirements” given that broadband providers are the “gatekeepers” to the rest of the Internet and therefore should be held to heightened privacy standards.

Garfield and Leibowitz argued ISPs shouldn’t be regulated differently than other data collectors, but Ohm said that’s long been true. Look at the way hospitals and doctors are regulated by HIPAA, for example, or the way financial institutions are regulated by GLBA, educational institutions by FERPA. Sensitive data, he said, deserves special rules.

“Where you go online every day, all day long, is as sensitive as health information,” he said. “This is merely an opportunity for a meaningful contractual relationship with your ISP. In my mind, the most important feature of this rule is an opt-in world. You have the comfort of not having to worry about this. Your choice by default is not to be tracked.”

Matthew Polka testified on behalf of the American Cable Association. Half of the companies he represents have 10 or fewer employees, providing broadband to rural America. He said the rules would require ISPs to appoint a senior privacy officer.

“When you have 10-12 employees, we’re going to be looking around saying, ‘Do you want it?’ Because it’s going to be hard to fill,” he said.

In the end, Leibowtiz said, no bill gets signed into law without getting stress tested. He said final rules are generally more balanced than proposed ones. This one is no exception: “I have serious questions about whether it would withstand Constitutional scrutiny.”

For now, the industry has to wait to see what the final rules will say. Since it welcomed public comments in March, the FCC has received 276,434 filings. Now that the comment period closed, July 6, the FCC must decide what advice to heed and what to ignore.