U.S. President Donald Trump on Monday signed into law the repeal of the U.S. Federal Communications Commission's broadband privacy rules. The rules, a portion of which was scheduled to take effect March 2 before new FCC Chairman Ajit Pai put a halt to it, would have given the FCC authority to regulate broadband service providers on data security practices and a host of other data privacy considerations. The FCC's adoption of the rules in October 2016, was met with much criticism by the big broadband companies, including Comcast, AT&T and Sprint, who argued they were being unfairly regulated in ways inconsistent with the way other large data handlers were regulated by the principal privacy authority in the U.S. to date, the Federal Trade Commission.
But the rollback of the rules has been equally controversial.
Some say it creates a regulatory vacuum: While the FTC has enforcement authority over so-called "edge providers," using consumer data in ways similar to broadband carriers, a Ninth Circuit ruling last year exempted all common carriers from FTC enforcement action under Section 5 of the FTC Act. (The FTC is appealing that decision, and litigation is ongoing.) But others say the idea of a vacuum is false, and we need not worry about broadband carriers operating in a way that would violate consumers' expectations. Still others say it's likely that, in reaction to the rollback, the FTC will see its power to regulate common carriers restored via the repeal of the Section 5 exemption stripping it of that power.
While there are plenty who dismiss concerns about the rollback, FTC Commissioner Terrell McSweeny is not one of them. She said the rollback is bad for consumer privacy because the FCC rules would have protected consumers' choices about who gets to use their sensitive personal information.
"In the interest of not having any difference, we created an enormous difference. Now the edge provider is under FTC jurisdiction and our approach and our enforcement authority, while the common carriers are not." — FTC Commissioner Terrell McSweeny
She said while broadband companies had argued against the rules, citing they'd be unfairly regulated, "In the interest of not having any difference, we created an enormous difference. Now the edge provider is under FTC jurisdiction and our approach and our enforcement authority, while the common carriers are not. So in the name of trying to address discrepancy ... what's being created here is enormous discrepancy."
She added that concerns about personal information, rather than being regulated by the FCC, are now being shifted onto consumers' backs. That's unfair because "it's impossible for individuals to accurately audit the data security practices of the carriers they're using, that's not a thing we can do, so it isn't appropriate we bear all the liability for situations where the security practices aren't reasonable."
But a former government attorney, who asked not to be identified due to his involvement in ongoing litigation, said it's easy to determine whether the rollback is problematic. Just look at how many data security and privacy cases the FTC brought against broadband providers before the common carrier exemption of 2015, when it still had jurisdiction.
"The answer is none," he said. "There were no enforcement actions on privacy and data security issues against broadband providers."
That's because broadband providers have historically taken a cautious approach in handling customers' data, he said. "And the FCC will be looking for major problems that crop up, and I think that will ensure broadband providers continue to consider cautious approaches."
Shaq Katikala, CIPP/US, CIPT, FIP, of Morrison & Lee and previously with the National Advertising Initiative, said there's a lot of misinformation about what broadband providers are even doing with data. While it's legally possible to do things like sell an individual's granular browsing data, "There's terrible PR with that," he said. Rather, "What they sell are audiences." So data is aggregated and sold in packages. A carrier might sell the device IDs of 1,000 users between 25 and 35 years old who like shoes so the advertiser can send targeted ads. But the data isn't so granular as it's being reported, he said.
Davis Wright Tremaine Partner Christin McMeley, CIPP/US, agrees with Katikala.
"The ISPs have ongoing relationships with customers, so they do try to do privacy protective things because they want to make sure they’re treating their customers right," she said. "If you think about how much data is out there, they are not tracking their individual customers. They don’t want to know what Christin McMeley is doing; that’s not what they’re interested in. Unless of course there’s a warrant in place and the government is asking them where they’re going [online], but they're certainly not doing that for their own business purposes and certainly are not selling it that way."
Peter Karanjia, formerly deputy general counsel at the FCC and now a partner at Davis Wright Tremaine, said it's important to remember, too, that it's not like we've now entered an era of lawlessness. The FCC still has Section 222 of the Communications Act in its enforcement belt, which regulates telecommunications companies' handling of customer propriety network information (which is essentially PII in FCC speak). ISPs also acting as cable operators are obligated to abide by Section 631 of the Communications Act, as well, which regulates the protection of subscriber privacy.
"The fact that the privacy rules for ISPs have been nullified doesn't necessarily mean the FCC can have no role in protecting privacy moving forward." — Peter Karanjia, Davis Wright Tremaine, former FCC deputy GC
Karanjia said, in addition, "The fact that the privacy rules for ISPs have been nullified doesn't necessarily mean the FCC can have no role in protecting privacy moving forward." Sure, the rules that were in place have been killed by the bill signed by President Trump, but that "does not have the effect of precluding the FCC from adopting privacy rules of any kind." Rather, the new rules would simply have to be different than what had been previously adopted.
What kind of reactions will follow the rollback?
McSweeny is still hoping for consistency in the form of comprehensive, federal privacy legislation: "We don't think the FCC shouldn't act where it has authority and expertise, we just think it would be helpful if we had privacy legislation that was comprehensive so that we could establish the same approach."
But Karanjia said there's way too much happening in the federal government to roll back Obama-era rules for federal privacy legislation to take a front-seat.
"Bandwidth is limited at the moment," he said, adding that if there's legislative action in the communications space, it's probably going to be on net neutrality first. "I would not expect that type of far-reaching, fairly significant reform."
What seems most likely, according to a recent, joint-statement by FCC Chairman Ajit Pai and FTC Chairman Maureen Ohlhausen, is the FCC will give enforcement power back to the FTC.
"We still believe that jurisdiction over broadband providers’ privacy and data security practices should be returned to the FTC, the nation’s expert agency with respect to these important subjects," the two commissioners said. "All actors in the online space should be subject to the same rules, enforced by the same agency."
According to Katikala, that will happen via FCC re-classification of broadband providers so they aren't considered communications companies under Title II of the Telecommunications Act. Katikala said Pai is waiting for the FCC to fill the commission's remaining empty seats before taking action. And that's another reason why ISPs aren't going to suddenly start engaging in nefarious practices during this time of regulatory uncertainty. It won't be long, he said, before the FTC is running the show again. And companies know that.
Some say the FTC will regain enforcement power in the space via a repeal of the exemption on common carriers in the FTC Act. Maneesha Mithal of the FTC’s Bureau of Consumer Protection said the FTC has for several years “supported the repeal of the common carrier exemption in the FTC Act” and added the FTC should in fact “have jurisdiction over broadband.”
The former government attorney, however, doesn't see a repeal of the exemption happening in a standalone bill. But he said it could potentially get slipped into a bigger bill.
"That's how a lot of things get passed by Congress," he said, "something gets slipped into something else, and I think there will be more pressure to have that happen."
McSweeney wouldn't mind. She said she and Ohlhausen are both vocally in favor, as the exemption is at this point "anachronistic" and "no longer relevant in today's economy and marketplace."
Is it likely to happen? Well, "It takes an act of Congress," she laughs, as if to say: Not likely.
If you want to comment on this post, you need to login.