The U.S. House of Representatives passed a bill on 28 March 2017 eliminating some Federal Communications Commission (FCC) jurisdiction over online users’ private data, most notably information about their “web browsing and app usage.”
The measure, which has been supported by President Donald Trump, dictates through the Congressional Review Act (CRA) that the FCC’s December 2016 directive regarding Rules to Protect Broadband Consumer Privacy “shall have no force or effect.” It also forbids the FCC from instituting similar regulations in the future.
Sen. Jeff Flake (R-AZ), who first introduced the bill wrote in a Wall Street Journal op-ed that the FCC had conducted a “power grab” against the Federal Trade Commission (FTC) and criticized that agency for placing internet service providers (ISPs) under rules that deviated from what he called the FTC’s “successful sensitivity-based model”:
The FCC rules subject all web browsing and app usage data to the same restrictive requirements as sensitive personal information. That means that information generated from looking up the latest Cardinals score or checking the weather in Scottsdale is treated the same as personal health and financial data.
The new rules also restrict an ISP’s ability to inform customers about innovative and cost-saving product offerings. So much for consumer choice.
The FCC’s overreach is a dangerous deviation from successful regulation and common-sense industry practices. But don’t just take my word for it. The FTC concluded that the FCC’s decision to treat ISPs differently from the rest of the internet ecosystem was “not optimal”—agency-speak for “a really bad idea.”
Flake’s statement made reference to recommendations the FTC submitted to the FCC in May 2016, which included this assessment:
FTC staff is mindful that the FCC’s proposed rules, if implemented, would impose a number of specific requirements on the provision of BIAS services that would not generally apply to other services that collect and use significant amounts of consumer data. This outcome is not optimal.
The FTC recommended that ISP consumers should have the chance to “opt in” or “opt out” of sharing their information with their Internet service providers based on the sensitivity of the data they wanted to share.
Online advocacy groups such as the Electronic Frontier Foundation (EFF) and the Center for Democracy and Technology (CDT) have already criticized Flake’s bill. The CDT said in a statement that the FCC’s rule fulfills Congress’ mandate regarding “information privacy and security”:
The Commission is the only agency with Congressional authority to ensure that internet service providers (ISPs) protect the confidentiality of the vast amounts of data they collect as a result of providing internet access. Reversing the broadband privacy rules would create enormous uncertainty regarding privacy and security protections for the sensitive personal information broadband customers must share with their ISPs.
Ernesto Falcon, the EFF’s legislative counsel, cited a September 2016 ruling from the 9th U.S. Circuit Court as reason for concern over the measure.
In that ruling, the court held that because AT&T is a telecommunications company — one of several industries known as “common carriers” — it is exempt from FTC regulations concerning “unfair or deceptive acts or practices in or affecting commerce,” an exemption that applies to its Internet service as well. Of that decision, Falcon noted:
For the states that are bound by the Ninth Circuit’s decision (that is Arizona, Alaska, Hawaii, California, Idaho, Montana, Nevada, Oregon, and Washington) it is in fact the law that the FTC cannot act to protect consumers from deceptive acts by the cable and telephone industry. In other words, the cable and telephone industry could not only harvest your personal information but they do not have to be transparent about their activity. They can even go so far as being deceptive without facing repercussions from the federal consumer protection agencies.
Falcon told us in a 14 March 2017 interview that if other circuit courts follow the Ninth’s precedent, the FTC could be prevented from exerting any authority over broadband Internet service providers:
It would require the ISP to essentially look at your data and make that judgement call — “OK, looks like it’s getting into sensitive territory” — or not. The FCC decided to make it a lot more clear: ‘OK, browser history? Off the table.” That way you don’t have an ISP essentially saying, “Let me look at your stuff … OK that looks sensitive, I’ll stop looking now.”
According to the FCC’s rules, “sensitive customer personal information” includes not only Social Security numbers, financial and health-related data, but web browsing history, content of users’ online communications, and “the functional equivalents of web browsing history or application usage history.” ISPs can still collect such data, the commission found, even if users employ encryption techniques.
“We find that because broadband providers are able to view vast swathes of customer data, customers must be empowered to decide how broadband providers may use and share their data,” their rule stated.
Flake’s bill was co-sponsored by 23 fellow senators, all of them Republican. Rep. Marsha Blackburn (R-TN) introduced the House resolution. However, 15 of her GOP colleagues voted against the measure.
We have contacted Senator Flake’s office seeking additional comment on the measure but have not yet received a response.