Congress and President Trump dismantle Obama Administration rule aimed at bolstering Internet privacy.
The average Internet user engages in a host of online activities, from reading the news to shopping. But few users know that Internet service providers (ISPs)—the companies that provide the online connection—have near complete access to users’ online activity. They can track the websites you visit, the apps you use, and if you own a mobile device, even your physical location.
Few users may also know that recent legislation passed by Congress—and signed by President Trump—has overturned key regulations intended to prevent ISPs from sharing private user data with third parties without users’ consent.
The rule by the Federal Communications Commission (FCC) was enacted under the Obama Administration and required broadband ISPs to protect customers’ sensitive browsing data. Originally adopted in October 2016, the rule established a framework that required broadband ISPs to obtain affirmative “opt-in” customer consent before they used or shared their customers’ sensitive Internet data—including precise geo-location information, financial information, health information, children’s information, web browsing history, app usage history, and the content of communications. The rule included transparency requirements that instruct ISPs to provide customers with “clear, conspicuous and persistent notice” about the information collected, how it is used, and with whom it is shared. Additionally, the rule outlined steps that ISPs could take to protect consumer privacy and required ISPs to take “reasonable” steps to protect sensitive customer data.
In late March 2017, the U.S. Senate passed a joint resolution introduced by U.S. Senator Jeff Flake (R-Ariz.) to repeal the FCC rule, expressing the Senate’s view that the rule should be given “no force or effect.” The Senate passed the measure in a 50-48 vote along party lines, with Republicans voting in favor and Democrats opposed. The U.S. House of Representatives passed similar legislation less than a week later.
The House and Senate voted to repeal the rule using their authority under the Congressional Review Act (CRA), which allows Congress to repeal certain regulations if a joint resolution is passed by both the House and Senate and signed by the President. Intended as a check on federal agencies, the law gives Congress the power to review and revoke recent regulations that were adopted under the prior administration.
In introducing legislation to repeal the FCC rule, Sen. Flake asserted that the rule would impose data restrictions on ISPs that could hurt both consumers and Internet innovation. Moreover, he stated that the legislation halts the unnecessary expansion of FCC jurisdiction that occurred under the Obama Administration by taking “the first step” toward restoring the Federal Trade Commission’s (FTC) “light-touch, consumer-friendly approach,” which otherwise applies in the absence of FCC rules.
Sen. Flake also argued that the FTC has been America’s sole online privacy regulator for more than two decades, and he asserted that the agency has an effective, evidence-based approach to online privacy and data protection—evidenced by the increasing number of people who engage in online activity. But when the FCC reclassified broadband ISPs as “common carriers” in February 2015—a move that allocated greater authority over ISPs to the FCC—it “unilaterally stripped” the FTC of its ability to regulate ISP treatment of consumer data privacy. According to Sen. Flake, the FCC’s creation of a new privacy standard represents “a dangerous deviation” from the FTC’s previous regulatory practices and creates a confusing two-track system where the FCC applies its own rules to ISPs while the FTC monitors the rest of the Internet.
The recently installed Chairman of the FCC, Ajit Pai, echoed these sentiments in his explanation of the Commission’s recent decision to suspend the requirement under the FCC’s privacy rule that ISPs take “reasonable measures” to protect sensitive customer information. In a statement released less than a week before Sen. Flake introduced his resolution under the CRA, Pai argued that a comprehensive and consistent regulatory regime would best protect the online privacy of American consumers, rather than the two different standards that the FTC and the FCC currently have in place. Americans are concerned with their “overall privacy” online, Pai explained, and “they shouldn’t have to be lawyers or engineers to figure out if their information is protected differently depending on which part of the Internet holds it.”
Nevertheless, several public interest groups and other commentators have criticized the recent moves by the FCC and congressional Republicans.
U.S. Senator Brian Schatz (D-Hawaii) has warned against the potential ambiguity that overturning the FCC privacy rule could create. If Congress passes the resolution, Schatz stated, “neither the FCC nor the FTC will have clear authority when it comes to how Internet Service Providers protect consumers’ data privacy and security.” Sen. Schatz asserted that “allowing ISPs to operate in a rule-free zone without any government oversight is reckless.”
Eric Null, Policy Counsel at the Open Technology Institute, similarly argued that repealing the FCC rule allows for greater intrusion into sensitive customer data, precisely because it relies on the FTC’s privacy standards. Reportedly describing the FTC regime as a weaker and broader “lowest common denominator” approach, Null explained that the reach of the FTC’s regulation would depend on the extent to which an ISP is acting deceptively—that is, whether the ISP is informing its customers of its practices. In contrast, the FCC’s regulatory mandate over ISPs gives it greater ability to ensure that privacy practices are fair, as opposed to simply making sure that ISPs inform consumers about their policies.
The “opt-in” consent requirement of the FCC rule was originally scheduled to take effect on December 4, 2017. But now—because of the rule’s repeal under the CRA—neither the FCC rule nor “a new rule that is substantially the same” can be issued again unless it “is specifically authorized by” future legislation.