Information Privacy Law Blog Post

Joshua R. Fattal

Professor Ira Rubinstein

February 28, 2017

Reasonable or Unreasonable: FCC’s Privacy Rule for ISPs

The new Republican majority on the Federal Communications Commission is planning to halt implementation of a privacy rule that was unveiled this fall alongside the more heavily publicized requirement that ISPs get opt-in consent before sharing Web data and other consumer information with third parties. The part of this privacy order now at issue would require ISPs and phone companies to take “reasonable steps” to protect customer proprietary information, such as Social Security numbers, financial and health information, and Web browsing data, from unauthorized use, disclosure, or access—aimed at preventing theft and data breaches.

These security obligations are scheduled to take effect on March 2, but the new chairman, Ajit Pai, is looking to act on a request to stay this rule before then. Procedurally, Pai has little standing in his way because even if a majority of the commissioners supported keeping the rule in place, he can personally guide the FCC’s Wireline Competition Bureau to hold off on implementing the rule.

Pai’s argument for rescinding this part of the rule is that ISPs should not face stricter rules than online providers like Google and Facebook, which are regulated by the Federal Trade Commission. Instead, he supports a “technology-neutral policy framework for the online world” that is based on the FTC’s standards, and argues that the FTC standard should apply to everyone, saying “it did not matter whether an edge provider or internet service provider obtained your data.” But unless ISPs are reclassified, they will not be protected under FTC rules because the FTC is barred from regulating common carriers.

The FCC privacy rule notably does not mandate any specific data security practices. It identifies four factors that a provider must take into account when implementing data security measures: the nature and scope of its activities, the sensitivity of the data it collects, its size, and technical feasibility, though it notes that “no one factor, taken independently, is determinative.” The rule also supplies recommendations such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework and best practices recommended by the FCC’s Communications Security, Reliability, and Interoperability Council, but stresses that following these standards is voluntary, and that providers retain the option to use whatever risk management approach best fits their needs.

When the privacy rule was originally announced and approved, former Chairman Wheeler had argued in favor of it in light of the fact that ISPs are uniquely capable of collecting consumers’ Internet traffic because they can monitor everything that happens over the connection, and because customers have difficulty voluntarily switching ISPs (unlike web browsers, which they can switch voluntarily). The FTC itself has recognized these heightened concerns regarding ISPs in its March 2012 Protecting Consumer Privacy in an Era of Rapid Change report, and has supported the FCC’s ruling, noting that consumers will be better protected under the FCC’s standards than they would be under the FTC, which does not have rule-making authority.

In light of these arguments, while Chairman Pai is correct in pointing out the significant appeal of a uniform standard—something that the 2015 draft Consumer Privacy Bill of Rights as well as the above-mentioned FTC report have also called for—this privacy rule continues to offer ISPs flexibility while still making sure reasonable security measures are undertaken.

Some privacy advocates, even though they oppose the pending stay, say Pai’s move could discourage Congressional Republicans from taking the drastic step of revoking the entire privacy order. If Congress were to rescind the rules under the Congressional Review Act, then the FCC would not legally be allowed to replace them with other rules covering ISP protection. And while Chairman Pai may believe the FTC’s “unfair or deceptive” standard is more flexible and therefore preferable to this proposed reasonable care standard for ISPs, customers would surely be the ones left to suffer the consequences if there were no standards for ISPs at all.

Related documents:

http://transition.fcc.gov/Daily_Releases/Daily_Business/2017/db0224/DOC-343623A1.pdf

https://apps.fcc.gov/edocs_public/attachmatch/FCC-16-148A1.pdf

Sources for more information:

https://arstechnica.com/tech-policy/2017/02/isps-wont-have-to-follow-new-rule-that-protects-your-data-from-theft/

http://www.consumerreports.org/privacy/new-fcc-chair-plans-to-block-net-privacy-rule/

http://www.mediapost.com/publications/article/295886/fcc-to-block-portion-of-broadband-privacy-rules.html