Author: Ashley Jacques

  • Leland Chang Blog Post

    Leland Chang

    Information Privacy Law

    Professor Ira Rubinstein

    March 21, 2017

    Alexa – Amazon’s internet connected home assistant device, man’s new best friend or law enforcement’s greatest spy.

    Prosecutors in Arkansas have issued a warrant against Amazon to hand over data Alexa may have gathered on its owner, James Bates, a murder suspect. Amazon refused and has filed a motion to quash the search warrant; in a statement, the company said it “will not release customer information without a valid and binding legal demand properly served on us. Amazon objects to overbroad or otherwise inappropriate demands as a matter of course.”

    This case puts the spotlight on several interesting issues. First are the implications of “always on” machines and the data they gather. Amazon insists “always on” is a misnomer, because while Alexa is always listening for the programmed wake words to activate, prior to activation the inputs it receives are not uploaded to the cloud nor are they recorded. However, as technology advances and more microphones are put into more devices operated through the Internet of Things, it seems more likely data will leak through. Second is how this changes a consumer’s reasonable expectation of privacy, especially in the sanctity of one’s own home (which is under the purview of 4th amendment protection). Data is collected from physical conduct inside the house, but also collected and stored in the hands of a third party. Third is the precedent this case sets for digital rights. Amazon objects to the warrant that they deemed to be “overbroad”, but what then is the standard that prosecutors must meet? Technology companies, like Amazon, must learn to thread the needle between complying with legitimate warrants that will bear relevant evidence and protecting the data and rights of their consumers.

    The Prosecutor intends to file a response to Amazon’s motion. Even though this case is about a murder, tech companies, privacy experts, and digital rights enthusiasts will be wise to follow closely.

     


  • Joyce Chang Blog Post

    Joyce Chang

    Information Privacy Law

    Professor Ira Rubinstein

    March 21, 2017

    As part of a broader government reaction to recent eruptions of deadly violence in the region of Xinjiang, Chinese authorities have ordered all drivers there to install a Chinese-made satellite navigation system in their vehicles. Under this compulsory measure, all private, secondhand, and government vehicles as well as heavy vehicles such as bulldozers and big rigs in Bayingolin Mongol Autonomous Prefecture must install the navigation system by June 30, 2017. Drivers who refuse to do so will not be allowed to buy fuel at gas stations.

    According to official announcements, the new requirement is intended to help the government “ensure social security and safety and promote social stability and harmony.” More specifically, the rule is aimed at helping authorities track people in a vast but sparsely populated region where ethnic tensions have given rise to regular terrorist attacks. Government officials have pointed to cars as a key means of transport for terrorists and a consistent weapon of choice when justifying the need to monitor and track all vehicles in the area.

    Because this new measure will eventually affect hundreds of thousands of vehicles in the prefecture, the government will be able to add a large amount of personal data by way of tracked vehicle movements to its existing records of its citizens. The scope of this measure greatly increases the reach of government surveillance. The government’s ability to access and use the location and movement data is also guaranteed by the fact that the vehicle-tracking program will use China’s homegrown Beidou satellite navigation system instead of the U.S. Global Positioning System (GPS).

    The intrusiveness of location tracking, especially of permanent long-term location and movement monitoring, is apparent, but individual privacy in China consistently cedes ground to security concerns. This issue is not limited to China alone as governments around the world struggle to strike a balance between privacy and security concerns. However, given China’s ability to pass and enforce security measures with relative ease and its recent investments into both low-tech and hi-tech methods of surveillance, it seems as if it is only a matter of time before there is little individual privacy, if any, left in the country.

    Sources:

    http://www.bbc.com/news/world-asia-china-39038364

    https://www.nytimes.com/2017/02/24/world/asia/china-xinjiang-gps-vehicles.html?_r=0

    https://chinadigitaltimes.net/2017/02/gps-car-tracking-military-rallies-follow-xinjiang-attack/

    https://www.theguardian.com/world/2017/feb/21/china-orders-gps-tracking-of-every-car-in-troubled-region

  • Alex Siegel Blog Post

    Alex Siegel

    Information Privacy Law

    Professor Ira Rubinstein

    March 21, 2017

    Judge Gorsuch and the Fourth Amendment

    United States Supreme Court nominee Neil Gorsuch is perhaps best known for being two things: a controversial replacement for President Barack Obama’s candidate, Merrick Garland, and a judge selected precisely because his jurisprudential philosophy hews strongly conservative. However, when it comes to the Fourth Amendment – an especially unsettled body of law given advancements in modern technology – Gorsuch’s record has proven less predictable than his generally originalist philosophy might suggest.

    While Gorsuch has sided with the government more often than not (which is the case for most appellate judges across the ideological spectrum), his record includes various instances in which Gorsuch sided with citizens against unlawful government searches. Gorsuch has diverged from a traditionally conservative law-and-order approach to the Fourth Amendment by siding with a child pornography trafficker (United States v. Ackerman) and a methamphetamines user (United States v. Carloss) who were both subjected to searches that Gorsuch found objectionable.

    Moreover, while Gorsuch has extended Justice Scalia’s common law trespass approach to the Fourth Amendment with respect to searches of homes and personal property, he has favored something closer to a totality of the circumstances test when ruling on Terry stops.

    Scalia believed the reasonable-expectation-of-privacy test developed in U.S. v. Katz was an addition to the common law trespass test, not a substitution for it. Gorsuch has held similarly in cases where personal property has been subjected to an alleged search, applying the trespass test in both the physical (Carloss) as well as digital (Ackerman) realms.

    However, in United States v. Nicholson, Gorsuch dissented from the majority’s view that an officer’s mistake of law could not justify a Terry stop. He advocated for a case-by-case approach to determine whether the government had acted reasonably given the circumstances, taking into account the possibility of human error. Gorsuch’s minority approach, later adopted by the Supreme Court in Heien v. North Carolina, suggests a reluctance to use an originalist method to limit government discretion with respect to Terry stops. Gorsuch has regularly sided with law enforcement in their use of stops and seems more protective of the current doctrine, with all its discretion, than he is of traditional common law notions of trespass.

    While Gorsuch’s Fourth Amendment jurisprudence certainly indicates a law-and-order approach, his views aren’t as consistently conservative as Scalia’s were. His record doesn’t indicate an interest in developing a unified originalist approach to the Fourth Amendment. Moreover, unlike Scalia, who was predisposed to finding exceptions to the trespass test for law enforcement efforts (as he did in Florida v. Jardines and United States v. Jones), Gorsuch has proved more willing to view law enforcement searches with some level of skepticism.

    Sources:

    https://www.nytimes.com/2017/02/02/us/politics/neil-gorsuch-supreme-court-fourth-amendment.html?_r=0

    https://www.stanfordlawreview.org/online/spotlight-fourth-amendment/

    http://www.scotusblog.com/2017/03/gorsuch-fourth-amendment/

  • Christian Abouchaker Blog Post

    Christian Abouchaker

    Information Privacy Law

    Professor Ira Rubinstein

    March 21, 2017

    Fourth Amendment Protection and “Smart” Homes

    While the use of smart meter technology in homes across the country offers notable benefits with respect to energy monitoring and cost reduction, it also gives rise to important privacy concerns.

    In Naperville Smart Meter Awareness v. City of Naperville, a federal district court in Illinois held that there is no reasonable expectation of privacy in data collected by smart meter devices, and that such data is outside the scope of Fourth Amendment protection. In this case, the Naperville Smart Meter Awareness Association (NSMA) alleged that the City’s installation of smart meters constituted an unreasonable search and an invasion of privacy under the Fourth Amendment. Smart meters collect energy use data at high frequencies, typically every 5, 15, or 30 minutes. In doing so, smart meters provide aggregate measurements of a household’s electrical usage. NSMA further alleges that smart meters have the capability of capturing detailed information about electricity usage, such as remote daily tracking of time patterns and power loads associated with power usage, therefore providing information about the personal details of a person’s private life. However, the Court held that NSMA members had no expectation of privacy in the aggregate measurements of their electrical usage. The court’s decision is based on the presumption that data collected from smart meters is no more informative than the data collected by analog meters.

    This case is currently on appeal to the U.S. Court of Appeals for the Seventh Circuit. EFF and Privacy International have requested to file a brief addressing the broader impacts of the District Court’s decision. In their brief, EFF and Privacy International offer that smart meter data constitutes “intimate information regarding a person or family’s private, in-home activities”, given the time granularity of such data (i.e. a reading every 15 minutes, or 2,800 readings in a 30-day month). Given the intimate nature of this information, it is argued that smart meter data should be afforded the utmost Fourth Amendment protection. Further, the brief presents data from a normative inquiry into Americans’ privacy expectation surrounding data regarding their in-home activities, which indicates that Americans are particularly concerned about the privacy of data tied to their homes. Based on these findings, and given that certain states have enacted laws protecting data collected via smart meters (e.g. Cal.Pub.Util.Code §§ 8380–8381 prohibits utilities from sharing or disclosing customers’ consumption data to third parties without consent, and also requires the maintenance of “reasonable security procedures”, including encryption, for consumers’ electricity usage data), EFF and Privacy International allege that there is a reasonable expectation of privacy with respect to smart meter data.

    Considering that more than 40% of American households currently have a smart meter, and that this figure is expected to reach 80% by 2020, the outcome of this case will have significant implications for the privacy of Americans.

    Sources:

    https://www.eff.org/deeplinks/2017/03/illinois-court-just-didnt-get-it-we-are-entitled-expect-privacy-our-smart

    https://www.eff.org/document/naperville-smart-meter-awareness-v-naperville-eff-and-privacy-international-amicus-brief

  • Mason Fitch Blog Post

    Mason Fitch

    Blog Post

    Professor Ira Rubinstein

    March 21, 2017

    The California legislature is considering a bill that would remove California’s leading privacy protections—passed in a bill dubbed “CalECPA”—from school halls. A.B. 165, introduced by Assemblymember Jim Cooper, is short: all it says is that CalECPA does not apply to local educational agencies or individuals acting on their behalf.

    CalECPA, heralded as the nation’s best digital privacy law, prohibits a government entity from compelling the production of or access to electronic communication information without a warrant. The protections apply to both data and metadata.  Largely, CalECPA extends the privacy protections afforded to physical belongings to the digital arena.

    As the EFF and other privacy watchdogs have pointed out, passage of A.B. 165 would have dangerous implications for California’s students and parents. As described more fully in the linked article below, removing CalECPA protections from schools would mean that any teacher, administrator, or staff member could conduct an almost unlimited search of a student’s digital presence. It hardly needs to be pointed out at this point, but our digital devices contain an extraordinary amount of extremely sensitive information. Gone are the days where the most embarrassing thing a teacher could do is read aloud what you passed in a crumpled note to your friend across the aisle; the passage of A.B. 165 would give school employees access to anything from your geolocation history to your health information, not to mention personal messages and pictures.

    The disappearing communications platform Snapchat, already immensely popular among students, may become even more popular (and necessary) should A.B. 165 gain passage in the California legislature.

    Even more troubling is the bill’s application to individuals acting on behalf of the educational organization. A.B. 165 would allow on-campus police officers to search students’ digital devices, and there are no limitations on how that information is shared. An undocumented student’s status may be revealed through such a search, and there’s nothing to stop the person conducting the search from sharing that information with federal officials.

    Schools often reside in a special zone when it comes to student privacy as there are special concerns about student safety and development. Every individual, however, maintains an interest in some modicum of privacy; giving school officials unrestricted access to students’ digital lives—often inseparable from their physical lives—may be a step too far.

    https://www.eff.org/deeplinks/2017/03/dangerous-california-bill-would-leave-students-and-teachers-vulnerable-warrantless

  • Jorge Peniche Baqueiro Blog Post

    Jorge Peniche Baqueiro

    Information Privacy Law

    Ira S. Rubinstein

    March 7, 2017

    The EU and US approaches on privacy issues: the battle could escalate even more but find some convergence

    Yale law professor James Q. Whitman has described the differences between privacy law approaches in the United States and Europe as a clash that actually has deeper roots. The core of the conflict is found, he argues, in the consideration that these cultures respectively give to the fundamental values of liberty and dignity – a matter deeply connected with their particular experiences, sufferings and traumas through history.

    The distinction is not merely theoretical, however. It has provoked some tensions, costly litigation and trade battles during the last decades following the rocketing of transatlantic data traffic. The battle may have reached a new stage last year with the enactment, by both the European Parliament and Council, of the Regulation (EU) 2016/679. The General Data Protection Regulation (GDPR) will take effect on May 24, 2018 and it will repeal former Directive 95/46/EC.

    Those experts in EU law know that the opted legal design and architecture is not only about semantics with regard to the use of the word regulation instead of directive. The GDPR aims to create a more unified framework, binding on the State parties, that substitutes the bunch of domestic legislations promulgated in implementation of the former directive.

    This battle has seen some remarkable episodes and also some interesting truces. First, to guarantee adequate levels of protection and allow personal data to be sent to “third countries” outside the scope of the former directive, i.e. the European Economic Area, the US-EU Safe Harbor Framework was developed between 1998 and 2000. The European Commission then issued a crucial decision endorsing the “safe harbor scheme” by stating that US companies certified as meeting EU requirements were allowed to transfer data from the EU to the US. Nevertheless, the European Court of Justice held recently, in 2015, that the “Safe Harbor Decision” was invalid. As a consequence, the EU-US Privacy Shield was announced by both sides last year in order to provide stronger protections.

    The GDPR introduces significant novelties and constitutes indeed a milestone towards a more robust protection. To mention a few: a broader scope of application for data controllers established outside the Union and stricter “valid consent” controls. But as the due date approaches and some ongoing litigation cases are now being discussed in the American courts, some have raised concerns about the coming storm on the horizon.

    Ricci Dipshan, writing last February for the renowned legal news website “Law.com”, pointed out the issue of litigation-related international data transfers: new perils will be faced when personal data must be transferred from the EU to the US for use in e-discovery.

    In short, the GDPR forces e-discovery practitioners in the US to target the data subject to discovery in a narrow fashion. This imperative is certainly at odds with the common US practice of taking wholesale data sets and moving them into the e-discovery process. Proportionality is the new king of the hill.

    Practitioners Christian Schröder, Jeffrey McKenna and Renne Phillips have sailed into the GDPR sea in the search for options.  They argue that articles 46 and 49 provide the most useful mechanisms for transfers to the US during discovery. EU Standard Contractual Clauses (SCCs), as proposed by the EU Commission, could be a good alternative for facilitating data transfers for smaller companies or one-off data transfers. On the bright side, as Article 49(1) didn’t include a restriction commonly used on domestic implementing legislations, there seems to be room to argue in favor of pre-trial discoveries as opposed to the concept of transfers only allowed for “pending litigation” and not mere controversy between the parties.

     

    Although the main recommendation is a careful case-by-case assessment, which just for this reason seems to foster the deterrent goal pursued by the GDPR, Brian Corbin, assistant general counsel of legal discovery management at JP Morgan Chase & Co, notes that there is nothing new under the sun. Under the 2015 amendments to the Federal Rules of Civil Procedure and its similar requirement of proportionality in e-discovery there is sufficient overlap to have a good starting point for US practitioners and companies to approach data collection under the GDPR.

    Probably there are more episodes to come in the battlefield of the way privacy law is understood in the US and the EU. Still, there seems to be also a compromise point, beneficial for the citizens indeed.

    For more information

    http://www.lexology.com/library/detail.aspx?g=27ae467a-e2ed-4efc-ba4d-16d74c95e661

    http://www.law.com/sites/almstaff/2017/02/06/the-storm-on-the-horizon-4-things-to-know-in-prepping-for-general-data-protection-regulation/?slreturn=20170206133625

  • Joshua Shirley Blog Post

    Joshua Shirley

    Information Privacy Law

    Professor Ira Rubinstein

    March 7, 2017

    Privacy Blog Post – GDPR Compliance with Risk Management

    Despite the General Data Privacy Regulation having the force of law, Gartner has issued two different predictions that less than 50% of organizations covered by the law will be in compliance by the 25 May 2018 deadline. A recent Dell survey also found that only 3% of those covered had finalized a strategy to be compliant while 37% had started such a strategy. Ergo 60% – a majority of entities covered by the regulation – currently have no plan to be compliant. By all accounts, being compliant with the new GDPR obligations will require adjustments from the majority of covered entities that are so extensive, the groundwork for compliance ought to be underway, so industry’s sluggish reaction is raising some eyebrows.

    However, at least some experts remain convinced that the GDPR is already changing and will continue to influence industry behavior. Speaking at an International Association of Movers (IAM) conference in London last week, Gartner research director Bart Willemsen highlighted several features of the GDPR that in his opinion will carry the greatest weight for covered entities.

    Willemsen stressed the GDPR’s emphasis on a data life cycle, and its new rules and regulations governing the end of that life cycle, the currently problematic part of the status quo for EU citizens. Specifically, he highlighted the maximum penalty: the higher of 20 million Euros or 4% of annual turnover for the most serious infringements, or half that for less serious infringements. He also highlighted that individuals now may bring class actions, and breaches such as the Yahoo breach of 2016 would cost 860,000 dollars per occurrence.

    He also highlighted the strengthened and expanded rights of access, correction, portability and erasure. All in all, despite the current inaction suggesting non-compliance, he remained optimistic industry would follow the GDPR. “This is a regulation, it is a law, and I am not telling you to break a law,” he said. “I drive a motorbike and don’t willfully break the speed limit, that’s breaking law. GDPR is law but I have faith in you.”

    https://www.infosecurity-magazine.com/news/gdpr-compliance-risk-management/

  • Lauren Kreps Blog Post

    Lauren Kreps

    Information Privacy Law

    Professor Ira Rubinstein

    March 6, 2017

    Amidst the steady current of Executive Orders President Trump has issued in his first two months in office, it would have been all too easy to miss his January 25, 2017 Executive Order threatening to place US-EU agreements on privacy regulation in jeopardy. After all, just two days later the President issued another Executive Order announcing an unprecedented travel ban on refugees and citizens of certain predominantly Muslim countries into the US, inciting nationwide protest and rebuke.

    Though the human toll implied by the latter justifiably dominated national debate, both Executive Orders presented potentially seismic shifts in their respective international policy landscapes – one concerning the movement of people, the other of data.

    Having already been rattled by the fall of the decades-long Safe Harbor agreement that facilitated data flow between Europe and the US, those with a political, commercial or philosophical stake in the transnational flow of information saw the January 25 Executive Order as an open threat – albeit one of a lesser order of magnitude than what was to follow. Particularly concerning was Section 14 of the January 25 presidential order, mandating that US agencies “shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.”

    This came as a surprise to European officials, who in the wake of the Safe Harbor invalidation had spent months collaborating with the Obama administration to ensure the July 2016 enactment of The EU-US Privacy Shield. Addressing privacy “holes” that Safe Harbor had left untended, the Privacy Shield aims to guarantee the continued flow of commercially-essential personal information (PI) from the EU to the US, while also allaying European fears of surveillance by American security services.

    The implications of the unwinding of US-EU cooperation on privacy regulation are extensive. Over 2,000 companies have already signed on to the Privacy Shield framework – companies including Google, Facebook, Twitter and Microsoft, whose businesses rely on the ability to store data about EU citizens on US servers. A recent New York Times article stated that the Privacy Shield made possible as much as $260 billion of trade in digital services. Commercial interests aside, assurances of equal treatment of EU citizens are also crucial to cooperation on the Umbrella Agreement, which enables the sharing of law enforcement data between the US and the EU.

    Concerned by the potential effects of President Trump’s unilateral decree, EU Justice Commissioner Vera Jourova expressed in an interview with Bloomberg that she would require assurance from the Trump administration that Privacy Shield would not be affected by the Executive Order. Otherwise, she claimed the EU would be prepared to suspend the pact.

    Apparently responsive to these concerns, the US Department of Justice wrote a letter to Jourova’s office stating that “Section 14 [does not] affect the commitments the United States has made under the DPPA (Umbrella Agreement) or the Privacy Shield.” Still, Jourova will be traveling to Washington to meet with officials from the Trump administration regarding the ongoing viability of Privacy Shield at the end of March, where she has stated she will expect “reconfirmation and reassurances.”

    Whether this most recent EU-US data transfer mechanism can truly survive in the face of diminished privacy protections for non-US citizens remains to be seen. For now, at least the data doors remain open.

    Sources:

    https://www.whitehouse.gov/the-press-office/2017/01/25/presidential-executive-order-enhancing-public-safety-interior-united

    https://www.nytimes.com/reuters/2017/02/27/business/27reuters-eu-dataprotection-usa.html?_r=1

    https://www.bloomberg.com/news/articles/2017-03-02/if-trump-spoils-privacy-pact-we-ll-pull-it-eu-official-warns

    https://www.privacyshield.gov/list

  • Giulia Checcacci Blog Post

    Giulia Checcacci

    Information Privacy Law

    Professor Ira Rubinstein

    March 6, 2017

    The European Commission proposes a new set of rules for protecting all electronic communications

    On January 10, 2017, the Commission of the European Union presented a proposal for a regulation concerning the protection of personal data in all electronic communications. The new rules are in line with the latest European legislation adopted within the Digital Market Strategy to increase the security and confidence in digital services.

    As clarified in the explanatory memorandum, the proposal aims to complement the General Data Protection Regulation (Regulation EU 2016/679) with specific regard to electronic communications, such as e-mails or instant messaging. In fact, these services are generally not subject to the current Union legal framework on electronic communications, including the ePrivacy Directive (Directive 2002/58/EC).

    The Proposal provides for the protection of both data and metadata (e.g. location), requiring their anonymization and deletion if end-users have not given their consent and as soon as their collection is no longer necessary. This way the Commission wants to ensure the confidentiality of all electronic communications.

    The main innovations, though, concern cookies and spam.

    As for cookies, the proposal simplifies the way the user can give his consent to the tracking of cookies and other identifiers. Instead of requiring consent for every website visited, as is now the case under the current ePrivacy Directive, the user will be able to set the privacy settings of his browser in order to accept (or refuse) the tracking of cookies once and for all. This consent rule, though, does not apply to all types of cookies. Non-privacy-intrusive cookies (e.g. cookies to count the number of visitors to the website) or the ones necessary to provide information or a service requested by the user (e.g. cookies that allow the website to remember the shopping cart history) do not require consent anymore.

    Moreover, the Proposal forbids any type of unsolicited electronic communication. Number-based interpersonal communications services providers should give users the possibility to easily block marketing calls. The proposed rules also ban anonymous marketing calls, requiring marketers to show their numbers or to use a special prefix for marketing calls (articles 12-14). Stricter requirements are also set up for e-mail. In particular, electronic contact details can be used for marketing purposes only if customers have been given the possibility – easily and free of charge – to refuse such use (articles 15-16).

    The Regulation will have to be fully aligned with the General Data Protection Regulation. The choice of using regulations – over directives, which are not directly applicable – will lower the risk of dissimilarities in the application of the legislation in the Member States. This proposal seems to confirm the main goal of the European legislator: the creation of a system of rules more and more uniform for the protection of privacy rights.

    While the scope of the actual ePrivacy Directive is limited to traditional telecoms companies, the proposed Regulation should apply to all the providers of electronic communications, WhatsApp, Facebook, Skype, Gmail included.

    However, the Proposal has been criticized by ETNO (European Telecommunications Network Operators) and GSMA (a trade association that represents the interests of mobile operators worldwide). Their main concern is that the new rules combined with the General Data Protection Regulation could result in a “double regime with blurred boundaries”, impairing their ability to process big data analytics in the interest of customers or to provide mapping services that compete with those already provided by other players.

    The Regulation should apply from 25 May 2018. However, we need to wait to see if the Regulation will be adopted and, if so, whether it will embed all the requirements included in the proposal or if there will be some changes.

     

    Related documents

    1. Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications

    http://ec.europa.eu/newsroom/dae/document.cfm?doc_id=41241

    2. General Data Protection Regulation

    http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ%3AL%3A2016%3A119%3ATOC

    3. ePrivacy Directive

    http://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1481215473410&uri=CELEX:02002L0058-20091219

    For more information

    http://europa.eu/rapid/press-release_IP-17-16_en.htm

    https://www.theguardian.com/technology/2017/jan/10/whatsapp-facebook-google-privacy-rules-ec-european-directive

    http://www.gsma.com/newsroom/press-release/etno-and-gsma-about-new-e-privacy-regulation/

  • Heather Garvey Blog Post

    Heather Garvey

    Information Privacy Law

    Professor Ira Rubinstein

    February 28, 2017

    Plans to Destroy FCC Privacy Regulations Could Signal Future Structural Changes to Privacy Regulation by the FTC

    Congress and the Chairman of the Federal Communications Commission have recently been attempting to kill the FCC’s internet privacy rules.  These FCC opt-in rules, that were created during the Obama administration, require broadband service providers to obtain permission from consumers prior to using their information for marketing purposes and to take steps to protect personal data and notify customers of a breach.  In particular, the FCC Chairman, Ajit Pai, seeks to halt the rules before they go into effect this Thursday, claiming that all online entities should be regulated by the same guidelines.  Similarly, Senator Jeff Flake (R-Ariz.) announced his plan to introduce a resolution to undo the privacy rules, noting that the Federal Trade Commission (FTC) should have control over all privacy issues.

    Commissioner Pai plans to hold an FCC vote to stay the implementation of the new rules.  Currently, there are two vacancies on the FCC, leaving only three FCC commissioners total.  Commissioner Michael O’Rielly supports Pai’s efforts to block the new rules, while Commissioner Mignon Clyburn wants to keep the rules and could potentially block a vote by denying a quorum.  However, Pai could direct the FCC staff to stay the provisions and push for a vote later.  Either way, it appears Pai is likely to be successful in halting the implementation of the rules this week.  Since a future Democratic administration of the FCC could simply reinstate the rules, concrete change would be more effective coming from Congress than the FCC.

    Senator Flake instead is focusing on using the Congressional Review Act (CRA) that allows Congress to revoke a regulation within 60 legislative session days, with only a simple majority and the president’s signature, to remove the FCC rules.  With the Republicans in control of both the House and Senate and with President Trump in the White House, the CRA can be used effectively to strip away many of the regulations passed under President Obama.

    These recent efforts by both Congress and the FCC shed light on the future of the FCC’s privacy regulation of broadband companies and the FTC’s effort at privacy reform.  We may see a greater push to have privacy regulation of all online companies, including broadband companies, come under the purview of the FTC, rather than continuing with the carve-out of broadband companies with the FCC.  For example, Representative Frank Pallone (D-N.J.) has asked the Government Accountability Office (GAO) to study the status of broadband privacy regulation and the authority of the bifurcated process by the FCC and FTC.  Since technology increasingly is flooding our everyday lives, perhaps individual privacy and data security should be addressed via a constant regulator, rather than a fluctuating, unstable system.

    One of the main concerns from Republicans and Pai is the opt-in system regulating broadband companies, where individuals must affirmatively consent to allow the companies to use their personal information.  This standard is higher for broadband companies than for other online businesses who only need to use an opt-out system.  For example, under the Administration Discussion Draft: Consumer Privacy Bill of Rights Act of 2015, online companies would be required to provide individuals a means to withdraw consent.  Instead of entirely eliminating data privacy rules as applied to the broadband companies, perhaps a future solution would be to have the FTC regulate the entire industry with uniform rules, such as those proposed in the Consumer Privacy Bill of Rights Act of 2015.  This change would eliminate the concerns of Republicans and Pai that broadband companies are treated unfairly, while simultaneously alleviating Democrats’ concerns about leaving online privacy entirely unregulated.  Nonetheless, while unification of the rules might solve unfairness concerns, there would still be a significant fight ahead of whether to regulate all online companies under an opt-in system or an opt-out one.

    Sources

    http://www.latimes.com/business/la-fi-fcc-privacy-20170227-story.html

    http://thehill.com/policy/technology/320196-gop-sets-sights-on-internet-privacy-rules

    http://thehill.com/policy/technology/321433-dem-senator-pushes-back-against-gop-efforts-to-rescind-internet-privacy

    http://www.multichannel.com/news/congress/pallone-seeks-gao-study-broadband-privacy-oversight/411172