FCC, FTC are playing a shell game with online privacy

(By Gigi Sohn, opinion contributor via thehill.com) The Federal Communications Commission (FCC) and Congress are taking steps to weaken and eliminate the FCC’s privacy rules for broadband Internet service providers (ISPs) like Comcast and AT&T. Adopted in October 2016 under then-Chairman Tom Wheeler, the rules give consumers the tools they need to choose how their ISP uses and shares their personal data. The rules also require that ISPs keep customer data secure and notify customers and law enforcement in the event of a major data breach. The rules are the strongest consumer privacy protections in U.S. law, and were widely praised by consumer and privacy groups when they were adopted. Even ISPs like Verizon found the rules to be consistent with their own best practices. 

But that isn’t stopping the Trump FCC or Congress from moving full tilt to limit consumers’ online privacy. At the behest of ISP lobbying groups, the FCC already has stopped the data security rules from going into effect, and many of these same groups have petitions in front of the agency that would roll back the rules entirely. Meanwhile on Capitol Hill, Republicans in both houses of Congress have introduced “resolutions of disapproval” under the Congressional Review Act. Passage of these resolutions would not only repeal the current rules, they would prohibit a future FCC from adopting “substantially similar” protections.

 The proponents of these efforts make two arguments – neither of which will leave consumers with the privacy protections they now have and deserve. The first is that there should be one set of privacy rules for ISPs and so-called “edge” companies like Google and Facebook, and that these privacy practices should be overseen solely by the Federal Trade Commission (FTC), which currently has no legal authority over ISPs. As FCC Chairman Ajit Pai and Acting FTC Chairman Maureen Ohlhausen said in a recent statement: “We…believe that jurisdiction over broadband providers’ data and security practices should be returned to the FTC … All actors in the online space should be subject to the same rules, enforced by the same agency.”

I agree that one set of rules for the Internet ecosystem might be desirable, but why shouldn’t they meet the higher FCC standard that affords consumers more protection? And while the FTC is an important partner to the FCC on a variety of consumer protection and competition matters, including privacy, it lacks the ability to adopt rules – a critically important tool when it comes to protecting consumers. Rules give certainty to industry, moderate the behavior of all but the worst actors, and give consumers the ability to enforce their rights.

Moreover, it is not only common, but prudent, to have more than one agency oversee a vital segment of our economy like broadband (I, for one, would like to see both agencies have oversight over this market. Congress can and should restore the FTC’s authority over ISPs.) 

Finally and perhaps most important, giving the FTC sole legal authority to regulate the privacy practices of ISPs would require the FCC to relinquish its power to protect consumers and competition in the broadband marketplace. But that is exactly what Pai would like to do, because it would leave network neutrality rules and other consumer protections against billing fraud and price gouging without a legal foundation. And without that foundation, these and other rules moderating ISP behavior cannot stand.

The second argument is that even without the broadband privacy rules, the FCC can still protect consumer privacy under Section 222 of the Communications Act, which requires telecommunications carriers to protect the privacy of their customers’ information. Rules aren’t needed, say the ISPs and their supporters – the FCC can still enforce the law against bad actors. However, as discussed above, when it comes to consumer privacy, it is important to have rules that protect consumers *before* they are harmed.

But there is a more fundamental problem. If, as Pai believes, that the FTC, and not the FCC, should have the legal authority to regulate the privacy practices of ISPs, why would his agency enforce Section 222 at all? Indeed, his colleague Commissioner Mike O’Rielly made clear in his dissent to the October privacy decision that he does not believe the FCC has that authority today.

Nobody should fall for this privacy shell game. The FCC’s broadband privacy rules are currently the best protection consumers have for their personal information online. They would make a fine template for rules governing edge provider practices. Any weakening of the rules by either the Trump FCC or Congress will leave consumers unprotected from ISP data collection, use and security practices that might violate their privacy. That is certainly not the result the American people want or that policymakers should support.

Gigi B. Sohn is an Open Society Foundations Leadership in Government Fellow. From November 2013 through December 2016, Gigi served as Counselor to the Chairman in the Office of FCC Chairman Tom Wheeler. Gigi has served on the board of the Telecommunications Policy Research Conference (TPRC) and on the Advisory Board of the Center for Copyright Information.

The views expressed by contributors are their own and are not the views of The Hill.