Congress Rolls Back FCC Broadband ISP Privacy Rules

Privacy Telecommunications

Last week on March 23, 2017, the US Senate voted 50-48 to roll back the Federal Communication Commission’s broadband privacy rules adopted last October under former Chairman Tom Wheeler. The House has also passed the resolution, and President Trump signed the bill on Monday. The rules were scheduled to go into effect later this year, and would have required Internet service providers (ISPs) to obtain consumer consent before using or sharing consumer information for commercial purposes.

Wheeler’s successor, Ajit Pai, has been an opponent of expanded ISP consumer privacy requirements and has worked to undo many of the pro-consumer proposals passed under Wheeler’s FCC. After the FCC reclassified Internet providers as telecommunications services, broadband providers became subject to Title II of the Telecommunications Act, governing consumer privacy under 47 U.S.C § 222 (2012). The broadband privacy rules were designed to apply the general statutory requirements to protect customer proprietary information to ISPs. The rules would have required broadband ISPs to inform consumers of the types of information collected about customers, and would have mandated ISPs to gain affirmative opt-in consent from users before using or sharing “sensitive” information. Information termed “sensitive” included web browsing history and email communication content, in addition to information such as Social Security numbers, medical, and financial data. The rules would also have required ISPs to take “reasonable” steps to protect consumer information from data breaches, but under Chairman Pai, the FCC voted to stop this from taking effect as scheduled on March 2.

Congress has used its power under the Congressional Review Act (CRA) to block the new rules from taking effect, as well as prevent the FCC from passing similar regulations in the future. The CRA was passed in 1996 and “gives Congress and the president the authority to repeal a federal regulation within 60 legislative days of it being implemented.” Because Congress still needs the president’s signature to repeal laws under the CRA, the Act is generally only useful during transition periods from one party to another — as it was during the Clinton-Bush transition, where the Republican Congress used the CRA to undo a law “10 years in the making” in about a day.

The votes have been met with varied reactions from consumer privacy advocates. Several advocacy groups, including Free Press, Demand Progress, and the ACLU delivered petitions of almost 90,000 signatures in opposition to the resolution before the Senate vote. Democrats in the Senate decried that “ISP” now stands for “information sold for profit” and “invading subscriber privacy.” FCC Commissioner Mignon Clyburn and FTC Commissioner Terrell McSweeny released  a joint statement, stating that if President Trump signs the resolution, the law would “repeal the FCC’s widely-supported broadband privacy framework” and eliminate the requirement for broadband ISPs give customers a choice in managing their sensitive personal information.

Other advocates argue that because the FCC rules would have unfairly imposed obligations on ISPs inconsistent with the responsibilities of Silicon Valley companies like Google and Facebook, the rules were an imperfect solution to a larger problem — the lack of a baseline law governing online privacy in the United States. These advocates have expressed hope that, should Congress drop the FCC rules, a more consistent approach to online data privacy, potentially administered by the FTC, might prevail in the future.

In any case, it remains to be seen what the tangible effects of rolling back these relatively new rules will be on consumers, ISPs, and U.S. privacy law.