Repeal of ISP Privacy Rules not End of World for Consumers
March 31, 2017 | by Andrew Regitsky
It appears that as long as Donald Trump is President, every action taken by the federal government will be portrayed as catastrophic for the public. This is certainly true for how the media has characterized the Congressional resolution this week to repeal the FCC’s recent ISP Privacy Order. The resolution, which is expected to soon be signed into law, has been described as providing an open door for ISPs to abuse all customer data with no limits on their behavior. This is a remarkable characterization for a rule that has never taken effect, and willfully ignores the checks on ISP behavior that have existed for years, will continue to exist, and have worked well.
The Congressional resolution which was approved largely on a party line vote states:
Resolved by the Senate and House of Representatives of the United States of America in Congress assembled, that Congress disapproves the rule submitted by the Federal Communications Commission relating to 'Protecting the Privacy of Customers of Broadband and Other Telecommunications Services,' and such rule shall have no force or effect.
The repeal means that:
The new legislative measure would effectively allow providers to access and use a wide range of customer data without seeking their users' explicit consent, much as Google and Facebook do now. It also releases Internet providers from obligations to increase protections of customer information against hackers and thieves. And it prohibits the nation's top telecom regulator, the Federal Communications Commission, from seeking to restore its privacy regulations in the future. (March 28, 2017 Washington Post on-line article by Brian Fung).
Moreover, since the repeal was passed under the Congressional Review Act, the ISP privacy rules cannot be reinstated by any future FCC. The only future change can be made on a legislative basis.
Reading the numerous articles on the repeal this week one can easily believe that the Internet privacy world has become the lawless “Wild West” where ISPs are now free to use (or abuse) consumer data in every imaginable way. This is especially ironic since, as noted above, the section of the FCC”s Privacy rules pertaining to the proper use of sensitive consumer data has never taken effect and would not become effective until December of this year.
Here are several reasons why the Congressional repeal is not the end of the world for consumers:
The FCC Maintains Authority over ISP Privacy - As long as ISPs remain common carriers as designated in the 2015 Open Internet Order, the FCC continues to have authority over any potential misuses of consumer privacy committed by ISPs. Specifically, under Section 201(b) of the Telecommunications Act, the FCC has the authority to ensure that ISP privacy actions are “just and reasonable.” The only difference without the repealed privacy rules is that the Commission would take action on a case-by-case basis rather than proactively prohibiting certain privacy acts.
States Can Sue Deceptive ISPs - Every state has a law making it illegal for companies to engage in deceptive practices including actions that violate a company’s privacy practice. If consumers in a state believe they are being deceived by an ISP, they can complain to the state the state attorney general who can go to court to stop a company from deceiving consumers.
Consumers Can Sue ISPs for Breach of Contract - Every ISP maintains a privacy policy or terms of service that sets forth its rules for collect and disclosing subscriber information, including users’ communications over the provider’s network. If a customer believes the ISP has not lived up to its terms of service, he or she is free to file suit against the ISP for violating its contract.
Bad Publicity – We live in such a polarized country in which every action taken by an individual or company is seen as good or evil depending on one’s political beliefs. If an ISP were to engage in systematic misuse of consumer data, the intense media scrutiny and resulting bad publicity could significantly damage a company’s bottom line. Why take a risky action that could inflame half your customer base?
Sometime in the next year or two, Congress or the FCC will eliminate the Commission’s 2015 net neutrality rules and reclassify broadband access to the Internet as an information service. At that point the authority for regulating ISP privacy will return to the Federal Trade Commission (FTC), and ISPs and edge providers will have identical privacy rules. When the FTC takes over, it will be important for the agency to ensure that it spells out privacy rules that are easy for the public and ISPs to understand. Privacy rules must not be so overly restrictive that they stymie broadband investment while also ensuring that sensitive customer data is not misused or abused. We believe a case-by-case review of accused bad actors provides a better balance rather than global up-front restrictions on all ISP and edge company behavior, but this is certainly a debate that will continue.
