On Tuesday, the House of Representatives sent a bill to President Donald Trump using the Congressional Review Act (CRA) to roll back the Federal Communications Commission’s (FCC) midnight broadband privacy rules. Activist groups have since accused Congress of authorizing broadband providers to indiscriminately sell customers’ data to third parties. Some members of Congress and other special interest groups have equated the passage of the CRA bill to the creation of an “Internet Wild West.” These arguments could not be any further from the truth, and the facts about the broadband privacy rule require that the record be set straight.
Myth: Congressional Republicans have taken away consumers’ privacy rights
If blame is to be assigned for any privacy protection “gap,” one need not look further than former FCC Chairman Tom Wheeler who led the charge to classify internet service providers (ISPs) like a public utility.
Before the FCC’s 2015 Open Internet Order, the Federal Trade Commission (FTC) retained jurisdiction to regulate the privacy practices of broadband providers as well as edge providers like websites and streaming video services. Chairman Wheeler’s Open Internet Order reclassified broadband providers as “common carriers” under the rotary-phone era Communications Act, effectively treating the internet as a public utility and stripping the FTC of its authority to regulate broadband.
The reclassification of broadband by the former leadership at the FCC enabled the commission to impose stricter privacy rules than those applied by the FTC to other members of the internet ecosystem.
The CRA bill merely returns privacy regulations to the status quo since the rule never went into effect in the first place. According to current FCC Chairman Ajit Pai, the best way to ensure consumer privacy is to “return jurisdiction over broadband providers’ privacy practices to FTC, with its decades of experience and expertise in this area.”
The broadband privacy dilemma is one created by former FCC leadership that can be fixed by returning broadband to the jurisdiction of the FTC.
Myth: The broadband privacy CRA bill eliminates all consumer privacy protections for broadband customers
Although the CRA bill would eliminate the broadband privacy rule, use of the Congressional Review Act does not eliminate the underlying statute that authorizes a rule.
In May 2015, after assuming authority to regulate broadband privacy, the FCC issued an enforcement advisory requiring broadband providers to take good faith and reasonable steps to comply with Section 222 of the Communications Act which regulates the privacy practices of common carriers.
The FCC still retains the ability to undertake enforcement actions against unreasonable and bad faith data practices, as described in its 2015 enforcement advisory, under Section 222 of the Communications Act.
Myth: The FCC cannot issue any new broadband privacy rules
The FCC still possesses the authority to propose new privacy rules for broadband providers. The Congressional Review Act only bars the Commission from issuing new rules that are “substantially similar” to those disapproved by Congress. For example, if the FCC sought to propose privacy rules in line with the FTC’s long-standing and effective framework, the CRA would not prevent such a measure.
According to the CRA, “[n]o determination, finding, action, or omission under this chapter shall be subject to judicial review.” In fact, according to a Congressional Research Service report, “[t]wo federal appeals courts and several federal district courts have examined [judicial review] and determined that [the CRA] unambiguously prohibits judicial review of any question arising under the CRA.” So, in practice, if the FCC were to conduct another privacy rulemaking, a federal court is unlikely to overturn new rules based solely on CRA claims.
Myth: Broadband companies want to sell consumers’ sensitive data
Broadband providers prefer a privacy approach that is consistent with the FTC’s privacy enforcement framework that protects consumers’ sensitive data. In January, broadband providers came together and announced shared privacy principles including provisions that would require providers to obtain customers’ permission before using their sensitive data.
Unfortunately, the use of the CRA to eliminate the broadband privacy rule has been mischaracterized as an opening of the floodgates for ISPs to use their customers’ sensitive data. Previous leadership at the FCC ignored FTC recommendations and went so far as to regulate the use of nearly all consumer data as opposed to merely sensitive data.
During the rulemaking proceeding for the broadband privacy rule, the FTC submitted staff comments to the FCC suggesting that the Commission adopt its previously effective privacy approach of requiring up-front consumer permission only for the use of sensitive data such as “Social Security numbers, and children’s, financial, health, and geolocation data.” The FCC’s final rule regulates data well beyond what the FTC proposed, essentially requiring customer permission for the use of any data.
Congress’ use of the CRA to eliminate Chairman Wheeler’s midnight broadband privacy rule is a step to restore regulatory balance and the status quo. The FCC still has the ability to protect consumers’ sensitive data which broadband providers agree should be respected.
The best approach to guaranteeing that sensitive data of ISP customers is protected is to return broadband privacy to the FTC’s privacy mechanism which fostered innovation and the low-cost internet consumers enjoy.