By John Kincaide, Privacy and Security Policy Attorney at Intel
On May 11, 2016, the US Senate Judiciary Subcommittee on Privacy, Technology and the Law held a hearing on “Examining the Proposed FCC Privacy Rules”. The objective of the hearing was to discuss the Federal Communications Commission’s (FCC) Notice of Proposed Rulemaking (NPRM) on proposed privacy rules for Internet Service Providers (ISPs). The FCC’s NPRM is open for public comment until May 27th. The hearing included testimony from FCC Chairman Tom Wheeler, FCC Commissioner Ajit Pai, FTC (Federal Trade Commission) Chairwoman Edith Ramirez, and FTC Commissioner Maureen Ohlhausen.
FCC Chairman Tom Wheeler’s prepared testimony focused on the agency’s authority to protect consumer privacy, the importance of having the proposed privacy rules to protect consumers, and the FCC’s core principles for privacy protection. The Chairman stated Section 222 of the Communications Act expressly grants the FCC the authority to protect the privacy of customer information.
The Chairman stated that ISPs present unique privacy challenges when compared to internet websites. For example, the Chairman noted that consumers may be aware that internet sites collect personal information but may not realize the ISP is also collecting this information. The Chairman also noted that consumers may quickly choose to stop using an internet site but may not have the option to quickly change ISPs. Further, stated the Chairman, ISPs handle all of the consumer’s network traffic, giving the ISPs the ability to collect significant amounts of information about consumers.
The FCC’s proposed privacy rules are built on three core principles: transparency, choice and security. The proposed privacy rules would permit ISPs and affiliates offering communications-related services to market other communications-related services to consumers unless a consumer affirmatively “opts out”. Consumers would need to affirmatively “opt in” for any other use or sharing of their data. The Chairman’s statement specifically noted that the proposed privacy rules are narrowly focused on consumer personal information collected by ISPs and do not regulate “edge” providers like internet applications and services accessed over the internet.
FTC Chairwoman Edith Ramirez’s prepared testimony focused on the agency’s long history of consumer privacy protection, its authority for enforcement, the agency’s privacy and data protection policy and regulatory strategies, and the FTC’s history of cooperation with the FCC (and other agencies) to use “complementary authority” to effectively protect consumers.
The FTC’s enforcement authority derives from Section 5 of the FTC Act, which enables the agency to take action against companies engaged in “unfair” or “deceptive practices” involving the privacy and data security of consumers’ information. The Chairwoman noted the FTC has brought over 500 enforcement actions focused on protecting consumer privacy and these cases covered “all parts of the internet ecosystem”, including ISPs. The FTC’s enforcement actions “send an important message to companies about the need to protect consumer privacy”.
In addition to its enforcement actions, the FTC provides proactive policy guidance. For example, the FTC provided guidance for new technologies as noted by the agency’s Internet of Things staff report (2015) and its Big Data best practices report (2016). The FTC also holds public events to help consumers and companies better understand the importance of privacy and data protection. Recent examples include PrivacyCon, Start with Security, and IdentityTheft.gov.
Regarding the FCC’s proposed privacy rules, the FTC Chairwoman cited the agency’s long history of successful cooperation with the FCC on consumer protection issues, including privacy and data security. One example of the agencies’ cooperation is the Memorandum of Understanding, which formalized cooperation between the agencies and outlined how the FCC and FTC will coordinate consumer protection efforts. Finally, the FTC is “carefully considering the FCC’s proposed privacy rules and intends to file comment” and believes it can provide “unique insights” to the FCC.
Intel encourages the FCC and FTC to work closely together to develop privacy protection rules which adequately protect broadband ISP consumers and consumers using online businesses or services. In addition, the FTC and FCC should work closely together to help broadband ISPs, and businesses providing services over the internet, clearly understand the applicable (ISP vs. the “edge”) rules to enable good faith compliance. Individuals’ trust may be jeopardized if multiple agencies have vastly different privacy rules which thwart ISPs’ and internet companies’ good faith efforts for regulatory compliance.
Finally, trust in technology may be placed at risk if there is confusion regarding how data is protected when using all aspects of the internet. Key questions for the FCC and FTC to consider include whether individuals clearly understand the distinctions between how their personal data is collected and used with an ISP vs. a website/web application, and what individuals’ privacy and data protection expectations are as their personal data flows between ISPs and internet websites/web applications.