The Internet Privacy Rule Is Dead, But Could Anyone Bring It Back?

Image courtesy of Chris Blakeley

The laws, rules, and regulations governing our world aren’t etched into mountains; they can be changed. That’s how we got new rules intended to protect our private information from being used and abused by internet service providers, and how we lost those very same rules just a few short months later. Could the pendulum swing back and restore these privacy guidelines? Not likely.

There are three entities — the Federal Communications Commission, the Federal Trade Commission, and Congress — that could make broadband privacy a priority. However, two of them can’t make the privacy push anytime soon, and the third probably won’t. Let’s look at why.

The FCC

The FCC may seems like the obvious choice here. After all, until April 3, it had a privacy rule limiting how ISPs could use sensitive consumer data without first getting permission to do so.

That FCC went through the full rulemaking process: proposing the rule, voting on whether to consider that rule, seeking public comment, tweaking, then finalizing and voting again.

When the Trump administration moved into the White House, promoting Ajit Pai to FCC Chairman, there were two ways for the federal government to undo the privacy rules.

The FCC could have repealed the rule, but as telecom lobbyists requested, but that effectively involves going through the entire, lengthy rulemaking process all over again. Plus, any new rule — especially one that undoes a regulation that was approved only months earlier — could be challenged in federal court.

Lawmakers chose a second, much more permanent route: The Congressional Review Act, which gives Congress the authority to look over and approve or disapprove any new, major federal regulations. After majorities in the House, Senate signed a joint resolution of disapproval, President Trump’s signature killed the rule for good.

In regulatory terms, using the CRA is a scorched-earth tactic. Congress and the President not only undid the privacy rule, they made it so the FCC can’t replace it with anything that even resembles the rolled-back rule.

Buried in the text of the CRA, it explains that when a rule is repealed through this method, the agency that wrote the rule isn’t allowed to create a similar regulation:

A rule that does not take effect (or does not continue) under paragraph (1) may not be reissued in substantially the same form, and a new rule that is substantially the same as such a rule may not be issued, unless the reissued or new rule is specifically authorized by a law enacted after the date of the joint resolution disapproving the original rule.

Additionally, unlike a traditional piece of legislation or a new regulation, CRA resolutions can not be challenged in court.

BOTTOM LINE:
That means that the FCC would effectively have to get permission from Congress, in the form of new law, to create another rule doing “substantially” the same thing as the ISP privacy rule we lost. Until or unless that happens, the FCC’s hands are tied.

The FTC

Until very recently, the FTC was the federal privacy watchdog for just about everything, including broadband providers. And opponents of the FCC privacy rule have repeatedly argued that the FTC should still be overseeing privacy matters for ISPs — or at the very least that the two agencies should have identical frameworks for dealing with the issue.

New FCC chair Ajit Pai and new FTC chair Maureen Ohlhausen have both repeatedly said as much, most recently in a heavily criticized Washington Post opinion piece.

But there are two roadblocks here: The FTC legally can’t regulate broadband providers; and even if it could oversee ISPs’ privacy practices, the FTC doesn’t have the authority to make a rule like the one approved by the FCC.

The FTC Act is what gives the Commission the authority to exist and to regulate the unfair and deceptive business practices in the way it does. But Section 5 of the law includes explicit carve-outs for banks, credit unions, and common carriers… like telecommunications services.

Broadband providers officially became common carriers, regulated by the FCC, when the FCC voted in 2015 to adopt the Open Internet Rule (a.k.a. net neutrality).

In case there were any doubts, in 2016 a federal appeals court threw out an FTC lawsuit against AT&T, saying the agency had no authority to sue common carriers.

The FTC is also very limited in its authority to make new regulations. The agency is allowed to create industry-specific trade regulation rules, but generally these are to limited to restricting “unfair and deceptive acts or practices.” While the FTC has gone after websites and online services for misleading consumers about their privacy practices, the Commission has not come to the conclusion that the mere act of collecting user data is itself unfair or deceptive.

BOTTOM LINE:
The FTC simply can’t regulate broadband providers, and unless it wants to argue that the mere act of data collection is unfair or deceptive, it can’t issue a rule similar to the one the FCC tried to put in place. Thus, if the FCC is going to continue to model its privacy approach on the FTC’s, it’s unlikely that consumers will ever see more stringent restrictions on data collection and sharing.

Congress

Sure, it’s Congress’s fault that we lost the ISP privacy rule before it ever went into effect, but the House or Senate could do one of several things to remedy this error: Introduce a law that does what the FCC privacy rules tried to do; amend the FTC Act to rescind the common carrier exception and to give the FTC more rulemaking authority; or broaden the FCC’s scope.

In fact, last week Sen. Ed Markey (MA) introduced S.878, a bill to re-establish privacy protections for U.S. internet consumers. The bill [PDF] seeks to amend Section 222 of the Communications Act to include provisions defining sensitive information and restoring the opt-in and opt-out requirements the now-scrapped FCC rule sought to put in place.

Markey was joined by cosponsors Sens. Tammy Baldwin (WI), Richard Blumenthal (CT), Al Franken (MN), Martin Heinrich (NM), Patrick Leahy (VT), Jeff Merkley (OR), Tom Udall (NM), Chris Van Hollen (MD), and Elizabeth Warren (MA), who all have one thing in common: They’re all Democrats.

The Senate vote to repeal the privacy rule was strictly along party lines. Democrats don’t have the majority number needed to get this bill out of committee, let alone the 60 votes needed to pass it on to the House, where only 15 Republicans crossed party lines to vote against undoing the FCC rule.

Even if Congress were to pass broadband privacy legislation, it would likely face a veto from President Trump, whose administration has characterized the FCC rules as “federal overreach.”

Congress may be the best — and really only viable — option for protecting customers’ data from prying eyes of providers, but it seems unlikely that legislators will act so long as privacy continues to be a partisan dispute.