On Wednesday, President Trump's new Federal Communications Commission chair blocked privacy rules designed to protect customers of Comcast, Verizon, and other internet service providers from malicious hackers and data breaches.
The FCC created the sweeping new privacy rules last year to limit how broadband companies can share and sell sensitive information about you. One aspect of the rules, which would have taken effect Thursday, required broadband companies to take "reasonable" security measures to shield sensitive information like customers' social security numbers, browsing history, and geo-location data. The rules also required internet providers to contact law enforcement within seven days of a data breach, and to notify customers within 30 days.
These rules are now on hold, despite a history of massive hacks that targeted internet providers.
The FCC's new chair, Ajit Pai, said the data security rules are an unfair requirement for internet providers. Rather than imposing FCC privacy rules only on broadband companies, Pai said he wants to work with the Federal Trade Commission to create a comprehensive privacy policy that applies to all online companies, including Google, Facebook, and Twitter. While these web companies have their own privacy policies, and are bound by a patchwork of state laws that mandate data breach notification, no comprehensive federal law exists that provides a national baseline for their privacy and data security practices.
While the FCC has the authority to regulate broadband providers, Pai argued that the FTC has more expertise in policing privacy violations, and is better suited to shape privacy rules that apply to broadband companies, as well as to every other online business.
"All actors in the online space should be subject to the same rules, enforced by the same agency," Pai said in a joint statement with Acting FTC Chair Maureen Ohlhausen. Trump also appointed Ohlhausen.
“The federal government shouldn’t favor one set of companies over another — and certainly not when it comes to a marketplace as dynamic as the Internet," they said. "So going forward, we will work together to establish a technology-neutral privacy framework for the online world."
Proponents of the privacy rules see this move as a blow to consumer protections, and the first step in dismantling desperately needed privacy safeguards as Americans face a barrage of data breaches.
The FCC's sole democratic commissioner (out of three), Mignon Clyburn, voted unsuccessfully to uphold the privacy rules. In her dissenting statement, she described Pai's efforts as a clumsy and disingenuous ploy. "This Order is but a proxy for gutting the Commission’s duly adopted privacy rules — and it does so with very little finesse," she said.
"With a stroke of the proverbial pen, the Federal Communications Commission — the same agency that should be the 'cop on the beat' when it comes to ensuring appropriate consumer protections — is leaving broadband customers without assurances that their providers will keep their data secure," she said.
After the privacy rules were approved last year, internet service providers including Comcast, T-Mobile, AT&T, and Cox pledged to adopt reasonable security measures and to notify customers of data breaches. But Clyburn argued that without the rules, Americans will be hard-pressed to hold these companies accountable. "What it actually does is permit providers to shift the costs for corporate negligence onto private citizens," she wrote. "If a provider simply decides not to adequately protect a customer’s information and does not notify them when a breach inevitably occurs, there will be no recompense as a matter of course."
Other critics of Pai and Ohlhausen's plan point to the limited power of the FTC to create new privacy rules. Unlike the FCC, which has broad rule-making authority, the FTC is primarily an enforcement agency; it can go after corporate law-breakers and ensure that they keep their public promises, but it can't create privacy rules that would apply to all web companies. "The FCC has a clear mandate to protect people's privacy, but the FTC has nothing like that," said Matt Wood, the policy director of Free Press.
Other portions of the privacy rules that require internet providers to get your consent before they can share sensitive information about you with a third party don't kick in until later this year. And while today's actions don't affect these opt-in privacy requirements, critics say Pai's move on data security is the first stage in halting the privacy rules entirely.
For his part, Pai said he and the FTC will work to create a uniform plan as the data security rules remain on hold. He acknowledged concerns that an absence of privacy rules may leave Americans exposed, but, he said, "It does not serve consumers’ interests to create two distinct frameworks — one for Internet service providers and one for all other online companies." No timeline was given for the rollout of the revamped privacy rules.