On the morning of Tuesday, July 12th, members of the U.S. Senate Committee on Commerce, Science, & Transportation convened for a hearing on a notice of proposed rulemaking recently issued by the Federal Communications Commission (FCC). The hearing, titled How Will the FCC’s Proposed Privacy Regulations Affect Consumers and Competition, did much to talk about the potential effects of the FCC’s increased oversight of broadband Internet service providers even as partisan viewpoints among committee members were exposed.
This day’s hearing focused specifically on rules drafted by the FCC and released on April 1st which deal with privacy regulations for broadband Internet access service (BIAS). The 147-page document was drawn up to provide “additional, concrete guidance explaining the privacy responsibilities created by the Communications Act.” The FCC believes this will benefit both consumers and Internet service providers (ISPs), the latter of which the FCC called “the most important and extensive conduits of consumer information” having unique access to sensitive and personal information. The rules aim to give consumers more privacy options by seeking to close what the FCC sees as a gap between traditional American principles of privacy protection and the current federal privacy regime as put in place by the Federal Trade Commission (FTC). The FCC’s reclassification of ISPs as Title II common carriers last February wrested regulatory authority over ISPs from the FTC. At the same time, consumers have the opportunity to opt-in to data collection practices of ISPs under the proposed rules.
“The protection of privacy on the Internet is vital,” said Sen. John Thune (R-SD) at the top of his opening remarks as chairman of the Senate commerce committee. “It’s fundamental for allowing the Internet and the information economy to thrive.” Thune noted that Internet usage has increased by an astounding 900,000 percent since passage of the Telecommunications Act of 1996. He also pegged the broadband Internet industry’s investment to meet increased demand over the years at $1.4 trillion. Thune then turned to comment on what he seemed to feel was an unbalanced regulatory scheme, one which applied to BIAS but not to many other Internet entities collecting data. Additionally, Thune worried about the burden of increased regulation on small ISPs, such as ones in his own state catering to a few thousand subscribers in areas without great population density. “How are they supposed to pay for additional staff, software licenses, training and other expenses that would be required to comply with the Commission’s proposed rules?”
“It seems to me that the question is ultimately how to preserve the benefits of online commerce but in a way that takes into account a consumer’s right to […] control the collection and use of their personal information,” said Sen. Bill Nelson (D-FL), the ranking Democrat on the Senate commerce committee. He said that the FCC was the “expert agency” for regulating communications networks and had a flexible, forward-looking authority for consumer protection. “If the content is governed by the FTC under the Fair and Deceptive Practices [sic], isn’t it right for the FCC […] to use that authority to protect privacy?” Although regulators need to act in a restrained manner, Nelson also noted that regulators should not be afraid to use authority whenever necessary. “At the end of the day, this Senator is going to side with consumers and whichever approach that I conclude best protects the privacy of broadband subscribers.”
At this moment in time, the idea that blanket approval of privacy regulations for ISPs can only be positive for consumers could be challenged. The net neutrality regime put in place by the FCC, which allows for greater regulation of ISPs as Title II common carriers by that agency such as the proposed privacy rules, could have real unintended consequences which hurt the American consumer. Preventing ISPs from charging for paid prioritization protects the interests of large content providers like Facebook (NASDAQ:FB) and Netflix (NASDAQ:NFLX), which now cannot be charged by ISPs for the large amount of bandwidth those services use. Also interesting is the fact that sharing information with advertisers is cited as an area of consumer protection need prompting the FCC’s privacy rules. And yet Facebook is able to improve its own fortunes through advertising on multiple platforms while unfettered by the federal government. Somehow Facebook, which engages in interstate and foreign communication by wire or radio over the Internet (the definition for “common carrier” found in the Communications Act of 1934), doesn’t fall under Title II regulations.
Most of the day’s panel had criticisms of the FCC’s proposed rulemaking, beginning with Jon Leibowitz, former FTC chairman and current co-chair of the 21st Century Privacy Coalition, an industry group representing ISPs. He found the FCC’s privacy rules to be a restrictive set of requirements applying to ISPs and not other Internet entities. He felt the proposed rules had four major flaws, namely that they were not technology neutral, that they targeted non-sensitive data, that they created no consumer benefits and that the notification timeline for privacy breaches was unrealistic and could lead to massive over-notification for consumers. On this last point, the FCC’s proposed rules would require ISPs to notify the FCC of a breach within seven days of detection and consumers within 10 days. “Even if you don’t believe that the FCC’s current proposal is a solution in search of a problem, it would nevertheless create inconsistent standards across the Internet, confuse consumers and undermine innovation that benefits consumers as well,” Leibowitz said.
The ideals of privacy and security were very important to Dean Garfield, president and CEO of the Information Technology Industry Council. “No two issues are more important to building and retaining trust with our customers,” he said. However, the FCC’s approach is getting the agency involved in an area where self-regulatory standards already applied. The overly broad definition of personally identifiable information (PII) and the consumer opt-in approach create an unworkable framework, he added. “This should not suggest that the FCC doesn’t have a role here,” Garfield said. “We intend to suggest that the approach they’ve taken is inconsistent with best practices.”
On the other hand, Paul Ohm, professor of law at Georgetown Law Center, believed that the FCC’s privacy rulemaking was well within its regulatory authority, calling the proposed rules wise, measured and “unambiguously authorized by law.” “Most Americans do not have a choice when it comes to fixed broadband service,” Ohm stated, adding that ISPs sit at a privileged place in the Internet ecosystem and serve as a “bottleneck” through which all other services are accessed. He also noted that the FCC’s rules did not ban data collection practices because they allowed consumers to opt in to those programs.
“In our view, [these] obligations will chill investment and innovation without consumer benefits,” argued Matthew Polka, president and CEO of the American Cable Association (ACA). Polka’s fear was that the FCC’s proposed rules would impose burdensome regulations on broadband providers which already had an “excellent track record of compliance” in such issues. The FCC’s rules, he felt, should be more closely aligned to the FTC’s framework in privacy issues. The ACA represents 750 cable providers, Polka said, 80 percent of which serve fewer than 5,000 customers each. “Most companies cannot dedicate employees to regulatory compliance,” he said.
Presenting data related to online privacy issues was Peter Swire, a law and ethics professor at the Scheller College of Business at the Georgia Institute of Technology. His May 2016 working paper Online Privacy and ISPs took a data-driven approach to critique views regarding ISPs and privacy protection. “Before the working paper, much of the advocacy for the rule was based on factual claims that have not stood up to scrutiny,” Swire said. The working paper noted a rise in total percentage of encrypted bits transmitted on the Internet, from 13 percent in February 2014 up to an estimated 70 percent by the end of this year. He also downplayed fears over deep packet inspection (DPI), a data examination technique which is becoming less useful for data mining with higher rates of encryption and new Internet security protocols such as HTTPS. “[ISPs] can see the main domain name but not specific pages” accessed by a browser through such security techniques, Swire stated.
Despite the 94 percent of Americans that, according to Thune, prefer that all companies follow consumer data privacy rules, Ohm saw little problem with the sectoral nature of the rules. He brought up the healthcare sector where professionals and organizations are required to follow heightened privacy rules under HIPAA. Leibowitz, however, noted that the simplicity of the FTC’s approach encouraged the notion that a second draft of the FCC’s proposed privacy rules would do well to better reflect the FTC’s previous framework.
True to his word, Nelson kept banging the drum regarding consumer protections in the face of large entities, conflating government access of consumer content with corporate access of that same content. He cited the shift towards encryption noted by Swire as evidence of the fact that consumers want privacy from all angles. Swire countered by noting that the shift towards higher encryption has much to do with American companies forced to deal with flagging consumer confidence overseas. “It’s complicated as individuals to set up encryption,” he said. Ohm, on the other hand, noted that “privacy is in shambles everywhere,” and he argued that shifts towards encryption could have much to do with consumers asking those services to protect their privacy from other entities.
The idea of what constituted sensitive data was also up for debate. Leibowitz noted that the FCC’s approach targeted all data without targeting all data collectors. As Nelson countered, however, “one person’s sensitive data is not another person’s sensitive data,” arguing that consumers should have a choice in what information is shared.
The partisan pull of this debate was put on full display by Sen. Ed Markey (D-MA), who used his first round of questioning to focus on Ohm’s points and engage that sole panelist in dialogue. Markey began by stating that children and adults who are online “all day long” create a trail of information which is as sensitive as health information. “That’s the profile of who you are as a human being in the United States in 2016,” he said. Ohm’s responses to Markey took the point of view that, without the privacy regulations, there was a chilling effect on the Internet browsing of American consumers who would be afraid of where their browsing information would be seen. A wide view of what constitutes sensitive data coupled with privacy concerns likely justified a ban on data collection practices, Ohm believed.
Under questioning from Sen. Jerry Moran (R-KS), Polka noted that the proposed rulemaking on consumer data privacy is only one of a couple of areas where the FCC is looking to increase its regulatory authority over ISPs; others involve set top boxes and special-access lines for broadband business data. “Each of these could have negative effects that members would have to shift resources from deployment to compliance and regulation,” Polka argued. “It’s not that we’re not up to doing our duty, but there is a balance that must be reached.” Moran noted that small business failure is often caused by many small regulations which add to the company’s cost of doing business. “It’s death by a thousand cuts,” Moran stated.
Opponents of the FCC’s proposed rules also noted that there is no consumer harm trigger, furthering the argument that no actual existing consumer harms are addressed by the rules. Leibowitz noted that 50 data breach cases brought against private companies by the FTC all involved harm. Leibowitz also stated that the FCC’s privacy rules could run afoul of the Central Hudson test for commercial speech restrictions because they treat the same type of information differently based on who has access to that info. A few of the panelists and committee members also voiced concerns over diplomatic language used by the FTC regarding the FCC’s proposed consumer privacy rules; the FTC said of implementing the FCC’s proposed rules as written, “This outcome is not optimal.” Garfield also hypothesized on the negative effects that the FCC’s rules could have on the recently approved EU-U.S. Privacy Shield, arguing that domestic rule changes on our own country’s data privacy regime could have the “ironic” effect of calling that international agreement into question.