A new fight is brewing over internet privacy as the Federal Communications Commission moves to undo Obama-era rules.
The FCC under new Republican Chairman Ajit Pai on Wednesday moved to block a rule requiring internet service providers to take stronger steps to protect customers' data.
The data security rule is part of a more expansive package of broadband privacy rules the agency approved late last year under then-Chairman Tom Wheeler, a Democrat.
Other rules would require internet providers to obtain permission from consumers before using their data for advertising or other purposes.
Pai's move, though, is raising difficult questions for lawmakers and regulators and reviving the fight over online privacy.
At the heart of the debate are questions about how much authority the FCC should have over internet companies, and whether the government is doing enough to ensure that broadband providers are securing consumer data in an era of massive hacks.
But Democrats and consumer advocates say the FCC rules were a reasonable step to ensure internet users are safe from hackers.
"The upshot is that a rule would have gone into effect today that would have made sure consumers' personal data would be protected," said Gigi Sohn, a former counsel Wheeler. "It wasn't exactly a very burdensome requirement either, they just had to take 'reasonable' measures. But now [consumers] are completely and totally unprotected."
Pai and his counterpart at the Federal Trade Commission, acting Chairwoman Maureen Ohlhausen, promised this week to work together to create new privacy rules that apply equally to service providers like AT&T and Comcast and internet companies like Google.
"We believe that the best way to do that is through a comprehensive and consistent framework," they said in a joint statement on Wednesday.
The FCC's privacy rules passed under the Obama administration were a result of the landmark net neutrality regulations. The FCC reclassified service providers as common carriers under net neutrality, which prohibits broadband providers from treating web traffic to certain sites differently.
But that reclassification angered conservatives, including Pai, because it opened the door to further regulations, such as the privacy rules.
The FCC's moves under Obama shook up how federal agencies typically handle privacy, where the FTC was traditionally responsible for enforcement actions.
Pai, as a Republican commissioner in the minority, had voted against the FCC privacy rules when they were approved last year, arguing at the time that they departed from the FTC's privacy framework.
Complicating that landscape, in August 2016, a federal judge ruled that the FTC didn't have the authority to regulate internet providers over the FCC.
The move to suspend the data security rule on Wednesday is stirring further confusion.
Pai has said the rule will be on hold while the FCC reviews how to deal with the broader question of internet privacy.
But some observers point out that the FCC still has authority to act on privacy issues against service providers that it treats as common carriers. If Pai chooses not to use that authority and the FTC is restricted because of the court decision, they worry customers will have no one looking out for them.
The FCC did not respond to The Hill when asked whether they would police service providers in the event of a data breach.
"They can't abdicate all of their responsibility and still claim that they're still on the beat," said Matt Wood, policy director at the civil liberties advocacy group Free Press.
Some conservatives who support Pai's efforts to roll back the privacy rules say that Congress should step in and eliminate any confusion about which agency is responsible for privacy and data security.
"There is a potential gap right now in the jurisdiction of the two agencies, which Congress ought to remedy by removing the so-called common carrier exemption, and then the FTC would have authority over all of the providers in the internet ecosystem," said Randolph May, president of the Free State Foundation, which has supported Pai's moves.
Pai and Ohlhausen acknowledged concerns over an enforcement gap but say they are trying to fix the problem caused by the Obama-era FCC creating another set of privacy rules.
"Two years after the FCC stripped broadband consumers of FTC privacy protections, some now express concern that the temporary delay of a rule not yet in effect will leave consumers unprotected," they said Wednesday."We agree that it is vital to fill the consumer protection gap created by the FCC in 2015, and today's action is a step toward properly filling that gap.
"How that gap is filled matters," they added. "It does not serve consumers' interests to create two distinct frameworks — one for Internet service providers and one for all other online companies."
There's also some question as to whether Congress might get in the way of the agencies implementing a new privacy framework.
Some Republicans are pushing to the Congressional Review Act (CRA) to undo the Obama-era privacy rules entirely and prevent the FCC from acting on privacy again.
For now, both Pai and Ohlhausen say they believe the FTC should have jurisdiction over privacy.
The next step, whether it’s a legislative compromise in Congress or an FCC vote to reclassify service providers, is unclear.
"We still believe that jurisdiction over broadband providers' privacy and data security practices should be returned to the FTC, the nation's expert agency with respect to these important subjects," the two chairs insist.
"All actors in the online space should be subject to the same rules, enforced by the same agency."