Last week, the Federal Communications Commission decided to put on hold a portion of its historic privacy rule approved just a few months ago – the part dealing with data security. Congress is considering whether to use the Congressional Review Act to eliminate the FCC broadband privacy rules in their entirety – a move that would also prevent the FCC from issuing similar rules in the future.
The rationale offered for all this action is that the rule is not consistent with how the Federal Trade Commission protects consumer privacy and data security – and that Internet service providers (your cable and wireless companies) are, therefore, being subjected to different requirements than other companies and platforms on the Internet (the “edge providers”). In the words of Acting FTC Chairman Maureen Ohlhausen and FCC Chairman Ajit Pai, “The federal government shouldn’t favor one set of companies over another."
But here’s the thing: The Federal Trade Commission does not have jurisdiction over the security and privacy practices of broadband, cable and wireless carriers.
This action by the FCC – ostensibly motivated because of a gap in consumer protection law – has, in actuality, created a yawning chasm where broadband and cable companies have no discernible regulation, while “edge” providers from Apple to Zappos abide by FTC enforcement. That’s right. In order to stop treating ISPs differently the FCC is doubling down on treating one industry differently than another.
The effect of this is to shift the risk from the multibillion-dollar ISP with computer and security engineers, to American families. That’s particularly problematic when it comes to an issue like data security – where there is almost no way for the typical consumer to guard against the myriad threats in the online environment. We are beholden to the practices and policies of the service providers. The only thing we can do is take steps to mitigate harms if a breach occurs – but we can’t do that if, for instance, we don’t know about the breach because our ISP no longer has a requirement to tell us.
So what are the differences between what the FCC is requiring of broadband providers and wireless carriers and the FTC’s approach to protecting consumers privacy and data security? Why is this such a critical issue that we have to throw aside protections for consumers? What’s this “bureaucratic war” between the FTC and FCC that must be settled?
As it turns out, there’s not much difference at all. While the FCC had prescriptive rules, they were drawn from years of FTC enforcement. The FTC does not have rule making authority in data security, as the FCC has and as we’ve asked Congress to provide us.
Instead, through the cases we bring and the guidance we issue, we have sought for companies across the economy to take reasonable steps to guard their data and provide consumers with notice when there is a breach. That is what the FCC provided with their rule. When it comes to privacy, we seek to protect consumers from unfair and deceptive acts and practices. When the FCC was drafting its privacy rule we weighed in explaining where we thought their approach was different than ours – and they made changes so that now the two agencies are using fundamentally the same approach. We’ve even cooperated on cases.
Another argument appears to be that there should be just one data security cop on the beat – the FTC. While I strongly support our program, the fact is that the FTC already works with expert regulators like the FCC, the FDA, NHTSA, NIST to help make sure that as things like cars, medical devices and homes become increasingly connected the regulators have the information they need to provide data security oversight of their industries.
If Congress or the voting majority at the FCC wanted to really improve the cybersecurity and privacy of the American consumer they would let the rule stand and work together, and with the FTC, to enable both the FCC and FTC to police the practices of common carriers like ISPs, so that there is truly consistent enforcement. Congress would also pass comprehensive data breach and privacy legislation, as a bipartisan FTC has unanimously advocated for years.
As a privacy and data security enforcer, what is most troubling about this debate is that it appears to be part of a larger effort to substantially shift the risks of data security from companies to consumers and to weaken consumer privacy choices.
Terrell McSweeny is a commissioner on the Federal Trade Commission.
The views expressed by contributors are their own and are not the views of The Hill.