As new FCC Commissioner Ajit Pai telegraphed last week, the commission voted today to stay a set of privacy rules for broadband providers, adopted last year, which would have come into effect tomorrow.
We covered the rules in more detail last year, and the questionable justification for their negation here. The part of the rule being stayed is the section that creates ISP-specific recommendations and requirements for protection of users’ personal information. In the original order, ISPs are required to “adopt security practices appropriately calibrated to the nature and scope of its activities, the sensitivity of the underlying data, the size of the provider, and technical feasibility.”
The stay is ostensibly because the rules and recommendations don’t jibe well with others from the FTC that also concern data security.
A press release announcing the decision read in part:
Today’s decision will maintain a status quo that has been in place for nearly two years with respect to ISPs and nearly a decade with respect to other telecommunications carriers.
The Commission’s stay will provide time for the FCC to work with the FTC to create a comprehensive and consistent framework for protecting Americans’ online privacy.
It also mentions that the 2015 Open Internet Order essentially reassigned the responsibility for creating said framework, at least as far as it concerns ISPs, to the FCC. Since the FTC can’t, and the FCC won’t, enact the requisite consumer protections, ISPs have rather a free hand in how they choose to implement or not implement security.
A joint statement from Pai and acting FTC Chairman Maureen K. Ohlhausen (not Margaret, as I erroneously first wrote) acknowledged that this tug-of-war over authority left consumers out in the cold:
Two years after the FCC stripped broadband consumers of FTC privacy protections, some now express concern that the temporary delay of a rule not yet in effect will leave consumers unprotected. We agree that it is vital to fill the consumer protection gap created by the FCC in 2015, and today’s action is a step toward properly filling that gap. How that gap is filled matters. It does not serve consumers’ interests to create two distinct frameworks — one for Internet service providers and one for all other online companies.
This oft-repeated line about having one rule for everyone sounds great, but as we’ve noted before, that’s not really a realistic option. ISPs, edge providers and various other companies and services have distinct niches and disparate requirements when it comes to ensuring consumers are protected and informed.
Simple, broad rules may have been possible a decade ago, but the landscape is more complex and more involved now. We have multiple rule-making commissions for a reason; if circumstances call for it, and many think they do, the responsibility to monitor distinct parts of an enormous industry should be split among the most relevant authorities. The FTC, it seems, does not like its jurisdiction being pared back.
Mignon Clyburn, the Democratic commissioner who was outvoted 2-1 on this item, wrote in a dissenting statement that the decision today fails in its own justifications:
Rather than interpret a duly-adopted, flexible rule in a manner that would be consistent with the majority’s understanding of its proper scope, they have chosen to gut the rule entirely.
the Order alleges deleterious divergence from FTC standards, when in actuality there is little daylight between the approaches taken by the two agencies… This view was reiterated last week by FTC Commissioner Terrell McSweeny who stated that “[t]he rules the FCC adopted conform to long standing FTC practice and provide clear rules on how broadband companies should protect their customers’ personal information.”
the Order alleges significant harm to service providers, but cites absolutely nothing to prove it. In fact, the stay request does not even begin to estimate the costs associated with compliance.
As I wrote earlier this week, this decision appears to have little to do with the rule itself and everything to do with Pai’s drive to roll back any actions taken over the last few years to expand the FCC’s authority in any way.
The ultimate goal is, as Pai has himself said, reversing the 2015 Open Internet Order. By pruning the FCC’s mission and scope here and there with moves like today’s, Pai is turning up the heat, with net neutrality the frog in the pot.