The Federal Communications Commission announced Wednesday that it blocked a privacy rule adopted by the commission last year that would have required internet service providers to get permission before collecting sensitive information from customers.
The vote to block the implementation of Broadband Consumer Privacy Rules, which were set to go into effect on March 2, was approved by a 2-1 vote on party lines. FCC chairman Ajit Pai and fellow Republican commissioner Michael O'Reilly voted to stay the rules, while Democratic commissioner Mignon Clyburn was the lone dissenting vote.
The rules, which passed last October under the Obama administration, required ISPs to ask permission from its customers before it began collecting sensitive information from them.
Sensitive information was defined in the rules as any information regarding a user’s finances, health, information from children, precise geolocation data, web browsing history and app usage history. It also included any content from unencrypted message that may have been accessible to the service provider.
Any information that fell under the definition of sensitive information would require customers to opt-in before ISPs were allowed to collect the data. Information deemed to be non-sensitive could be collected by default, but would have required an option to opt-out.
The Broadband Consumer Privacy Rules were also set to put in place a more stringent requirement on ISPs for reporting potential data breaches that may have harmed customers or put their data at risk. ISPs would have been mandated to tell users of a data breach within 30 days of identifying it, and would have required the carriers to inform the FBI of the breach within seven days.
The rules have now been stayed temporarily, but likely indefinitely as the FCC issued its commitment to creating a more unified approach to privacy protections by working with the Federal Trade Commission.
“We still believe that jurisdiction over broadband providers’ privacy and data security practices should be returned to the FTC, the nation’s expert agency with respect to these important subjects," FCC Chairman Pai and acting FTC Chairwoman Maureen Ohlhausen said in a joint statement. "All actors in the online space should be subject to the same rules, enforced by the same agency."
Chairman Pai announced his intention to block the regulations late last month after Republican Senator Jeff Flake of Arizona suggested eliminating the rules by using the Congressional Review Act (CRA)—a tool that allows Congress to undo regulations from federal agencies with a majority vote and would essentially kill the rule for good by preventing the agency that issued the rule from ever issuing it again.
Pai has been in opposition to the Broadband Consumer Privacy Rules since they were first passed, arguing the rules unfairly single out internet service providers for their data collection practices while failing to apply the same scrutiny to edge providers like Netflix and Amazon. However, instead of expanding the rules to apply equally to all internet companies, the commission opted to block the rules from going into effect.
Commissioner Clyburn voiced her dissent in a statement issued following the vote, in which she claims the majority has failed to provide any evidence to back their reason for blocking the rules and called the decision the "antithesis" of putting consumers first.
Clyburn said there is "little daylight" between the rules adopted by the FCC in October 2016 under chairman Tom Wheeler and the FTC standards. Despite the similarities, Clyburn noted a 2016 ruling from the Ninth Circuit Court of Appeals that decided the FTC no longer had the authority to regulate service providers when it came to privacy issues because of their reclassification as common carriers under the Open Internet Rules.
That ruling means the FTC cannot actually regulate ISPs, despite the wish of FCC leadership to leave the other agency in charge of issuing privacy rules.
By removing the regulations, Clyburn argued, the FCC has also removed valuable consumer protections. "If a provider simply decides not to adequately protect a customer’s information and does not notify them when a breach inevitably occurs, there will be no recompense as a matter of course," she said.