The Federal Communications Commission plans to halt implementation of a privacy rule that requires ISPs to protect the security of its customers’ personal information.
The data security rule is part of a broader privacy rulemaking implemented under former Chairman Tom Wheeler but opposed by the FCC’s new Republican majority. The privacy order’s data security obligations are scheduled to take effect on March 2, but Chairman Ajit Pai wants to prevent that from happening.
The data security rule requires ISPs and phone companies to take “reasonable” steps to protect customers’ information—such as Social Security numbers, financial and health information, and Web browsing data—from theft and data breaches.
“Chairman Pai is seeking to act on a request to stay this rule before it takes effect on March 2,” an FCC spokesperson said in a statement to Ars.
The rule would be blocked even if a majority of commissioners supported keeping them in place, because the FCC’s Wireline Competition Bureau can make the decision on its own.
“If commissioners are willing to cast their votes by March 2, then the full commission will decide the stay request,” the FCC statement said. “If not, then the bureau will stay that one element of the privacy rules pending a full commission vote on the pending petitions for reconsideration consistent with past practice.”
That “full commission vote on the pending petitions” could wipe out the entire privacy rulemaking, not just the data security section, in response to petitions filed by trade groups representing ISPs. That vote has not yet been scheduled.
The most well-known portion of the privacy order requires ISPs to get opt-in consent from consumers before sharing Web browsing data and other private information with advertisers and other third parties. The opt-in rule is supposed to take effect December 4, 2017, unless the FCC or Congress eliminates it before then.
Pai has said that ISPs shouldn’t face stricter rules than online providers like Google and Facebook, which are regulated separately by the Federal Trade Commission. Pai wants a “technology-neutral privacy framework for the online world” based on the FTC’s standards. According to today’s FCC statement, the data security rule “is not consistent with the FTC’s privacy standards.”
“Chairman Pai believes that the best way to protect the online privacy of American consumers is through a comprehensive and uniform regulatory framework,” the FCC said. “All actors in the online space should be subject to the same rules, and the federal government shouldn’t favor one set of companies over another.”
But the FTC is barred from regulating common carriers, a distinction that the FCC applies to broadband providers. So the FTC won’t be protecting the privacy of ISP customers unless ISPs are reclassified. The FCC or Congress could change that classification, but that move could also wipe out net-neutrality rules that rely on the FCC’s authority over common carriers.
What the data security rules require
FCC privacy rules already apply to telephone service. Wheeler’s privacy order changed the privacy rules and applied them to fixed and mobile broadband service in addition to phone service for the first time.
The data security rule says that telecommunications providers “must take reasonable measures to protect customer PI [proprietary information] from unauthorized use, disclosure, or access.” That includes financial and health information, information pertaining to children, Social Security numbers, precise geo-location data, the content of communications, call detail information, Web browsing history, and application usage history.
The FCC did not mandate any specific data security practices, but it did provide some recommendations. For example, the privacy order encouraged ISPs to consider adopting industry standards such as the Cybersecurity Framework, written by the National Institute of Standards and Technology (NIST), and best practices recommended by the FCC’s Communications Security, Reliability and Interoperability Council.
But the privacy order stressed that following these standards is “voluntary” and that “providers retain the option to use whatever risk management approach best fits their needs.” If there are complaints about security, the FCC would decide whether the ISP has implemented reasonable data security practices based on a few factors. In specific cases, the FCC planned to consider the ISP’s size, the technical feasibility of security measures, “the nature and scope of [an ISP’s] activities,” and “the sensitivity of the data it collects.”
Another part of the privacy order related to data breach notifications doesn’t take effect until June 2. The breach notification rule requires providers to notify affected consumers within 30 days “after reasonable determination of the breach.” For data breaches affecting at least 5,000 customers, telcos must notify the FBI, Secret Service, and FCC within seven business days. For data breaches affecting fewer than 5,000 customers, the companies must notify the FCC at the same time they notify consumers.
When the FCC approved the privacy rules, Wheeler argued that ISPs are uniquely capable of collecting consumers’ Internet traffic because they can monitor everything that goes over the connection and because switching ISPs is difficult for customers. Consumer advocacy groups supported the privacy rules and have been urging Congress and the FCC to leave them in place.