The head of the Federal Communications Commission’s Wireline Competition Bureau offered a long-awaited peek this week inside the thinking behind the agency’s forthcoming privacy rules for broadband — an issue that has net neutrality advocates cheering and providers themselves trembling.
“I’m here today to talk about another part of the Communications Act, Section 222, and in particular, staff’s work towards developing a notice of proposed rulemaking that, if adopted, would set forth proposals and seek comment on rules to protect the privacy interests of broadband subscribers,” FCC Wireline Competition Bureau Chief Matthew DelNero said at a privacy and data security symposium Thursday.
“With broadband as the defining infrastructure of the 21st Century,” DelNero continued, “it is no surprise that we are discussing the privacy and data security of information that American consumers send over those networks every day.”
When the FCC adopted Chairman Tom Wheeler’s net neutrality plan reclassifying Internet service providers as public utilities last year, the agency decided against applying rules governing how common carriers like telephone networks use customer proprietary network information — “in layman’s terms, information a provider has about you by virtue of the customer-provider relationship,” DelNero explained.
Since the dawn of the Internet age, such information often includes everything from the websites you visit to the things you buy online, and is often shared by web services and providers with third parties for straight profit, targeted advertising, innovation and customization to improve users’ online experience.
At the time, the agency said the rules, rooted in Section 222 of the Communications Act, were too telephone-centric, and that it needed to develop new rules for ISPs, whose data privacy practices fell under Federal Trade Commission jurisdiction before reclassification.
Providers have spent the months since petitioning the FCC to take a light-touch, FTC-style case-by-case approach to privacy regulation instead of adopting hardline net neutrality-style rules, which they worry could limit how they monetize customer data for network expansion and innovation.
DelNero said the FCC, Congress and the FTC have set important precedents since the dawn of the telephone era in the 1930s ensuring telephone, medical, educational, financial and technology firms protect and respect the privacy of customer data — precedents that give the FCC the authority and guidance it needs in drafting new rules for broadband.
“In enacting that provision as part of the Telecommunications Act of 1996, Congress found that information collected by communications networks requires particular protections and expert agency oversight,” DelNero explained. “So just as the Department of Health and Human Services regulates the privacy practices of ‘covered entities’ under HIPAA – such as doctors, hospitals, and health insurance plans – the FCC has applied section 222 to protect data that carriers collect by virtue of providing telecommunications services to their customers.”
The bureau chief repeated that the rules will only apply to ISPs — edge providers like Google, Amazon, and Facebook will stay within the realm of the FTC — and that after launching a workshop and speaking with stakeholders including consumers, privacy advocates and providers themselves, the FCC settled on three major guiding principles for the rules.
“First is transparency – the notion that customers of broadband access services should receive clear, conspicuous, and understandable information about providers’ privacy practices,” DelNero said, adding that provider disclosures to customers about how they use their data are already a “bedrock principle” for the telephone, cable, Internet and advertising sectors, and in regulations applied by the FTC and National Telecommunications and Information Administration.
“Second is choice,” DelNero went on, suggesting consumers should be able to “approve” how companies handle their personal information “for purposes other than the provision of the telecommunications service.”
“Here, the goal is to ensure that consumers have the tools they need to make choices about the use and sharing of that information,” he continued, “with a recognition that what those tools should be are dependent in part on context.”
“Third is data security,” the bureau chief said, pointing out “privacy and security are inexorably linked,” and that subscribers should be able to “expect that their broadband providers will protect their data with reasonable measures” against unauthorized internal or external access and use.
“And when that information is breached, customers have a right to know,” DelNero said.
A panel of telecom law, privacy and technology experts met in Washington earlier this week to argue ISPs already face ever-shrinking access to customer data because of the growing adoption of technologies like encryption and virtual private networks.
The same panel argued that pro-net neutrality groups like Public Knowledge were the real face behind the push for new privacy rules, that the legal precedent cited by the FCC only applies to voice services, and that any new rules should be developed in conjunction with the FTC to give users a single set of easily understandable protections.
During an FCC oversight hearing earlier this week, Wheeler told a Senate committee he hopes the privacy rules are coming soon, possibly before the end of March.