The multi-year net neutrality battle may be complicating efforts to regulate internet data privacy while hurting consumers.
The U.S. Government Accountability Office (GAO) released a report last week highlighting how the FCC’s constant reclassification of internet service providers (ISPs) complicates the privacy debate by ping-ponging internet privacy responsibilities between the Federal Trade Commission (FTC) and the Federal Communications Commission (FCC).
The report calls for a federal privacy law, citing tech companies like Facebook and its misuse of consumer data, and recommends Congress establish civil penalties for bad behavior. It defines “internet data privacy” as data affected by “the collection and use of consumers’ personal information such as their Internet browsing histories, purchases, locations, and travel routes.”
When the Obama administration’s FCC enacted net neutrality rules in 2015, classifying ISPs as telecommunications services instead of information services, the FCC assumed responsibility for all privacy concerns regarding ISPs, including companies like AT&T, Comcast, Frontier, Verizon and others. When the Trump administration’s FCC reversed its net neutrality policy in 2017, the FTC assumed responsibility for privacy concerns regarding ISPs.
The problem is — as the GAO report notes — the FCC and FTC address privacy concerns differently, which results in more industry confusion about how to handle consumer data.
Because there is no comprehensive data privacy law, the two agencies rely on complaints to enforce general standards. For example, the FTC’s role is to stop “unfair or deceptive acts or practices in or affecting commerce,” under section 5 of the 1914 FTC Act (amended in 1938). The leaves it up to other agencies, Congress, consumers or industry players to submit complaints about how a tech company deceptively handles or misuses consumer data.
The FCC, on the other hand, can only address violations of the 1934 Communications Act, and there are different standards for information services and telecommunications services.
The GAO report notes that when the Obama administration’s FCC enacted net neutrality rules in 2015, the agency released its own privacy regulations for ISPs, which were then repealed by Congress under the Congressional Review Act. The Trump administration’s FCC then repealed net neutrality in 2017, so ISPs never complied with the FCC’s privacy rules.
Multiple think tanks and tech companies sued the FCC over its net neutrality reversal, and if they win those lawsuits, privacy regulation and enforcement may be split between the FCC and FTC again.
Multiple congressional hearings, input from experts and industry players, as well as the GAO report supported the conclusion that privacy regulation shouldn’t be divided between agencies, and that the U.S. needs a federal privacy standard enforced by the FTC and applied to all companies.
That could hinge on the net neutrality fight, which puts the onus on Congress to legislate the issues and end the debate over net neutrality and privacy.
“Recent developments regarding internet privacy suggest that this is an appropriate time for Congress to consider comprehensive internet privacy legislation,” the GAO concluded. “Although the FTC has been addressing internet privacy through its unfair and deceptive practices authority, among other statutes, and other agencies have been addressing this issue using industry-specific statutes, there is no comprehensive federal privacy statute with specific standards.”
Whatever the final law looks like, the GAO stressed the importance of balancing consumer and industry interests so as not to stifle innovation or the ability of tech companies to provide services.
“Debate over [a federal] statute could provide a vehicle for consideration of the Fair Information Practice Principles, which are intended to balance privacy concerns with the need for using consumers’ data,” the GAO said. “Such a law could also empower a specific agency or agencies to provide oversight through means such as APA section 553 rulemaking, civil penalties for first time violations of a statute, and other enforcement tools.”