Return to what works to protect online security

Raymond Keating
Raymond Keating

There are rare moments when government establishes a regulatory framework that works pretty well. That had been the case with the Federal Trade Commission (FTC) as the regulator of online privacy for the past two decades.

As U.S. Sen. Jeff Flake, a Republican from Arizona, explained in an op ed in the Wall Street Journal: “Under the FTC’s watch, our Internet and data economy has been the envy of the world. The agency’s evidence-based approach calibrates privacy and data security requirements to the sensitivity of information collected, used or shared online and applies protections in a consistent and evenhanded way across business sectors. Consumer behavior demonstrates the success of the FTC’s regulatory approach: Each day people spend more time engaging in online activities.”

This framework certainly has worked well for small businesses that have moved confidently to expand, invest, innovate, reach new markets, pursue opportunity and earn profits online.

Unfortunately, the Federal Communications Commission (FCC) under its previous chairman, Tom Wheeler, was having none of that. The Wheeler FCC went beyond its statutory authority in 2015 by imposing common carrier regulation on broadband service providers under Title II of the Communications Act of 1934. That is, the FCC decided to unilaterally regulate broadband service providers as if they were a 1930s telephone monopoly.  Subsequently, the FCC cut out the FTC from its role as the regulator of online privacy for Internet service providers (ISPs) — again, a step never intended by Congress. As a result, the FCC in October set out its own privacy rules, which, naturally, differed from what’s worked and been applied by the FTC. The FCC decided to impose differing requirements on ISPs, which would increase both uncertainty and costs. In effect, consistency and confidence would be replaced by confusion.

Thankfully, the FCC voted to place a temporary stay on the questionable data security aspect of the October 2016 privacy order.

As FCC Commissioner Michael O’Rielly stated: “To be clear, I think the law and commission precedent are quite straightforward: the FCC lacks authority to adopt data security rules for any type of provider. Data security is not mentioned anywhere in the Communications Act, and other statutes and legislative efforts that have addressed the topic do not afford the FCC any role. I consistently objected to the prior commission’s unlawful attempts to freelance in this area long before the Net Neutrality Order and Privacy Order were adopted. I also pointed out that the commission’s attempts to saddle the communications sector with experimental regulations could conflict with well-established FTC precedents that have served as a predictable road map for businesses and consumers alike.”

For good measure, as Sen. Flake reported: “To protect consumers from these harmful new regulations, I will soon introduce a resolution under the Congressional Review Act to repeal the FCC’s flawed privacy rules. While the resolution would eliminate those rules, it would not change the current statutory classification of broadband service or bring ISPs back under FTC jurisdiction. Instead, the resolution would scrap the FCC’s newly imposed privacy rules in the hope that it would follow the FTC’s successful sensitivity based framework. This CRA resolution does nothing to change the privacy protections consumers currently enjoy.”

In a joint statement, FCC Chairman Ajit Pai and Acting FTC Chairman Maureen K. Ohlhausen exhibited wisdom in pursuit of regulatory common sense. They said: “The Federal Communications Commission and the Federal Trade Commission are committed to protecting the online privacy of American consumers. We believe that the best way to do that is through a comprehensive and consistent framework. After all, Americans care about the overall privacy of their information when they use the Internet, and they shouldn’t have to be lawyers or engineers to figure out if their information is protected differently depending on which part of the Internet holds it. That’s why we disagreed with the FCC’s unilateral decision in 2015 to strip the FTC of its authority over broadband providers’ privacy and data security practices, removing an effective cop from the beat …. We still believe that jurisdiction over broadband providers’ privacy and data security practices should be returned to the FTC, the nation’s expert agency with respect to these important subjects. All actors in the online space should be subject to the same rules, enforced by the same agency. Until that happens, however, we will work together on harmonizing the FCC’s privacy rules for broadband providers with the FTC’s standards for other companies in the digital economy.”

As the old saying goes, business loves certainty. For good measure, small businesses love common sense when it comes to regulation. Unfortunately, under the Wheeler FCC, certainty and common sense were in short supply. That’s changing at the FCC under the chairmanship of Ajit Pai.