FCC NPRM Doesn't Take Economic Approach to Privacy, Panelists Say
The FCC proposal to impose stricter privacy rules on ISPs would create an uneven playing field, favoring edge providers like Google and Amazon, doesn't use an economic approach and needlessly would impose heavy security requirements to protect customer information that is essentially public, panelists at a Technology Policy Institute discussion said Monday. But Lisa Hone, FCC associate Wireline Bureau chief, said the FCC NPRM is still just a proposal. The commission expects "vigorous comment," she said. "From a staff perspective, we’re interested in hearing what works and what doesn’t work for customers and ISPs."
The FCC NPRM, released March 31, includes more than 500 questions that will help the commission decide how to impose its privacy jurisdiction, which it gained when net neutrality rules that reclassified broadband as a Communications Act Title II service were adopted last year (see 1603310049). Republican Commissioners Mike O’Rielly and Ajit Pai voted against the NPRM. Like other critics, they said tightly regulating ISPs would favor edge providers and harm competition (see 1603230041, 1603300024 and 1603100041).
Jon Nuechterlein, Sidley Austin attorney and former FTC general counsel, raised a common argument that the NPRM creates more restrictions for ISPs than what edge providers would be subject to in the Internet ecosystem. He said the FCC has acknowledged this issue, but the commission said there are several ways the regulatory disparity would be reduced, which he countered. For instance, the FCC said the edge providers are still subject to FTC oversight. But Nuechterlein said FCC authority is confined to deception and unfairness violations of Section 5 of the Federal Trade Commission Act. Plus, he said that the FTC is more flexible and less prescriptive in its enforcement and requires a cost-benefit analysis, which is absent in the NPRM.
The "lack of an economic approach" within the FCC NPRM is the "core problem," said former FTC Commissioner Josh Wright, who left the commission in August and is now a George Mason University law professor and is also at Wilson Sonsini. There's "certainly not an economic method behind the madness of determining when or whether ... we should do any of this," he said. By contrast, he said, the FTC has a collection of 50 professional economists who help the commission determine what's harm and how big it might be.
Nuechterlein also countered FCC reasoning that more ISP oversight is needed since broadband providers have more direct access to all customer information. He said edge providers routinely have access to "enormous volumes" of customer information, some of which may be subject to sector-specific regulation. He also cited research by Peter Swire that said ISPs have less access than companies like Google to customer information on the Internet due to increased usage of encrypted traffic (see 1602290047).
Within the NPRM, the choice or consent aspect is the "most controversial," said FCC's Hone, who spent a decade working at the FTC. She said the NPRM generally says customer information is their own and they should be able to control its use by broadband providers. ISPs or their affiliates would be allowed to use some customer information but the NPRM would allow customers to opt out of those uses, specifically for marketing communications-related services such as wireless or voice, Hone said.
In the NPRM, the FCC proposed a category of information called customer proprietary information (PI) that would be composed of customer proprietary network information (CPNI), historically regulated by the FCC, and personally identifiable information collected by ISPs. The commission wants ISPs to get customer "opt-in" approval to use PI for any purpose other than the marketing of other communications-related services (see 1604040032). However, DLA Piper privacy lawyer Jim Halpert said the NPRM would propose that existing CPNI requirements apply to a much broader range of information. He said it appropriately includes sensitive information such as Social Security and driver's license numbers, but it also includes nonsensitive customer data, which doesn't make much sense from an information security perspective.
"Do we want them spending millions of dollars and focusing heavy duty security requirements on information that’s freely available essentially in the public, that’s actually offered for sale by data brokers all over the Internet and other parts of the economy?" Halpert asked. "I really don’t think so and I think that’s again the problem of this trying to shoehorn the broadband provider data in the general security framework of the original CPNI order."
Halpert also criticized the data breach notification requirements proposed by the FCC as going far beyond state laws. For instance, the proposal would require notification in all cases to the FCC within seven days and to individuals within 10 days. But Florida, which has the shortest data breach notification period among states, has a 30-day requirement with an automatic 15-day extension and that's because complex breaches require more than a month to figure out who should be notified, he said. "Finding malware and discovering the extent of an incident can be very challenging."
Halpert also took issue with several other elements within the NPRM, saying the obligations for ISPs to protect data that "creates no risk whatsoever is really a distraction from much more important security responsibilities. It gets to the level of being really bad cybersecurity policy because we want these operators to be protecting their networks rather than worry[ing] about every piece of information that might be linkable to an individual customer."