Back to News & Commentary

Who Should be in Charge of Privacy in the 21st Century?

Chris Calabrese,
Legislative Counsel, 老澳门开奖结果 Washington Legislative Office
Joe Silver,
Washington Legislative Office,
老澳门开奖结果
Share This Page
December 5, 2013

An effort is underway to significantly set back even the limited amount of government privacy oversight that currently takes place over commercial privacy in the United States. Tuesday the House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade held a hearing titled Federal Trade Commission Review and Outlook. At the hearing, FTC Commissioner Maureen Ohlhausen argued for the repeal of the communications common carrier exemption which would transfer regulatory power of telecommunications networks from the Federal Communications Commission (FCC) to the FTC. While this might sound innocuous enough, the rework could have serious implications for consumer privacy protections.

This proposal is not new; the transfer of regulatory authority is being pushed by a new lobbying group called 鈥淭he 21st Century Privacy Coalition.鈥 This group has been spearheaded by major telecommunications providers and headed by Washington insiders, including former chairman of the FTC Jon Leibowitz and former US Representative Mary Bono. Members include AT&T, Verizon, DirecTV, Comcast, Time Warner Cable, and CIT-The Wireless Association. The Coalition that internet privacy rules need to be simplified, and thus that a single regulatory agency should be responsible for all telecommunications oversight. The FTC would assume a role the FCC has traditionally held, namely providing oversight of telecommunications network intermediaries such as the phone, internet and cable providers the Coalition represents.

Sensitive information like call information and viewing habits already have strong protection from misuse by commercial providers (not to be confused with misuse by the NSA). Those protections should be modernized and extended to new areas like search term results, websites visited and other type of internet records. The danger is that instead the existing protections will be weakened under a sole FTC jurisdiction. A brief overview of the FCC鈥檚 and the FTC鈥檚 existing authority helps explain why.

Currently, under of the Telecommunications Act of 1996, telecommunications carriers, including phone and internet service providers, have a duty to protect consumers鈥 sensitive personal information (such as who customers call) to which they have access as a result of their position as network operators. This 鈥渃ustomer proprietary network information鈥 (鈥淐PNI鈥) can only be disclosed with a customer鈥檚 express consent (opt-in). Prior to this law鈥檚 passage, telecommunications companies were able to sell this data to third party companies for marketing purposes. This law also enabled the FCC to impose security requirements on carriers鈥 disclosure of CPNI to customers over the telephone and online, whereby both law enforcement and the customers themselves must be notified of any security breaches involving CPNI.

Similarly, the subscriber privacy provisions of The Cable Communications Policy Act of 1984 (鈥淭he Cable Act鈥) established a highly protective notice and consent scheme, permitting cable television subscribers to know what a cable operator鈥檚 practices are and providing them an opportunity to limit the data collections and disclosures that the operator may make. Providers must again obtain opt-in consent and must also grant subscribers the right to inspect and correct errors in such data. Police must obtain a court order to access data and the law authorizes damages for companies that violate these provisions.

In contrast, , its privacy-related authority in the area of telecommunications is somewhat limited. It primarily involves monitoring internet companies鈥 privacy policies to make sure the companies keep any promises they make to users regarding when and where personal information and data will be shared, sold or otherwise exploited.

The FTC鈥檚 privacy policy paradigm (which is set forth in ) is familiar to all of us: internet companies post statements detailing their privacy practices and , and then, by visiting and using the site, the user either implicitly or explicitly agrees to the terms of the site. These privacy policies are often written in ways that allow the company to make broad use of the data, most recently demonstrated by Facebook鈥檚 newest round of , which make clear that a condition of using the service is that users must grant the company wide permission to use their personal information in advertising. As long as a company doesn't make any promises that it doesn't keep, the FTC has no way to safeguard consumer data on the web. That is why the FTC has urged Congress to 鈥渃onsider enacting ,鈥 as 鈥渟elf-regulation has not gone far enough鈥 to protect consumer data privacy from abusive data use practices online.

In short, if we transfer regulatory authority and telecommunications oversight from the FCC to the FTC, we will likely see an effort to treat the telecommunications companies in the same way as technology companies like Google and Facebook. The result would be the loss of a number of substantive protections in the process.

If changes are to be considered, they should be part of a discussion of a comprehensive overhaul of the data collection system. For example, we endorse network data protective legislation modeled on the Obama administration鈥檚 which was released in February 2013. The tenets of this report would provide a good foundation for improving consumers鈥 privacy safeguards online by making sure that the important goals of transparency, security, focused collection, and accountability are extended, not eliminated.

Learn More 老澳门开奖结果 the Issues on This Page