Comments in Support of FCC’s Temporary Stay of the Data Security Aspect of October 2016 Privacy Order
By SBE Council at 15 March, 2017, 9:23 am
BY ELECTRONIC FILING
Ms. Marlene H. Dortch
Federal Communications Commission
445 12th St, S.W.
Washington, D.C. 20554
Re: WC Docket No. 16-106: Protecting the Privacy of Consumers of Broadband and Other Telecommunications Services
Dear Ms. Dortch,
On behalf of the Small Business & Entrepreneurship Council (SBE Council), I am writing in support of the Federal Communications Commission’s (FCC) vote on March 1, 2017, to place a temporary stay on the data security aspect of the October 2016 privacy order. SBE Council supports vacating the order.
SBE Council is a nonpartisan, nonprofit advocacy, research and education organization dedicated to protecting small business and promoting entrepreneurship. With nearly 100,000 members nationwide, SBE Council works to advance initiatives and policy proposals to enhance competitiveness and improve the environment for business start-up and growth. SBE Council has closely followed telecommunications and technology policy since our founding in 1994 and has weighed in on relevant issues since the passage of the 1996 Telecommunications Act. We have consistently supported policies to keep intrusive government actions at bay to allow for innovation and technology in the marketplace. A humble approach by government regulators, up until recent times, has fostered an extraordinary level of investment, innovation and entrepreneurship benefitting consumers and businesses alike. Technological innovation in the telecommunications sector has especially helped small businesses navigate a very difficult economy over the past ten years.
As small business owners perhaps understand best, it is a welcome situation when a regulatory framework works pretty well. That had been the case with the Federal Trade Commission (FTC) as the regulator of online privacy for the past two decades.
Unfortunately, the FCC went beyond its statutory authority in 2015 by imposing common carrier regulation on broadband service providers under Title II of the Communications Act of 1934. By doing so, the FCC cut out the FTC from its role as the regulator of online privacy for Internet service providers (ISPs) – again, a step never intended by Congress. As a result, the FCC in October 2016 set out its own privacy rules, which differed from what has worked and been applied by the FTC.
The FCC would impose rules requiring broadband providers to get the explicit consent of a consumer before using their web browsing or app usage history. Most of America’s Internet and broadband providers are small providers. Consider, for example, that according to the latest data (2014) from the U.S. Census Bureau, 92.3 percent of wired telecommunications carriers have fewer than 100 workers, and among wireless telecommunications carriers, 87.2 percent have fewer than 100 employees. These small companies are quite concerned about the impact of this new FCC order, that is, its cost and complexity, and about being able to comply with it. While the final rules allowed small providers more time to comply with the order (two years compared to the one year given to large providers), there was no serious effort put forth by the FCC to analyze impact and cost on small providers. This is another example of a federal government agency ignoring its duties when developing new rules and why serious reform needs to take place not only at the FCC, but also across all federal agencies.
In a recent letter to Congress co-signed by SBE Council, key problems of shifting away from the FTC and its emphasis to the FCC’s privacy order were highlighted:
• The FCC’s approach is inconsistent with that of the Federal Trade Commission for nearly two decades, and will likely render harm unto consumers.
• The FTC focuses on what data are held, the level of data sensitivity, and how consumers are affected if the data are misused. This outcomes-based approach takes consumers’ preferences into account while preventing actions that harm consumers.
• The FTC’s approach rests on well-established standards of Unfairness (preventing substantial consumer injury) and Deception (enforcing material promises). Consumers generally agree on what constitutes financial and physical injury. Consumers deem data that could lead to these types of injuries more sensitive, and expect higher security for these data.
• The sensitivity of other “private” information is, as the FTC rightly recognizes, often subjective, depending on its use. Some people might choose to post everything about themselves online — details that others might find invasive or embarrassing if made public — while others choose not to join social networks. Some might find value in an application using data about their geolocation in a particular way, while others decline participation because they consider the benefit of the service outweighed by its privacy cost. None of these approaches to privacy is incorrect. Each is a personal decision about tradeoffs. Taking varying consumer preferences into account, the FTC’s standards functioned reasonably well, requiring opt-out in most instances and opt-in only for particularly sensitive kinds of data.
• The FCC approach focuses on who holds the data, rather than what — and how sensitive — the data are. This hinders services that consumers want while failing to protect sensitive data across contexts.
• The FCC’s questionable ability to regulate privacy standards, and its narrow view on what constitutes privacy protection, make its rules counterproductive to actual consumer privacy protections. In contrast, the FTC’s approach to privacy does a better job of balancing protection of consumers’ privacy online with economic incentives to innovate in consumer products and services.
Indeed, the success of the FTC’s guidance in this area is clear from what has actually occurred in the marketplace, that is, by the verdict of consumers, entrepreneurs and businesses. As U.S. Senator Jeff Flake (R-AZ) explained in an op-ed in the March 1, 2017, Wall Street Journal: “Under the FTC’s watch, our internet and data economy has been the envy of the world. The agency’s evidence-based approach calibrates privacy and data-security requirements to the sensitivity of information collected, used or shared online, and applies protections in a consistent and evenhanded way across business sectors. Consumer behavior demonstrates the success of the FTC’s regulatory approach: Each day people spend more time engaging in online activities.”
In the end, the FCC deciding to impose differing requirements on ISPs would increase both uncertainty and costs. In effect, consistency and confidence would be replaced by confusion.
SBE Council agrees with the following points expressed in a March 1, 2017, joint statement issued by FCC Chairman Ajit Pai and Acting FTC Chairman Maureen K. Ohlhausen:
“The Federal Communications Commission and the Federal Trade Commission are committed to protecting the online privacy of American consumers. We believe that the best way to do that is through a comprehensive and consistent framework. After all, Americans care about the overall privacy of their information when they use the Internet, and they shouldn’t have to be lawyers or engineers to figure out if their information is protected differently depending on which part of the Internet holds it. That’s why we disagreed with the FCC’s unilateral decision in 2015 to strip the FTC of its authority over broadband providers’ privacy and data security practices, removing an effective cop from the beat… We still believe that jurisdiction over broadband providers’ privacy and data security practices should be returned to the FTC, the nation’s expert agency with respect to these important subjects. All actors in the online space should be subject to the same rules, enforced by the same agency. Until that happens, however, we will work together on harmonizing the FCC’s privacy rules for broadband providers with the FTC’s standards for other companies in the digital economy.”
When it comes to regulation, small business, investment and innovation not only need certainty, but common sense as well. Unfortunately, under the previous FCC led by then-Chairman Tom Wheeler, certainty and common sense were in short supply.
Thankfully, that is changing at the FCC under the chairmanship of Ajit Pai. The temporary stay on the questionable data security aspect of the October 2016 privacy order was a sound step, and we support sticking with the FTC’s longtime policies in the area of privacy. That can be achieved by vacating the October 2016 privacy order, having the FCC and FTC work together, and eventually lifting common carrier regulation on broadband service providers.
Karen Kerrigan, President & CEO