The FCC has issued a temporary stay of an online privacy rule for Internet service providers that the commission enacted last year under then-Chairman Tom Wheeler. The rule would have gone into effect today, March 2, and the stay will remain in place until the commission can act on pending petitions for reconsideration.
FCC Chairman Ajit Pai, a commissioner when the rule was adopted, opposed it at the time. At the root of the disagreement is consistency, or rather lack thereof. Pai and Commissioner Michael O'Reilley argued that the proposed rule unfairly treats ISPs differently than other large online entities such as Google and Amazon.
In a joint statement with Federal Trade Commission Chairman Maureen K. Ohlhausen, Pai said in part: "All actors in the online space should be subject to the same rules, enforced by the same agency. Until that happens, however, we will work together on harmonizing the FCC's privacy rules for broadband providers with the FTC's standards for other companies in the digital economy."
The stay is intended to provide time for the FCC to work with the FTC to create a consistent online privacy framework. The FTC formerly had authority over digital privacy and data security practices, but that authority was removed when the FCC adopted its Title II Open Internet Order in 2015. The stay is also intended to ensure that ISPs do not incur unnecessary compliance costs while the commission considers modifications to the rule.
In a statement, ACA President and CEO Matthew M. Polka said, in part: "Given the likelihood that the current FCC will revisit the agency's broadband privacy and data security rules and harmonize them with the Federal Trade Commission's related standards, ACA applauds the FCC's decision to stay its data security rules. Forcing small operators to implement rules now that are likely to be rescinded and replaced with different rules would be a significant and unjustified burden."
While the ISP industry has reacted positively to the stay, consumer advocacy groups generally have not.
In a statement, Chris Lewis, vice president at Public Knowledge, said in part: "After finally gaining basic privacy protections for broadband providers last year, it's outrageous that Chairman Pai will now remove the simple rule that Internet service providers must take reasonable data security measures to protect their customers' information. This is not a controversial requirement. This elimination of basic data security rules gives ISPs a free ride while online services and other edge providers are still required to take reasonable measures to protect their customers' information under the FTC's framework. That is not a level playing field."
The FCC says that ISPs have been - and will continue to be - obligated to comply with Section 222 of the Communications Act and other applicable federal and state privacy, data security, and breach notification laws. In addition, broadband providers have released a voluntary set of "ISP Privacy Principles" that are consistent with the FTC's privacy framework. For other telecommunications carriers, the FCC's preexisting rules governing data security will remain in place. The stay does not address those rules that became effective earlier this year or those that are scheduled to become effective later this year.