The FCC's Shortest-Lived Rules: Why the FCC's Broadband Privacy Regulations Are No Longer the Law of the Land


The FCC’s 2016 Broadband Privacy Rules are no longer effective.  As we previously reported, the FCC issued its Broadband Privacy Order in November 2016, which adopted new privacy rules intended to significantly increase the data privacy and security obligations of Internet Service Providers (ISPs).  The new rules purported to supplant the FTC’s long-standing practice of encouraging ISPs to conform their practices to accepted industry norms and of bringing enforcement actions in response to unfair or deceptive practices or data breaches.  In its Order, the FCC imposed new disclosure requirements, adopted a “sensitivity-based” customer choice framework, and heightened its data security and data breach notification requirements.

On March 28, 2017, however, in a stark blow to the rulemaking power of the FCC regarding matters of Internet privacy, Congress voted to overturn the Broadband Privacy Order.  And on April 3, 2017, President Trump dealt the final blow to the FCC’s order when he signed the Congressional Joint Resolution into law, which rolled back the Broadband Privacy Order.

The decision to repeal the FCC’s action was made possible by the Congressional Review Act (CRA), which empowers Congress to review, by expedited means, any new administrative regulation and to overturn that regulation within 60 in-session days of the regulation's final promulgation.  The CRA also prohibits the agency that issued the rule from reissuing the rule in substantially the same form as the version that Congress struck down “unless the reissued or new rule is specifically authorized by a law enacted after [disapproval of] the original rule.”  Through Congress's use of the CRA, then, new obstacles have been added to the FCC’s future enactment of privacy regulations.

The Congressional action used to kill the Broadband Privacy Order is particularly notable because Congress rarely has the opportunity to use the CRA to kill a major initiative achieved by a prior presidential administration.  Indeed, prior to this year, the CRA had been successfully used by Congress to overturn only a single rule adopted by an executive branch agency.  The last such use of the CRA was all the way back in 2001.  Congress's most recent use of the law, however, makes clear that the CRA still has teeth.  Here, it struck down an FCC regulation that took the Obama-era FCC years to craft.

Since most of the repealed privacy rules had not yet gone into effect, the immediate practical effects on ISPs will not be substantial.  However, this action has received much attention and garnered strong criticism from consumer groups because of the potential longer-term impacts on consumers, including concerns that ISPs will sell Internet browser history to third parties.

President Trump’s administration is clearly in favor of the Congressional decision to eliminate the restrictions that had been put in place under President Obama.  FCC Chairman Ajit Pai and FTC acting Chairman Maureen Ohlhausen have supported this roll-back action, while signaling an interest in continuing to protect consumers.  They declared through a joint public statement that “Congress’s decision didn’t remove existing privacy protections, it simply cleared the way for us to work together to reinstate a rational and effective system for protecting consumer privacy.”  They concluded, “The American people deserve a comprehensive framework that will protect their privacy throughout the Internet.  And that’s why we’ll be working together to restore the FTC’s authority to police ISPs’ privacy practices.  We need to put the nation’s most experienced and expert privacy cop back on the beat, and we need to end the uncertainty and confusion that was created in 2015 when the FCC intruded in this space.”

We will continue to follow developments related to ISP privacy obligations.  We anticipate that the FTC will move to reassert its authority over ISP data privacy breaches when they occur and that consumer groups will continue to push for greater and more effective protections for personal information, particularly Internet browser histories.