Federal privacy bill would strip FCC’s role as telecom industry’s privacy cop
Sweeping federal privacy legislation now under debate in Congress is expected to move oversight of the telecom industry’s privacy practices from the Federal Communications Commission (FCC) to the Federal Trade Commission (FTC), a shift that has long been a priority for telecom companies, which bristle at a well-resourced FCC’s technical expertise and highly focused oversight.
The House Energy and Commerce Committee is now negotiating a bill similar to a version that had strong bipartisan support last year but did not make it to the House floor. Once again the legislation is widely believed to include language to displace the FCC’s oversight of the privacy of telephone, cable TV, and satellite TV services.
There is a clash among privacy advocates over whether such a move would weaken regulation of an industry with access to a vast amount of consumer data — and whether sacrificing FCC oversight is worth the Republican support needed to enact the bill.
Some experts say the FCC has not been a consistent regulator of the telecom industry’s privacy practices. They are willing to see oversight move to the historically under-resourced and more broadly focused FTC if that’s what it takes to win support for the bill, known as ADPPA, from congressional Republicans.
"As long as you give the FTC — which has the experience and has been the real privacy cop on the beat for decades — the ability to fine malefactors, which this bill would do, then we should give up FCC jurisdiction in a heartbeat if it really can get a bill enacted," former FTC Chair Jon Leibowitz said in an interview.
He added that unprecedented federal privacy legislation will require all sides to “take a haircut,” and since the telecom industry has long lobbied for shifting enforcement to the FTC, the bill’s FCC carve-out is a “lever for getting the bill across the goal line.”
Leibowitz, who previously represented the broadband industry and now sits on the board of the National Consumers League, noted he was speaking in a personal capacity. He added that the FCC has had an “on again, off again relationship with consumer privacy” and while it has “done good things, it hasn't been particularly active.”
Despite the FCC’s historically hands-off approach, industry leaders know the agency’s posture could change in the future, said David Brody, a privacy advocate who advised on creation of the bill.
Brody, who leads the Digital Justice Initiative at the nonprofit Lawyers’ Committee for Civil Rights Under the Law, said the FCC has not taken advantage of its budget and expertise in recent years, citing the fact that “cell phone location data is being bought and sold in apparent violation of the Communications Act and there has not been adequate enforcement or regulation.”
Last June news reports revealed that T-Mobile had begun selling marketers data showing customers’ app usage. Last year the FTC rebuked the country’s six largest internet service providers (ISPs) for gathering massive amounts of customer personal data without adequately disclosing the practice.
“The FCC is the digital Rip Van Winkle,” said Jeff Chester, the executive director of the Center for Digital Democracy. “It has been sleeping for the last 20 years.”
Deep visibility into consumers' lives
The telecom industry has incredibly detailed knowledge of individual behaviors, experts and advocates said, noting that internet companies like Google can only see the traffic that traverses their services, whereas companies like AT&T and Comcast can potentially see all of that traffic and whatever else traverses their networks. They assert that this visibility into consumers’ lives – as well as the industry’s historic flouting of rules — requires more regulation.
“They're our ISP and they have access to everything,” said Harold Feld, senior vice president of Public Knowledge, a nonprofit focused on the digital marketplace.
He added that since ISP infrastructure supports mobile phones, among other things, the telecom companies “know where you are right now and what you're doing right now in a way that companies like Google and Facebook can only dream about knowing.”
Last month FCC Chair Jessica Rosenworcel announced a new privacy and data protection task force, saying the agency needs to do more about the telecom industry’s rampant abuses of individual privacy. She cited a 2018 New York Times story showing that the country's largest wireless carriers were selling real-time location information.
“Just about anyone could pay $300 to a bounty hunter and get information about when and where you were using your mobile phone,” Rosenworcel said in a speech unveiling the task force. “That's the kind of sacrifice of privacy no one should expect when they sign up for wireless service.”
The Telecommunications Industry Association, which represents the industry, declined to comment.
Rosenworcel noted that the task force will study information amassed after she asked the country’s 15 largest mobile carriers to report their geolocation data retention and privacy practices last year, a first for the agency.
When asked for comment on this story, the FCC referred Recorded Future News to Rosenworcel’s speech last month, during which she also said the agency recently doubled its privacy and data security investigations staff. Among other things, the task force will craft new rules to crack down on SIM swapping fraud, creating standards for how companies authenticate customers before transferring a number to a new device or a new carrier.
The new task force also will modernize FCC data breach rules, now more than 15 years old, to “concentrate our efforts at the agency and give them new focus,” Rosenworcel said.
An agency turf war
Feld said he believes Rosenworcel’s creation of the task force is at least partially motivated by ADPPA and “concern from the FCC that they've now seen that there is a substantial movement to preempt their privacy authority.”
The FCC should retain its privacy enforcement power over the telecom industry, Feld said, arguing that the FTC is a general practitioner whose mandate is “wide and shallow” while the FCC is a “specialist” agency. He said telecom companies want the FTC to oversee them because they understand that they'll be “lost in the crowd.”
“No industry has ever lobbied to move from one regulator to another because they thought that new regulator was going to be harder on them,” Feld said.
However, under its current chair, Lina Khan, the FTC has been markedly more aggressive than it has in the past. Last August the FTC announced it had begun a rulemaking process to address the privacy practices of the commercial surveillance industry.
“Technologies essential to everyday life also enable near constant surveillance of people’s private lives,” the announcement for the initiative said. “The FTC is concerned that companies have strong incentives to develop products and services that track and surveil consumers’ online activities as much as possible.”
The FTC declined to comment for this story, saying it does not discuss pending legislation.
The FCC issued aggressive new privacy rules in 2016, according to Ernesto Falcon, senior legislative counsel at the Electronic Frontier Foundation (EFF), a nonprofit focused on digital civil liberties. But during the Trump administration the industry lobbied Congress, which repealed the rules before they went into effect.
It’s a history that explains the intensity of ADPPA lobbying, Falcon said, and why more typically business-friendly Republicans are using preemption of the FCC as a bargaining chip.
“AT&T and Comcast lobbied very hard to get themselves deregulated on privacy, spending an awful lot of resources on doing internal lobbying and campaign contributions,” Falcon said. “And they were successful.”
_Correction: A previous version of this story mistakenly stated that the telecommunications industry was subject to aggressive privacy rules in 2016. Congress repealed the rules before they took effect._
Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.