Sweeping federal privacy legislation meant to crack down on big tech could inadvertently give telecoms a free pass to mishandle consumer data, privacy advocates warn.
Under the American Data Privacy Protection Act, the Federal Communications Commission would no longer have the authority to enforce its privacy regulations for common carriers such as AT&T and Verizon that handle the vast majority of Americans’ phone calls and text conversations.
Stripping these authorities from an agency with years of experience overseeing the massive telecom industry, which has a long history of privacy lapses, could pose an immediate threat to consumer data protection, experts warn.
“We’re concerned this piece [of the legislation] isn’t intended to and won’t improve Americans’ privacy in any sort of way,” said Lee Tien, legislative director at the nonprofit privacy group Electronic Frontier Foundation. EFF has pointed out other concerns with the bill, including the preemption of state privacy frameworks.
For decades, the FCC has overseen what personal information telecoms can collect and share with third parties. That includes what information common carriers can share with law enforcement without a warrant. The ADPPA does not offer consumers any protections from voluntary information sharing with law enforcement, a problem that has become ubiquitous in the tech industry.
The commission also enforces data breach notification rules, making telecommunications one of the few industries besides financial services with strict regulations requiring companies to notify customers of cybersecurity incidents exposing their data.
Under the ADPPA, privacy enforcement for common carriers would go to the Federal Trade Commission. However, critics argue that the bill does little to set up the FTC to even match the FCC’s enforcement powers and agency expertise.
For instance, the FTC would not be able to hold carriers responsible for third-party activities or issue injunctive relief without going to court, two authorities the FCC has. It’s also unclear if the FTC, which has for years expressed concerns to Congress about inadequate funding, will have the capacity for the additional oversight as it also takes on the sprawling tech industry.
“The problem with the Federal Trade Commission is it has fewer tools that it can use to enforce the rule and it has a lot more ground to cover,” said Harold Feld, senior vice president at Public Knowledge, a nonprofit public interest group that broadly supports ADPPA. “It’s basically the difference between going to your regular family doctor versus a cancer specialist. Your regular family doctor may be the best family doctor, but he can’t treat your cancer. For that you need to go to a specialist.”
Other agencies with privacy statutes, such as Health and Human Services, are not preempted by ADPPA. State data breach laws are also not overridden.
The ADPPA does outline protections for key common carrier data, including precise geolocation information and call and text history information. The pending legislation also gives the FTC some authority to expand the definition of “sensitive data” covered in the law.
“It’s unfortunate that this is table stakes for industry to be supportive of the bill, but we are getting a lot of the same protections and much stronger protections than are in Section 222 [of the Communications Act],” Eric Null, director of the privacy and data project at the Center for Democracy and Technology, said of the changes. He pointed to the ADPPA’s requirement that companies minimize the data they collect and the bill’s civil rights protections.
If the law is passed, ongoing FCC regulatory actions against industry privacy practices would no longer have legal standing. That includes an investigation launched last month into what data the top 15 mobile providers in the U.S. collect and how they use it afterward. Companies under investigation include AT&T, T-Mobile, Verizon and Google. The FCC requested a response by Aug. 3. The agency in 2020 proposed $208 million in fines against several major telecommunications companies for selling customer location information, including to bounty hunters. The fines are still pending.
This isn’t the first significant reduction of the FCC’s power to regulate privacy. In 2016, the agency implemented the same privacy requirements for broadband internet service providers (ISPs) as for common carriers, including requiring opt-in consent from customers to share sensitive data and providing consumers with breach notifications.
But in 2017, alongside the Trump administration’s push to reverse Obama-era net neutrality rules, Congress voted to nullify the order. The act prevented the agency from adopting any sort of regulatory rules that applied to broadband internet access services and instead kicked oversight to the FTC, which had no specific privacy laws for the industry. The FTC has since found that internet service providers largely mislead consumers over how much personal data they collect and how they use it.
Both current FCC chair Jessica Rosenworcel, a Democrat, and long-stalled Democratic FCC nominee Gigi Sohn have expressed interest in bringing ISPs back under the FCC’s enforcement under a Democratic majority.
ADPPA isn’t the only legislation currently circulating in Congress that could affect the FCC’s privacy enforcement. Introduced last week, the Net Neutrality and Broadband Justice Act would restore the FCC’s authority to regulate broadband, including with respect to privacy.
The FCC declined to comment for this story.
Proponents of the changes under the ADPPA disagree that the FCC’s historic standing should take precedence.
“It does not benefit consumers to impose different requirements that depend upon an entity’s legacy regulatory history,” Maureen Ohlhausen, co-chair at the 21st Century Privacy Coalition, testified about the bill in June. The 21st Century Privacy Coalition is a telecom-funded group.
There is still time for the House to make changes to the legislation. It has yet to see a House vote, and Senate Commerce Chair Maria Cantwell, D-Wash., has refused to bring the bill for a markup until concerns are addressed. The committee has instead focused on passing children’s privacy legislation.
“In a lot of ways, the ADPPA is a real step up for privacy for Americans in a lot of different ways,” said Feld from Public Knowledge. “It’s just that the business of Facebook is very different from your phone calls and treating your phone calls as if they were similar to your Facebook ‘Likes’ is not a good way to protect privacy.”