FCC privacy proposal would not alter law-enforcement practices, official says
FCC Chairman Tom Wheeler today circulated to other commissioners proposed rules that are designed to protect consumers’ privacy rights in association with their Internet service providers (ISPs), but the proposal would not impact law-enforcement surveillance or investigation efforts, according to a senior FCC official.
“Nothing in our rules would disturb the current paradigm for law-enforcement inquiries,” an FCC senior official said today.
The proposed privacy rules do not address issues regarding encryption or government surveillance. In addition, the FCC proposal would not apply to the privacy practices of web sites or software applications, which fall under the jurisdiction of the Federal Trade Commission (FTC). The proposed rules cover only the practices of broadband providers in association with “sensitive” personal information—for example, information regarding personal health, geo-location, finances, web-browsing history and application-usage history—that would require a consumer’s “opt-in” consent an ISP could share with other commercial entities.
In some cases, a single company can have separate rules apply to it, based on the company’s role in a given circumstance.
“There are lots of companies that are ISPs and provide other services,” a senior FCC official said. “What we’re saying is that, when you’re providing someone access to the Internet … in that case, web browsing is sensitive.
“People like to use Google a lot [as an example]. So, if you are Google providing Google Search, you obviously are not under our rules—we’re not saying whether web browsing is sensitive there; that’s not under our jurisdiction. But Google Fiber—when they provide Internet access service, and they can see all day all of the sites that someone is looking at, whether or not they’re using Google online services, that’s sensitive.”
Other aspects of the proposed rules include requirements that ISP notify consumers about the collection, use and sharing of their information, as well as significant policy changes in this area. ISPs could still share “de-identified” information—data that can be used to generate reports on general trends of a class of users without specifically identifying an individual or device—without getting permission from a customer.
The proposed rules would require ISPs to let customer know when a data breach occurs as soon as possible and definitely within 30 days. The FCC, FBI and the U.S. Secret Service would have to be notified within 7 days of any data breach affecting more than 5,000 customers, according to the proposal.