More personal data than ever before is due to be on sale as the US House of Representatives voted to repeal Obama-era regulations. The House voted by 215-205 to repeal last year's Federal Communications Commission privacy rules that restricted the kind of data that internet service providers (ISPs) could share with other parties and sell to advertisers.
The repealed regulation, entitled "Protecting the Privacy of Customers of Broadband and Other Telecommunications Services", was passed in late 2016 and required an expressed opt-in by consumers to allow ISPs to share certain kinds of critical personal data with third parties. That data includes web browsing history, social security numbers, financial information, health information, browsing history and the actual content of communication.
The US Senate voted to repeal the rules on 24 March, before it passed to the House of Representatives, whose consent is also required before any bill passes into law. The White House has also expressed its strong support for this move.
The American Association of National Advertisers bemoaned the decision to install the 2016 regulation, calling it “unprecedented, misguided and extremely harmful” – although it should be noted that they were already allowed to sell their customers' email and IP addresses.
[hm-iframe frameborder="0" width="512" height="330" scrollable="no" src="https://www.c-span.org/video/standalone/?c4663947"]Privacy advocates and security professionals are, perhaps unsurprisingly, not happy about the decision.
“This is an appalling move by the government that erodes the peoples' privacy even further,” David Venable, vice president of cybersecurity at Masergy, told SC Media UK. “This will be used to develop extraordinarily in-depth profiles of individuals, which will then be sold to the highest bidder.”
Those that are less worried about the sale of private data than government spying should not be too relieved, added Venable: “Unfortunately it doesn't stop at advertising. It will only be a matter of time before governments will gain access to these profiles –-- either through subpoenas locally, or via state-sponsored hacks from other countries.”
Privacy International's executive director, Dr Gus Hosein, told SC: “The fact that both Congress and the White House are abandoning the essential safeguard against having your browsing history sold to marketing agencies foreshadows increasing conflict between legal regimes across the world. How can consumers globally have confidence in the security of their data being kept in the US when the government is so keen to strip away rights of everyone with such ease?”
There is a great wealth of European data held and transmitted through the US so what this could possible mean for European privacy is not clear. Privacy Shield, the European Union's data protection regime, was set up to protect European data from the US state's surveillance practices.
Previous moves under this administration have certainly worried European officials. An executive order earlier this year that would have relieved foreigners and non-native residents of US privacy act protections, threw the future of Privacy Shield into doubt.
Vera Jourova, the European Union's Commissioner for justice, consumers and gender equality, has said in the past that she would suspect Privacy Shield if she felt it was threatened under the current administration. She told Bloomberg, “I will not hesitate to do it. There's too much at stake.”
The repeal “shouldn't be a direct concern”, said Mark Watts, IT specialist and partner at Bristows law firm. “It's probably best thought of as a piece of domestic US legislation”.
But, added Watts, perceptions do matter. The cumulative weight of the Trump administration's posture on privacy and data protection, while not hurting EU citizens directly, “adds to a perception of the US going in the wrong direction in relation to privacy”.
Privacy Shield is up for review this summer by the Article 29 working party, many of whom have been critical of the framework and called for its suspension. Moves like this will merely contribute to that anti-Shield narrative.
European officials are being asked to put a lot of faith in this new administration, said Watts: “They're being asked to accept that Privacy Shield will be properly enforced against companies by the FTC. That the Department of Commerce will take complaints seriously. That the ombudsman that's supposed to look at national security access to data will do a proper job.
“All of these things are being put in place but if they don't actually happen in practice, then they're a bit pointless”.
Yesterday's vote did not just broaden the scope of data which ISPs are allowed to collect and share but also repealed rules that would “prohibit broadband service offerings that are contingent on surrendering privacy rights” and also took back certain data security and breach notification requirements put forth within the FCC 2016 privacy rules.
This repeal comes as part of general rollback of Obama-era data protection safeguards in the first few months of the current administration. On 1 March, the FCC repealed a privacy order which demanded that ISPs take “reasonable measures to protect customer (data) from unauthorised use, disclosure and access”.
The chair of the FCC and Trump appointee, Ajit Pai, has long declared his interest in easing FCC governed regulation for the private sector.