Broadband industry lobby groups are celebrating a Federal Communications Commission decision to prevent enforcement of a rule intended to protect customers' private data from security breaches.

The data security rule that was scheduled to take effect today would have required ISPs and phone companies to take "reasonable" steps to protect customers' information—such as Social Security numbers, financial and health information, and Web browsing data—from theft and data breaches. The FCC issued a stay of the rule yesterday, and Chairman Ajit Pai said he wants to shift authority over data security and privacy entirely to the Federal Trade Commission.

“Today’s FCC action to issue a temporary stay of the data security regulation is a welcome recognition that consumers benefit most when privacy protections are consistently applied throughout the Internet ecosystem," read a statement from NCTA—The Internet & Television Association, the cable industry's biggest lobby group. The group insisted that its members are committed to protecting the security of personal information, rule or no rule.

The American Cable Association (ACA), which represents smaller providers, agreed. Since the FCC is likely to change its overall privacy and security rules anyway, the ACA said that "forcing small operators to implement rules now that are likely to be rescinded and replaced with different rules would be a significant and unjustified burden."

USTelecom, which represents AT&T, Verizon, and other telcos, argued the new rule "would fragment privacy protections." The group said it looks forward to the government developing "a uniform, consumer-focused approach to privacy."

ISPs and the FCC's Republican members have consistently argued that broadband providers should not face stricter rules than website operators like Google and Facebook, which are regulated separately by the FTC. Pai and acting FTC Chairwoman Maureen Ohlhausen issued a joint statement yesterday that said the FCC and FTC are committed to creating "a comprehensive and consistent framework" that applies both to ISPs and websites.

Rule would just confuse Internet users, Pai says

Internet users would be confused by having two different sets of rules for ISPs and website providers, they argued.

"Americans care about the overall privacy of their information when they use the Internet, and they shouldn’t have to be lawyers or engineers to figure out if their information is protected differently depending on which part of the Internet holds it," Pai and Ohlhausen wrote.

The data security rule that was prevented from taking effect today said that telecommunications providers "must take reasonable measures to protect customer PI [proprietary information] from unauthorized use, disclosure, or access." Instead of requiring specific data security practices, the FCC rule would have let each ISP choose how to protect customer data.

The data security rule was part of a broader privacy rulemaking implemented under former FCC Chairman Tom Wheeler. The most well-known portion of the privacy order requires ISPs to get opt-in consent from consumers before sharing Web browsing data and other private information with advertisers and other third parties. The opt-in rule is supposed to take effect December 4, 2017, but doesn't seem likely to survive long enough to be implemented. There are also new requirements related to data breach notifications that are supposed to take effect on June 2.

ISPs technically still have to comply with less specific privacy requirements in Title II, Section 222 of the Communications Act, which governs common carriers, but only until Pai achieves his goal of eliminating the Title II classification of ISPs. (Section 222 makes no mention of protecting Web browsing data, which is one reason the FCC developed more specific privacy rules for broadband.) The FCC yesterday also said that ISPs still have to comply with "other applicable federal and state privacy, data security, and breach notification laws."

Democrats and consumer advocates protest

The FCC's decision took heat from Democrats and consumer advocates.

"The order alleges significant harm to service providers, but cites absolutely nothing to prove it," Democratic FCC Commissioner Mignon Clyburn wrote in her dissent.

The FCC majority justified its decision in part by pointing to broadband providers releasing a voluntary set of "ISP Privacy Principles" and said that ISPs would "incur substantial and unnecessary compliance costs" if the rule was implemented.

"[T]he commission’s action today means that a voluntary industry code is the only comprehensive federal protection for broadband data security," Clyburn wrote. "If a provider simply decides not to adequately protect a customer’s information and does not notify them when a breach inevitably occurs, there will be no recompense as a matter of course. The only recourse for customers will be individual forced arbitration before an entity of their service provider’s choosing. Rather than the Commission being able to spearhead an investigation and remuneration for consumers, each individual will have to discover the breach and prosecute it on their own."

Consumer advocacy group Public Knowledge concurred, saying, “This elimination of basic data security rules gives ISPs a free ride, while online services and other edge providers are still required to take reasonable measures to protect their customers’ information under the FTC’s framework. That is not a level playing field."

US Sen. Edward Markey (D-Mass.) also criticized the FCC's decision and said he "will fight any attempts by this anti-consumer FCC to harm or undermine the broadband privacy rules." He said that "Chairman Pai and Republicans in Congress want to roll back critical privacy protections and leave consumers with no defense against abusive invasions of their privacy by their broadband provider." Republicans have a majority in Congress and are preparing a legislative move to overturn the privacy and security rules, just in case the FCC doesn't act on its own.

Court ruling makes FTC enforcement complicated

While Pai and Ohlhausen say they want the FTC to have jurisdiction over ISPs, achieving that may not be simple. The FTC is barred by statute from regulating common carriers, so it lost its authority over ISPs when the FCC reclassified broadband as a common carrier service in February 2015 in order to implement net neutrality rules. Wheeler's FCC closed that gap in oversight by implementing its own privacy and security rules for ISPs.

The FCC's new Republican leadership wants to overturn the decision to classify ISPs as common carriers. But doing so may not fully restore the FTC's authority over ISPs.

That's because of a federal appeals court ruling last year that said AT&T is exempt from FTC oversight even when it's offering non-common carrier services. It's typical for telcos to offer both common carrier and non-common carrier services, and the FTC argued it could punish telcos for transgressions related to their non-common carrier businesses. The US Court of Appeals for the Ninth Circuit disagreed and ruled against the FTC.

Even if broadband loses its common carrier designation, AT&T would still be a common carrier because of its landline telephone and mobile voice services. Verizon, CenturyLink, Frontier, T-Mobile USA, and Sprint would all still be common carriers as well. Cable companies would not automatically be common carriers because their VoIP telephone services are regulated differently.

In short, the FTC might not be able to regulate all ISPs unless that court ruling is overturned or Congress changes the law to let the FTC regulate common carriers. Clyburn noted that "the Ninth Circuit decision... seriously called into question the ability of the FTC to regulate any business that has a common carrier component."

The joint statement from Pai and Ohlhausen criticized the FCC for "stripp[ing] broadband consumers of FTC privacy protections," but didn't mention the complication introduced by the court decision involving AT&T. While they said jurisdiction should be returned to the FTC, they suggested that the FCC might implement some set of rules in the meantime.

“Until [jurisdiction is returned to the FTC], we will work together on harmonizing the FCC’s privacy rules for broadband providers with the FTC’s standards for other companies in the digital economy," they wrote.

Though they wrote that yesterday's order on the data security rule was merely a temporary stay that "will remain in place only until the FCC is able to rule on a petition for reconsideration of its privacy rules," they also said the data security "rule is not consistent with the FTC’s privacy framework." Since they intend to model FCC rules after FTC ones, the FCC's original version of the data security rule isn't likely to survive.

Whatever comes out of the FCC/FTC collaboration will probably be weaker than the rules passed under Wheeler. On data security, the FTC offers a guide for businesses based on more than 50 settlements the FTC has reached with various companies. But the guide notes that "the specifics of the cases apply just to those companies" that settled with the FTC already.

The Wheeler-era FCC rules that Pai opposed define Web browsing history and application usage history as sensitive customer personal information that must be protected, along with financial information, health information, Social Security numbers, precise geo-location information, information pertaining to children, and content of communications. Under the Wheeler rules, ISPs can't sell or share sensitive information with advertisers and other third parties unless customers opt in.

Ohlhausen argued against the rule in a May 2016 filing with the FCC, saying that "The burdens imposed by a broad opt-in requirement may also have negative effects on innovation and growth." The FTC instead recommends opt-in consent for "unexpected collection or use of consumers’ sensitive data such as Social Security numbers, financial information, and information about children," and an opt-out system for other data, she wrote.

Pai and Ohlhausen concluded their statement by pledging to create technology-neutral privacy policies. "The federal government shouldn’t favor one set of companies over another—and certainly not when it comes to a marketplace as dynamic as the Internet," they wrote. "So going forward, we will work together to establish a technology-neutral privacy framework for the online world."