Setting the Record Straight: What the Congressional Review Act Means for Your Privacy

Image credit: PeteLinforth. CC0/Public Domain.

One significant threat to the public interest under the new administration that is receiving increased attention is broadband privacy for consumers. Last week, Senator Jeff Flake and 21 cosponsors introduced a resolution under the Congressional Review Act to repeal the Federal Communications Commission’s broadband privacy rules. In late October, after over six months of deliberation, the FCC passed rules governing how Internet Service Providers use the personal information that they collect on their customers. Put simply, ISPs would be required to obtain opt-in consent before using anything sensitive like web browsing history, your location, financial information, and information relating to children.

For two years prior to the FCC’s rules, ISPs lived under a regime where there were no rules regulating their privacy practices. Senator Flake, with support from the new FCC Chairman Ajit Pai, wants to eliminate these protections in the name of leveling the playing field. In actuality, if Senator Flake’s resolution is passed, consumers will once again be left without any protection from their ISP’s data practices. Proponents of the CRA have been misleading the public, so it’s time to set the record straight.

What is the Congressional Review Act?

The Congressional Review Act (“CRA” for you Washington types), is a little known bill passed in 1996 that allows Congress to completely get rid of rules passed by an federal agency within 60 days of being published in the Federal Register or submitted to Congress, whichever is later. Once Congress uses the CRA on a rule, it is like the rule never existed. In legal speak, the rule has no force or effect.

But wait, there’s more!

The agency that made the rule is prohibited in perpetuity from issuing another rule that is substantially similar. You read that right. Congress can wipe a rule off the books and make sure no rule like it is ever passed again. The CRA is a blunt instrument designed to prevent agencies from regulating in certain areas where Congress didn’t intend them to regulate.

So at this point, I’m sure you’re wondering why you’ve never heard of the CRA. Well, that’s because before Republicans took control of Congress and the White House in the most recent election, the CRA had only been successfully used once. In 2001, George Bush signed into law a CRA that eliminated a regulation passed by the Occupational Safety and Health Administration (OSHA) that required employers to take measures to curb ergonomic injuries in the workplace. Needless to say, OSHA hasn’t touched the topic of ergonomics since. No one knows exactly what would happen if OSHA did try to make another rule about ergonomics. Agency compliance with the CRA has never been tested in court. We’re in uncharted territory.

Back to Broadband Privacy

What does this mean for broadband privacy? Let’s start with a quick lesson on FCC rulemaking procedures. The FCC began the road to broadband privacy rules in April of last year by issuing a “Notice of Proposed Rulemaking.” The public was then able to comment on the proposal, meet with Commission staff, and otherwise give their thoughts on what the broadband privacy rules should look like. Then there was another round of comments where people could respond to the comments submitted in the first round. Only then, after six months of hearing from the public, did the Commission propose final rules. The Commission voted on those rules in late October and passed them in a three-to-two vote.

The final rules adopted the Federal Trade Commission’s sensitivity based privacy framework, with a few minor changes. While the FTC only considers financial, health, geolocation, social security number, and information relating to children as sensitive, the FCC added web browsing history and app usage history. As I’ve written about in the past, given the ability to deduce things like sexual orientation and political views using comprehensive web browsing history, it only makes sense to consider that information as sensitive as well. Things like call history and video viewing history have also long been considered sensitive because of the types of information they can reveal. In fact, Congress originally acted quickly to protect video viewing history after publication of a Supreme Court nominee’s viewing habits made the newspaper. Web browsing history is call and video viewing history in the digital age, all wrapped in one package.

But that’s not all. The FCC allows people the submit “Petitions for Reconsideration” to ask the Commission to change its mind when they feel the Commission didn’t have all of the facts or made a material error. Of course, ISPs and advertising agencies filed about 10 of them, asking the Commission get rid of the rules completely, or at least classify web browsing history and app usage history as non-sensitive. These petitions are currently before the Commission.

Why use the CRA?

Senator Flake, who introduced the CRA in the Senate, doesn’t want to get rid of the rules and stop the FCC from ever making rules like this again. He wants the FCC to change the rules to mimic the FTC’s approach exactly (i.e. classify web browsing history and app usage history as non-sensitive), arguing that doing so would place ISPs on a level playing field with edge providers in the advertising market. In a recent op-ed, Senator Flake claimed that the CRA “would scrap the FCC’s newly imposed rules in the hope that is would follow the FTC’s sensitivity-based framework.”

Unfortunately for Senator Flake, it’s unlikely that is possible under a CRA repeal. The CRA wipes away a rule completely and prevents the agency from making a rule similar to the one that was just dumped by Congress. Proponents of abolishing the rule suggest that the CRA would not prevent the Commission from changing its rules to look more like the FTC’s framework because the rules would not be “substantially similar.” As I pointed out above, the only major difference between the FCC’s rules and the FTC’s framework is that web browsing history and app usage history are considered sensitive. All other aspects of the privacy framework are largely the same. It would not be surprising to see cable and telecom ISPs challenge a new set of FCC rules following a CRA based on the “substantially similar” prohibition in the CRA statute. Additionally, even if Senator Flake does get what he wants, some members of Congress have actively sought to weaken the FTC’s enforcement power. In the end we have exactly what the ISPs want: no rules at all.

What is considered “substantially similar” has never been tested in court, so there truly is no way to know whether new rules that classify web browsing and app usage history as non-sensitive would comply with the CRA. It’s not even clear who is the ultimate authority on determining what is substantially similar. Some say that it would be Chairman Pai’s decision, which would not be reviewable in court, giving him the ability to change the rules even with use of the CRA. But this interpretation of the law would mean that agencies could always reissue a regulation as long as the agency head deems the rule to not be substantially similar. If that were true, the CRA would not have the effect it intended.

Some argue that even if the Commission is prevented from making rules, consumers will still be protected by the underlying statute, Section 222. Here’s what that argument fails to consider. There is another statute on the books without rules that the FCC is charged with enforcing. It’s called the Cable Privacy Act. Can you guess how many enforcement actions have been brought by the FCC to enforce that statute? That’s right, zero, despite active complaints. Fortunately, the Cable Privacy Act has a private right of action, where consumers can sue cable providers in court when they feel their rights have been violated under that law. In addition, the FTC has some ability to enforce that statute as well. Section 222, however, does not have a private right of action, nor can the FTC enforce the statute when the FCC does not.

More importantly, the current Commission majority opposes applying Title II regulations, which includes Section 222, to ISPs. We cannot expect Chairman Pai to be a staunch defender of consumer privacy under this statute. So the practical truth is, if the CRA is passed, consumers will be left with no one to enforce their privacy rights. Congress should be in the business of protecting consumers, not eliminating protections, especially given the recent news showing the technological advances in monitoring Americans and the importance of data security rules to strong cybersecurity protections.

It’s time for Congressional leaders to reassure Americans that their sensitive, personal information will be properly protected. The FCC broadband privacy rules were a strong step in that direction. They should not be repealed, and if they are, at a minimum Congressional leaders should be clear about how they will be legally replaced without weakening protections.

Visit publicknowledge.org/PrivacyAtRisk to contact your representatives in Congress and tell them to oppose using the CRA to eliminate the broadband privacy rules.

Creative Commons License
Except where otherwise noted, the content on this site is licensed under a Creative Commons Attribution 4.0 International License.