Congress’ decision to allow internet service providers to sell customer data without prior consent rolls back another Obama-era law. Scholars say it undermines US privacy rights and hope for a pushback from Europe.
The vote by the US House of Representatives on Tuesday coupled with an earlier vote in the Senate to undo a regulation passed by the Obama administration last year clears the path to allow US Internet Service Providers (ISPs) to aggregate and sell their customer's personal data without having to get their approval to do so first. The motion was supported by Republicans and opposed by Democrats.
To go into effect, the move needs White House backing, but that is considered a formality since President Donald Trump has already made clear he supports the resolution and would sign it.
Republican and industry supporters of the effort argue that allowing ISPs to sell customer data without prior consent levels the playing field with internet companies such as Google or Facebook, who, because they are governed by the Federal Trade Commission (FTC), were not subject to those same rules as the ISPs, who are governed by tougher Federal Communication Commission (FCC) regulations. Major ISPs are often telecom or cable companies who also sell internet access usually bundled with phone and television offerings.
Frank Pasquale, an information law scholar at the University of Maryland, acknowledges the legal discrepancies between internet companies and providers, but he believes lowering the bar for internet companies is the wrong approach to remedy this bias.
"It is very troubling what the internet companies have collected and can do with the data due to a lack of regulation in the US," he told DW. "But I think the answer is to bring everybody up to a common standard of responsibility, not to create a Wild West. And that is the direction that we are moving in now."
While the resolution accelerates what Pasquale calls a move towards "surveillance capitalism,” i.e. business models that are based on data collection and analysis, it weakens the privacy protections for US citizens.
"I think that is troubling because there is a lot of sensitive data that people are transmitting, and even worse than that there is a lot of very sensitive inferences that can be made about you based on large aggregation of data the types your internet service provider could get," Pasquale said.
What makes the move to allow ISPs to market their customer's personal data without permission potentially even more consequential than allowing Google and Co. to do so is the fact that it is much harder to avoid an ISP than it is to avoid an internet company.
"One way or another, everyone that accesses the internet or uses an app or just communicates is using an internet access provider," said David Levine who specializes in information policy and law at Elon University.
"Because of that reality your choices become near zero to the extent that ISPs now have the ability to sell and aggregate your data without notice," he added. "You are not compelled to use Google search or social media - as useful as those tools are - the way you are the ISPs."
It is important to note that the Obama-era rule to force ISPs to get customer consent before selling their data was not all encompassing to begin with. While it stipulated that ISPs get a customer's permission before marketing his or her personal data, for instance a person's browsing information, it allowed them to market a person's email addresses without prior permission.
Still, argue the scholars, the Obama policy may have been partly flawed, but it was certainly better than the alternative chosen by Congress and supported by President Trump: namely, simply gutting that rule.
"I don't think this move was informed by any deep reflection or analysis of the side effects on citizens or on international relationships," said Pasquale. "There is just a deregulatory frenzy going on right now that is unmoored from any consideration of its effects."
Ultimately that decision is not only not in the best interest of US citizens since it takes away important privacy protections and undermines their confidence in ISPs, but it also hurts the US' international standing in the important field of internet governance, said Levine.
"The United States has often taken the lead in areas like the protection of and how we view technological change and communications and the role of privacy in it," he said.
This move, according to Levine, sends a very strong signal to the world that the United States does not take these kinds of consumer protections as serious as for instance Europe. "From a US leadership perspective and a robustness of technological regulation it is very troublesome."
While the new rule directly only applies to the US, people outside the country could also be affected indirectly.
"Once that data is moving through a US-based ISP for example, your data could become vulnerable," said Levine. "That's definitely a risk."
European response expected
That's why, noted Levine and Pasquale, the move could trigger a pushback from Europe, since it could have repercussions for the so called Privacy Shield, a US-EU framework that governs the commercial exchange of personal data between both partners.
"I have no doubt that Europe and particularly countries like Germany and France will push back in whatever fora exist to engage," said Levine.
"Probably the only source of a potential check on the current US government is for international pressures from governing bodies like the European Commission and others who actually have a commitment to privacy," said Pasquale.
Also on Tuesday, German Chancellor Angela Merkel said she would like to discuss international rules for internet data sharing at the upcoming G20 summit in Hamburg.