The U.S. government’s action this week overturning the FCC’s recently passed privacy regulations and stripping the FCC’s authority to implement similar privacy regulations in the future, whether one agrees or disagrees with it, raises more questions than answers, and its long term implications are potentially far reaching and not very well understood. Indeed, by shining a light on the issue, the government’s action will undoubtedly unleash a torrent of efforts by politicians, legislators, regulators, judges, technologists and others to find ways to improve the Internet privacy protection of U.S. citizens.
At the very least, the government’s decision may well mark the death knell for the Fourth Amendment’s much-criticized third party doctrine, judicial support for which has been slowly eroding with the advance of technology and the Internet. See, e.g., the concurring opinions of Justices Sotomayor and Alito in U.S. v. Jones, 132 S. Ct. 945 (2012).
The government’s decision creates an enormous void in Internet privacy regulation which is bound to be filled by new state laws, increased activity by other regulators, and expansion by the courts of the privacy rights of individuals under the U.S. and state constitutions. As reported this week by IAPP, we are already beginning to see some stirrings.
While privacy advocates argue that the government’s decision could result in the greatest legislative expansion of the FBI’s surveillance power since the 2001 Patriot Act, Internet Service Providers (ISPs) argue that it simply creates a level playing field for ISPs, by allowing them to sell to the highest bidder for online advertising purposes the personal information they collect about the Internet activity of their subscribers, in the same way websites such as Google and Facebook do today.
Regardless of one’s political views, however, make no mistake about it. There is no fair comparison between ISPs and websites such as Google and Facebook, especially when it comes to the sheer magnitude of the personal information being collected, used and disclosed by them. ISPs are the conduit for ALL Internet activity of their subscribers, and they also collect and maintain other offline personal and billing information about their subscribers. Websites such as Google and Facebook not only lack such offline information, they also see only the Internet activity of users when they are visiting their sites.
So, given the government’s action, one must ask:
Are there any legal limitations on what ISPs can collect, use and disclose about the Internet activities of their subscribers? If so, what are they?
Does the Electronic Communications Privacy Act (ECPA), specifically, the Wiretap Act, prohibit the interception, use and disclosure by an ISP of information about its subscribers’ Internet activities, including the contents of their electronic communications, without their consent? What exceptions, if any, apply to ISPs?
How will courts respond to claims of violation of an individual’s constitutional rights when an ISP divulges to the FBI, without obtaining a search warrant, information about the individual’s Internet activity in response to a court order issued pursuant to the Stored Communications Act (SCA)? Will courts require a search warrant?
Are states now free to regulate ISPs with respect to Internet privacy? If so, what are the limits of state jurisdiction in this area?
Can an ISP be considered a “conduit” like the postal service, and, therefore, not a business associate that must comply with the HIPAA Rules?
Will the government’s action impact cross border data transfer mechanisms currently in place between the U.S. and other countries, such as the US/EU Privacy Shield?
I plan to explore answers to each of these questions (and others) in subsequent blog posts over the next few weeks. Stay tuned.