Privacy advocates and internet rights groups are voicing concern over the latest draft of the American Data Privacy and Protection Act (ADDPA).
The bill, which passed out of the House Energy and Commerce Committee yesterday, is the most sweeping data privacy bill in decades. But concessions made to get Republicans on board with it have privacy advocates worried.
One of the concessions involves stripping the Federal Communications Commission (FCC) of its regulatory authority over telecoms and data privacy and switching that authority to the Federal Trade Commission (FTC). Advocates say this could be disastrous for user data privacy.
“Cutting the FCC out of policing phone privacy—with its implication for everything from law enforcement abuse to competition to public safety—isn’t some little snip,” said Harold Feld, a senior vice president at internet advocacy group Public Knowledge. “It is a fundamental change that is happening on the fly on a statute designed for tech companies.”
Feld said that while a lot of other portions of the ADPPA are a “step up” from “virtually unregulated to some real protections,” the privacy aspect has him worried.
“The ADPPA protects less of your telephone info as sensitive,” he said. “It does it less well. It moves from a specialized enforcer that has generally done a good job on phone privacy to an overworked, general enforcer with fewer tools and weaker powers.”
Barbara van Schewick, a net neutrality expert and law professor at Stanford Law School, said the new regulations would hurt the FCC in crucial ways.
“The FCC’s investigation into mobile carriers’ geolocation data policies is a powerful reminder that the FCC already has the authority to protect the privacy of mobile phone customers under §222,” Schewick said. “The federal privacy bill #ADDPA negotiated in Congress would eliminate this authority.”
“Using our phones unavoidably generates tons of sensitive information about ourselves and others. Where we are & who we talk to says so much about us,” van Schewick added in a statement to the Daily Dot. “Replacing powerful, targeted protections enforced by an expert agency with weaker standards enforced by an already overworked agency is a blow to Americans’ privacy rights, not an improvement.”
Section 222 of the Telecommunications Act of 1996 allows the FCC to investigate and regulate mobile carriers. After the Supreme Court overturned Roe v. Wade, Democrats strongly urged the FCC to investigate the use of geolocation data by mobile carriers. On Tuesday, FCC Chairwoman Jessica Rosenworcel sent letters to the top 15 mobile carriers requesting information on the collection, storage, and use of customer location data.
If the ADPPA were to pass as written, that authority would be stripped from the FCC and given to the FTC, which has a significantly broader mandate than the FCC.
This has been a huge lobbying goal for the telecommunication lobby, experts say. The FTC’s broad range of authority and rampant understaffing means that the telecommunications industry, under the ADPPA, would be regulated by a less specialized and less focused regulatory body.
This isn’t the first time the FTC has been asked to regulate something beyond its ability. In 2017, as a part of the FCC repealing net neutrality under then-Chairman Ajit Pai, the agency recategorized telecommunications and internet service provider (ISP) privacy practices to the FTC. Three years later, the FTC released a unanimous report that found ISPs data harvesting and exploitation was often worse than those of Google and Facebook. In the report, the FTC claims that this is partly the case because of the lack of FCC enforcement.
Chair Lina Khan said in a letter with the report that the “Federal Communications Commission has the clearest legal authority and expertise to fully oversee internet service providers” and that she would “support efforts to reassert that authority and once again put in place the nondiscrimination rules, privacy protections, and other basic requirements needed to create a healthier market.”
Feld, speaking with the Daily Dot, called the stripping of FCC authority “absurd.”
“Despite nearly a century of effective enforcement of telephone privacy by the FCC, Republicans claim to have ‘doubts’ about the FCC’s ability to enforce phone privacy,” he said. “If the FCC were as bad at enforcing privacy as Republicans pretend, would [telecoms lobbyists] have spent nearly a decade and millions of dollars lobbying to preempt the FCC’s privacy protection authority? Of course not. If there were really ‘doubts’ about the FCC’s ability to enforce privacy, the [telecoms lobyists] would be as happy at the FCC as pigs in mud.”
Feld said the implications of the bill are “positively scary.”
“Congress is making a radical change to our critical information infrastructure, without considering any of the implications, simply to please Republicans in thrall to telecom lobbyists,” he said. “There is no transition period, no implementation plan, and the agency actually in charge of making sure the phone network operates smoothly is being preempted out of figuring out how to apply this radical new regulatory world.”
The ADPPA would also trump state privacy laws, strengthening some state laws but loosening others, like California. Two California Democrats were the only two “No” votes on the bill out of committee.
In a letter to congressional leaders on Tuesday, 10 state attorneys general urged Congress to “set a federal privacy-protection floor, rather than a ceiling” and to “allow the states to innovate to regulate data privacy and protect our residents.”
While the attorneys general welcome federal regulation on data privacy, they remain concerned about the possibility that their own, stricter laws would be made null and void by the looser federal law, as was the compromise reached on the bill.
“Any federal privacy framework must leave room for states to legislate responsively to changes in technology and data collection practices,” the letter said. “This is because states are better equipped to quickly adjust to the challenges presented by technological innovation that may elude federal oversight.”
The Electronic Frontier Foundation was also critical of the bill, pointing out several problems with the current legislation in a Twitter thread. EFF pointed out one crucial part of the bill that is full of exceptions that it views as harmful: the private right of action. Essentially, the ADPPA would allow private users to sue companies that violate it in any way. This applies to companies that might harvest data without consent from the user, or use it in a way that the user did not agree to. The ADPPA would allow users to sue those companies for violating the law, but EFF said the rules don’t go far enough.
“The bill’s private right of action, which allows people to sue companies that violate their privacy, is riddled with exceptions and limits,” EFF said. “Yet a strong [private right of action] is necessary to ensure effective enforcement of privacy laws.”
While the ADPPA is lauded by many to be the strongest data privacy bill in decades, the compromises made to get it just out of committee have already begun to neuter it.
This post has been updated with additional comment from van Schewick.