It looks like the gulf between the US and EU approaches to data privacy are widening! What does this mean for the future of Privacy Shield?’
April 6, 2017
In aftermath of FCC privacy rules repeal, uncertainty, ironies abound.
Rollback of FCC privacy rules on selling personal data is seen as a boon for ISPs and a blow to privacy rights. But the issue is complicated. What are the implications for CIOs?
This week, the U.S. House of Representatives voted along party lines to repeal FCC privacy rules that required broadband carriers, such as AT&T, Verizon and Comcast, to get permission from customers before selling their web-browsing and app history to third parties.
Reaction to the legislative decision, which President Donald Trump is expected to sign, was in many ways as polarized as the vote. Opponents generally viewed the decision as a crushing blow for data privacy rights, making an already unfair bargain between consumers and the companies that leverage their personal data even worse. Advocates saw it as a much-needed correction of government overreach: They argued the decision put the FCC-regulated broadband carriers on the same footing as internet giants like Google and Facebook, which, regulated by the Federal Trade Commission (FTC), have made billions of dollars in targeted advertising revenue by mining their users' online habits.
But the issue of how companies track and make money from an individual's digital reality is far from black and white, said data privacy experts we interviewed, beginning with the fact that this week's decision to ease the Federal Communications Commission (FCC) privacy rules for internet service providers (ISPs) did not technically change the status quo. The Barack Obama-era regulations, adopted in October, were not slated to go into effect until the end of the year.
"From the perspective of the broadband carriers, it continues to be potentially business as usual for them," said Heidi Shey, a data security and privacy analyst at Forrester Research. (For two in-depth analyses of the vote, see Brian Fung's piece in The Washington Post and a report by Jeff Dunn of Business Insider.)
Sorting out the short- and long-term implications of the ruling, however, is another matter, Shey and others said. While the ruling appears to give broadband carriers a clear green light on monetizing consumer data, it creates a tremendous amount of uncertainty for businesses: How consumer attitudes on data privacy will change in the wake of this week's headlines, or how the European Union and other nations with stricter data privacy laws will respond -- or even how the FCC and FTC will carve out their roles in protecting data privacy rights -- all are up in the air, they said.
'Extraordinarily fluid environment'
"Going forward, perception matters," Shey said, adding she believes companies should expect this week's news to raise consumer awareness about the value of their data. "We can't unsee what we've seen about the data practices and amount of data being collected. I don't think consumers will tolerate what they perceive as shady or negligent data practices."
Shey said she believes the rollback has "pretty big implications" for companies. "They're not the broadband provider, they're not the ISP, but they sell to these same consumers. So, concepts around protecting data, data security, good data practices -- these are all practices that are going to become much more critical now, because there is much greater awareness of what could go wrong," she said.
Rather than see the heightened awareness as a threat, however, companies should be "thinking through what it is they're doing with data collection, protection, and use and see how that can be a business differentiator for them at a time when this is an issue that is getting blown up pretty big," she said.
Matt Stamper, an analyst who covers security and privacy compliance for Gartner, said he doesn't know how the regulation and monetization of consumer data will ultimately play out.
"I think we're in an extraordinarily fluid environment. If I'm an IT leader today, a CIO or CISO, or business leader, it is a very noisy world out there right now," he said. He's not as convinced as Shey that consumers have much leverage in negotiating data privacy rights -- or even want to lobby for them, especially if that results in carriers reintroducing pay-for-privacy fee structures.
Like Shey, he said he does see some perhaps unforeseen consequences of the rollback of the FCC privacy rules. While viewed as a business-friendly action, he said the ruling may paradoxically hinder U.S. companies from doing business in countries where data privacy is considered a right and companies are required to give notice of what they're collecting and for what purpose. "We may be facing a scenario where you have proverbial islands of data -- a kind of protectionism related to privacy data."
In the meantime, Stamper recommended CIOs and CISOs work closely with their privacy experts and general counsel in developing what he described as an "intimate knowledge" of their data practices. "The upshot is about going back to the basics: knowing the type of data the organization collects, how it is used internally and to the extent that there is sharing of that information -- in privacy, what is known as 'onward transfer' -- knowing that data is appropriately protected," he said.
Good profiteering -- and bad
Those are just the short-term implications. In the long term, actions like the rollback of FCC privacy rules raise bigger questions about the values of a data economy, contended Steve Wilson, principal analyst at Constellation Research: Namely, how do we determine the fair value for what is after all the fuel of the current Industrial Revolution -- information?
"We see this as the black gold rush of 150 years ago, when oil companies were barging onto people's land and taking this resource until people said this is not fair," said Wilson, who focuses on digital identity and privacy issues pertaining to CIOs and CISOs.
"We think data is so much more valuable than crude oil -- so much more valuable than most any other resource -- that it is inevitable society is going to ask for a different sort of balance," he said.
That is not to say the broadband carriers and information companies don't have every right to make money from the valuable services they provide, Wilson said, or in any way to denigrate the tremendous advances to our health, welfare and quality of life that come from aggregating, mining and refining personal data. Those benefits will only increase with the data collected from the growing legion of connected devices on the horizon, like self-driving cars, he said. "But the contract has to be fair and negotiable. You can't just rip people off."