Baby Steps: Congress’ First Action to Scale Back Obama-Era Privacy Controls

By Steve Keegan

Some have decried it as a death knell for internet privacy as we know it, while others say we are back on course for a strong and innovative economy. But what really is S.J.Res 34, a “CRA,” and, more importantly, what does this mean to the average consumer dawdling away in cyberspace?

Before we can dive into what just happened, we first have to look back to what happened about four months before what just happened.  In October 2016, the FCC adopted rules to give broadband consumers increased “choice, transparency and security” for their personal data. This rule required Broadband Internet Service Providers (ISPs) give consumers information on their ability to opt-in or -out of having their browser history, among other information, collected and sold to third parties. This was one of the earliest rules rolled out in the wake of ISPs being declared a “common carrier” and, consequently, being subjected to Title II of the Telecommunications Act of 1934.  This change is important because it is the basis for the FCC to regulate ISPs, a job that was previously under the jurisdiction of the FTC.

This administrative action was carried out under the banner of “Net Neutrality,” based around the idea that the Federal Government needs to monitor ISPs to ensure fair trade practice. Briefly, proponents of the legislation feared that ISP’s would begin charging unfair rates for high-data services (see, your Netflix’s and Amazon’s) in a way that would price innovation out of the market. Opponents of the legislation (mainly ISPs) said that the federal government was picking winners in the market of Internet Service Providers and that the legislation would signal an unprecedented power grab by the FCC.

That brings us to the Senate Joint Resolution 34 which called for a Congressional Review Act (CRA) to reexamine the effectiveness of the FCC’s rule, spearheaded by Sen. Jeff Flake (R-AZ). A CRA allows Congress to officially censure an administrative agency’s actions; a successful Review Act not only revokes the rule in question but also prevents the agency from promulgating a new rule that is “substantially similar.”

In an op-ed piece written for the New York Times, Senator Flake eloquently outlined the ideology behind the CRA.  Pointing out many of the common talking points; such as that this is ultimately a trade issue, not communications and stating that the FTC had already reviewed rules similar to those passed by the FCC and determined that treating ISPs differently than other internet entities as “not optimal.” By singling out ISPs, companies focusing on directed advertisement, like Facebook and Google, may feel more emboldened to sell personal information, knowing the spotlight is off their back. Furthermore, the new rule only applied to, what some might call, benign information such as browser history. As Senator Flake said the revoked rule treated “information generated from looking up the latest Cardinals score . . . the same as personal health and financial data.”

This would all be well and good, maybe even expected with a transfer of power like this, but things get sticky when we look at that Ninth Circuit case discussed above, FTC v. AT&T Mobility LLC. The Court held that, since ISPs are now a common carrier, they are outside of the jurisdiction of the FTC, which mounts a serious problem for the vision behind the CRA. For the goal of the Act to be achieved, either the FCC has to reclassify ISPs as not common carriers, divesting them of police power over one of, if not the, most crucial technologies commonly used; or, they need to adopt more hands off rules, similar to those originally promulgated by the FTC.

Moving forward, the average consumer will likely not see a drastic change. The FCC rule only existed for four months total, and was meant to assuage fears that may have been primarily speculative.  ISPs are still unable to give away potentially identifying, or sensitive, information, like medical records, without the owner’s consent. Most likely, you will notice more of those spooky banner ads that try to sell you whatever you last looked at on Amazon. While the conversation about digital privacy is far from over, only time will tell how detrimental the lack of rules will be.

Note: The views expressed above are solely those of the author(s) and not reflect any official position taken by the Information Security and Privacy Law Student Group, the Washington College of Law, or American University at large

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Blog at

Up ↑

%d bloggers like this: