By Peter Guffin, Visiting Professor of Practice
Under the FCC’s new privacy rules announced on October 27th, broadband providers (ISPs) will be required to get consumer opt-in consent to use and share sensitive information. This includes geo-location, web browsing history, app usage and the content of communications. According to the FCC chairman Tom Wheeler, the new rules will put broadband subscribers “in the driver’s seat” and “in control” when it comes to decisions about the use of their information.
The expansive definition of sensitive information in the new rules breaks new ground in U.S. privacy law and goes far beyond the FTC’s sensitivity–based privacy framework. The consumer opt-in requirement under the new rules likewise breaks new ground and marks a signal departure from the opt-out approach typically found in other U.S. privacy law regimes such as the Gramm-Leach-Bliley Act (GLBA) and Health Insurance Portability and Accountability Act (HIPAA).
In the U.S., the new rules come closest to the Video Privacy Protection Act of 1988, which requires subscriber opt-in consent for the use and sharing of video content, which has long been considered sensitive information. This is not surprising, given how much can be revealed about an individual by looking at his/her web browsing history and app usage.
Outside the U.S., the new rules seem to move the U.S. closer to the privacy law regime of the European Union (EU), which generally prohibits secondary use of personal data unless the data subject has given explicit consent. Under the EU’s new General Data Protection Regulation (GDPR), personal data is broadly defined and captures just about anything which identifies or can be linked to a living individual, including information which is publicly available.
Although a small step, the FCC’s movement to closer alignment with the privacy laws of the European Union is a positive development in my view. It reflects the realities of today’s global economy, which calls for attempts to harmonize international privacy laws, if there is to be the free-flow of personal data across nations’ borders. Indeed, most U.S. companies that sell goods and services in member states of the EU, which represents one of the largest economic markets in the world, presently are working to adapt their privacy practices to conform to the requirements under the GDPR, which goes into effect in May 2018.
I think there is much we in the U.S. can learn about individual privacy rights and freedoms from the European Union. Europe of course has had a much longer history than the U.S. As any student of European history knows well, Europe has experienced and survived centuries of rule by monarchs, tyrants and despots, as well as religious and ethnic wars, persecutions and revolutions. The EU and its privacy laws, both formed and developed in the crucible of World War II and its aftermath, represent a noble experiment in the advance of western civilization. Hopefully, if we pay close attention, we may learn something about the individual and societal values of privacy from the EU.