From next year, your broadband provider will have to stop spying on you online

Are you comfortable knowing that your every online move is under 24/7 scrutiny from broadband providers or 4G mobile networks?

Currently, companies like AT&T and Comcast can track user data, unless consumers explicitly opt out by telling companies to stop. But last month, the US Federal Communications Commission (FCC) announced new privacy rules that prevent broadband providers from collecting and giving out data on consumers’ web browsing, app use, location and financial information.

When the new rules come into force in 12 months, broadband providers will be required to obtain explicit permission to be able to gather and share consumer information.

In spite of a number of ongoing controversies, these new regulations will be a turning point when it comes to the protection of internet users in the US. They may also have significant implications for privacy regulations in other countries, as well as for the fast-evolving global governance on data.

First, these regulations rebalance the relationship between a business’ commercial interest and consumers’ individual rights in the online privacy world. Many experts believe that existing data protection rules in the US are pro-business and fragmented, in comparison to the pro-individual, holistic approach in Europe.

This pivot in favour of consumers shows the inclusive process has the power. In over six months of public consultation for this regulation, the FCC received more than 250,000 filings, the vast majority of which show support for the adoption of strong privacy rules. In his approval statement, FCC Commissioner Mignon L. Clyburn pointed out that 91% of Americans believe that consumers have lost control of how their personal information is collected and used by companies.

Secondly, these new regulations highlight the importance of drawing clear lines between “declared data”, “observed data” and “inferred data” according to the origin of data, which provides a basis for further development of effective and balanced data governance at national or international levels. The World Economic Forum has done some great initial research on this new taxonomy of data.

Existing rules in the US allow internet service providers (ISPs), such as broadband companies, to acquire tons of observed data – data that has been captured without the user’s explicit permission.

The newly inked FCC decision prevents ISPs from gathering observed data. But, importantly, it allows ISPs to collect “declared data” as long as they obtain consumers’ opt-in permission. Declared data are personal or specific information that an individual willingly shares by filling out a form, completing an online sale or taking other purposeful actions.

The FCC new rules do not include any restrictions around “inferred data”, which is inferred and synthesized from various data types including declared data and observed data, and is anonymous and generally used for predictive purpose. This type of data is believed to have the highest potential for innovation, public health, traffic management and economic growth.

Traditionally, data is categorized based on the subject, for example political views, sexual life, financial information, health or educational data, and different level of protection are applied to different types of data in line with specific laws or regulations, regardless of the collection methods and level of individuals’ awareness, consent and ownership. This kind of vertical, silo structure makes it increasingly harder for regulators, business and consumers to form a transparent, effective and predictable governance structure, one that is needed in this fast-evolving world of data, with sources including social media, the sharing economy, the internet of things, cloud computing and 3D printing.

The new rules clearly prevent broadband companies from collecting observed data. But many of those criticizing the rules ignore the fact that they also open up the opportunity for companies to use declared data and inferred data, which could be a step in the right direction in defining a proper common ground for business to properly use data for commercial and economic interest, while not compromising a user’s privacy.

The decision has faced much criticism, including from two of the five FCC members. Commissioner Michael O’Reilly believes that the FCC has no legal authority to oversee broadband privacy, and the new order places substantial, unjustified costs on businesses and consumers. Commissioner Ajit Pai is also concerned about the FCC usurping the Federal Trade Commission’s jurisdiction, and, says that the new rules neither acknowledge nor tackle the reality that those edge providers such as Google, Facebook, Apple, Twitter and Skype are arguably much worse in this area than broadband providers.

Disputes about jurisdiction and criticisms about the unfairness towards ISPs, at least compared to web and social media companies, are legitimate concerns. They may also reflect the fact that existing regulatory frameworks, including how regulators are organized, lag behind the technology and market. And the fact that the first step is not able to solve all the problems does not necessarily mean it is not a good one. This decision won’t satisfy everyone, but it is going in the right direction. And for the first time, it allows the public to “have the ability to decide whether and how much of their information can be gathered”, as stated by privacy groups such as the Centre for Digital Democracy.

Last week’s decision can be also seen as a new means for corporations, international organizations and individuals to rethink online privacy.

For web companies as well as every data-driven conventional business, the days of freely monitoring and using observed data (or undeclared data) will soon be gone. They need to be prepared and make privacy a core part of their business strategy. Multinational corporations should also pay special caution to cross-jurisdiction data transfer, addressing different privacy standards between the host country and the home country, including both legal requirements and industry’s code of conduct.

Some companies have already stayed ahead of the curve. For example, after the FCC announced the new rules, Verizon said their longstanding privacy practices are consistent with these new standards and they have already sought permission from their broadband customers for certain data, like browsing and location history.

For international policymakers, online privacy has emerged as a hot topic, for instance at the World Trade Organization and the UN Conference on Trade and Development, because the risks of breaching consumers’ privacy are viewed as a key barrier to the development of e-commerce and other data-based economic activities. These new regulations may give a fresh breathe into global policy discussions by contributing a new taxonomy of data, step-wise approach, and more inclusive process with consumer participation.

But as far as these new regulations go, it is still not enough. Regulators also need to help consumers regain ownership of their data. Thus, it is also essential to step up public education on how to protect one’s privacy – for example, by using encrypted technology as much as possible, refraining from over-sharing private data online, carefully reading any privacy statement before signing or clicking “agree”, and consulting privacy experts when it is necessary.

The FCC’s new rules are not the finishing line in the marathon that is online data protection. But they are definitely one of the first-aid stations that provide badly needed liquid and energy to sustain the long journey towards an effective, balanced and value-based data governance system.