For ISPs, the Notice of Proposed Rulemaking (NPRM) is deja vu. The NPRM largely tracks the net neutrality rules the FCC adopted in 2015, based on reclassifying broadband internet access (BIAS) as a telecommunications service under Title II of the Communications Act. As in 2015, the NRPM proposes prohibiting blocking and throttling lawful traffic (subject to a reasonable network management practice exception) and paid prioritization by third parties (i.e., paying ISPs to prioritize traffic routing). It also proposes to adopt a general conduct standard that would mimic the 2015 rules by prohibiting any unreasonable interference with an end user’s ability to use BIAS to access services or content or to use devices.

The Federal Communications Commission (FCC) has formally proposed for public comments new net neutrality rules that—if adopted—will impact both internet service providers (ISPs) and the entities that provide content, applications, services and devices accessed over the internet (i.e., “edge providers”). The move comes only weeks after Chairwoman Jessica Rosenworcel obtained a Democratic majority with the swearing-in of Commissioner Anna Gomez on September 25, 2023.

Impact on ISPs

But the FCC’s proposal in the NPRM differs from the 2015 net neutrality rules in several ways—and concerns with national security, cybersecurity and data privacy are at the heart of the debate this time around.

First, the FCC proposes allowing Section 214 of the Communications Act to apply to ISPs after BIAS is reclassified. That means that ISPs would be subject to the same discontinuance of service rules as common carriers. It also means ISPs would be subject to the same foreign ownership restrictions that apply to common carriers. As to the latter, the NPRM makes clear that it is motivated by national security concerns with foreign entities operating as carriers in the United States and domestic entities using foreign equipment in broadband networks.

Second, the FCC relies on cybersecurity concerns to justify reclassifying BIAS as a telecommunications service under Title II of the Communications Act. Specifically, the NPRM notes that the “current classification of BIAS limits the regulatory and operational actions that the [FCC] can take to address cyber incidents impacting the communications sector, as well as other critical infrastructure sectors.” The message from the NPRM is clear: if adopted, ISPs should expect new cybersecurity requirements from the FCC.

Third, the FCC relies on privacy and data protection concerns to justify reclassifying BIAS as a telecommunications service under Title II of the Communications Act. The NPRM notes the need to protect consumer privacy “regardless of whether they communicate via broadband or telephone services” and expresses concerns with “a patchwork of state privacy and data security requirements, instead of a uniform, nationwide framework.” The regulatory path for adopting ISP data privacy rules is murky, however, because the FCC adopted ISP data privacy rules in 2016, only for Congress to vacate them under the Congressional Review Act in 2017. That means the FCC may not adopt substantially the same rules as those previously vacated. At a minimum, ISPs should expect a more aggressive FCC leveraging its authority over universal service and other programs to push its privacy and data protection agenda related to ISPs.

Impact on Edge Providers

The NRPM also threatens to impact edge providers directly. The initial approach is uneven. Because internet traffic arrangements between edge providers and ISPs would fall within the definition of BIAS, edge providers would be prohibited from paying ISPs to give preferential treatment to their traffic. But the NPRM proposes to extend this prohibition only to preferential treatment within the ISP’s network, thus excluding internet traffic arrangements such as CDNs from these prohibitions. That is the same approach as the net neutrality rules that were in effect in 2015: edge providers can enter into arrangements to bring their traffic closer to the ISP networks but cannot enter into arrangements with those same ISPs to manage their traffic within the ISP network.

Still, the FCC’s concerns with national security, cybersecurity and data privacy in the internet ecosystem also touch edge providers in the NPRM:

• The FCC is asking for comments on whether its proposed Title II authority could be used to prohibit traffic exchange arrangements between ISPs and certain edge providers.
• The FCC is asking for comments on how much public safety officials rely on over-the-top (OTT) services to communicate important and timely information to the public.
• The FCC is asking for comments on how reclassifying BIAS would extend to ISPs obligations to protect the confidentiality of proprietary information of entities that interact with ISPs.
• The FCC is asking for comments on how reclassifying BIAS would give it oversight over messages and calls delivered via broadband networks, including potentially requiring ISPs to block certain traffic.
• The FCC is asking for comments on how the proposed net neutrality rules could ensure that OTT services are not impeded in their ability to compete with other data services.
• The FCC proposes adopting a “general conduct standard” that, depending on the circumstances, could prohibit certain zero rating or sponsored data practices that benefit edge providers.

The FCC has not published the final text of the adopted NPRM. Once it does, we will report on any significant changes to the published draft.