August 23, 2017

FCC Stays Portion of Broadband Privacy Rules

Key Takeaways

  • FCC stays enforcement of new data security requirements for broadband providers.

  • Republican FCC and FTC regulators issue a joint statement contending that the move would allow the two agencies to develop a comprehensive and consistent privacy framework.

  • Democratic commissioners from both agencies issue a joint statement expressing concern that broadband providers would lack sufficient federal data security regulation while the stay remains in place.

  • Broadband internet access service providers should still consider what compliance might require of them in case the rules as reformed retain elements of the stayed rules.

In a much anticipated announcement on Wednesday, March 1, 2017, FCC Chairman Ajit Pai stayed a portion¹ of the broadband privacy rules released on November 2, 2016, that would have required broadband service providers to adhere to an FCC-defined standard of “reasonable” data security practices². The March 1 action drew criticism from privacy activists, who contended that the FCC’s stricter rules were justified by a broadband market that is relatively more consolidated than the edge provider competitors. Conversely, many broadband internet access providers praised the decision as a step toward a “common sense” even-handed approach to privacy regulation. The move also suggests that Chairman Pai will take a proactive approach toward addressing privacy regulations, perhaps lessening the likelihood that Congress will exercise its Congressional Review Act authorities to veto the controversial privacy rules – a course of action that could dramatically limit the FCC’s ability to regulate broadband privacy in the future.

The November 2016 rules were initially adopted to address the data privacy regulatory gap created when the FCC assumed regulatory authority over broadband providers by classifying them as telecommunications service providers subject to many of the rules that the FCC has promulgated under Title II of the Communications Act of 1934. This approach represented a dramatic departure from the historical status of broadband internet access service as an “information service,” subject mainly to the Federal Trade Commission’s (FTC) Section 5 enforcement authority.

Section 5 of the FTC Act prohibits unfair or deceptive acts or practices in interstate commerce. The FTC’s privacy and data security agenda has focused on misrepresentations of privacy and data security practices as well as unfair acts or practices that cause consumer harm. Although the FTC does not have authority to regulate telecommunications service providers³, it has brought enforcement actions against telecommunications service providers for what it viewed as non-carrier or service provider activities. When the FCC reclassified broadband internet access service, that reclassification effectively removed such entities from the FTC’s jurisdiction and created a privacy regulatory gap. Following the FCC’s assertion of regulatory authority over broadband providers, the Section 5 regime continues to apply to edge providers, but broadband providers were no longer subject to the FTC’s Section 5 authority.

Under the leadership of Chairman Wheeler, there was disagreement between the FCC’s Democratic and Republican commissioners about the way to address consumer privacy and broadband services. The November 2016 rules that the FCC ultimately adopted include detailed data privacy obligations, a breach notification procedure, a notice-and-choice framework governing the collection of personal information, and a prohibition on conditioning broadband service on the waiver of any FCC-mandated privacy rights, in addition to the stayed data security requirements. There was concern raised by the Republican commissioners, policy analysts, and many broadband providers that the privacy regulations would subject broadband internet access service providers to a higher degree of regulatory scrutiny than that faced by edge providers and other competitors in the consumer data market. Instead, Republican commissioners argued that the FCC should conform its broadband privacy rules to those applicable to edge providers under Section 5 of the FTC Act. These concerns were echoed by FTC staff, which noted in comments filed to the FCC docket that any approach that treated broadband providers differently than their edge provider competitors would be “not optimal.”

The FCC’s order adopting the rules was published in the Federal Register on December 12, 2016, kicking off a set of staggered effective dates for various components of the broader rules. Specifically, the timeline had been set to unfold as follows:

  • January 3, 2017 – Prohibition on Conditioning Service on Consumer’s Waiver of Privacy Rights becomes effective.

  • March 2, 2017 – Data Security rules become effective.

  • June 2, 2017 – Breach Notification procedures become effective (unless OMB fails to approve the breach notification rules prior to this date, in which case the Wireline Competition Bureau will issue a public notice upon OMB approval setting the compliance date at eight weeks after the date of the public notice).

  • December 2, 2017 – Notice and Choice rules become effective (unless OMB fails to approve the notice and choice rules prior to this date, in which case the Wireline Competition Bureau will issue a public notice upon OMB approval setting the compliance date at eight weeks after the date of the public notice).

At the time Commissioner Ajit Pai was appointed Chairman by President Trump, the initial prohibition on conditioning broadband internet access service on the waiver of FCC-created privacy rights had already become effective, but the other components of the data privacy rules were not yet in force. On March 1, 2017, Chairman Pai held a vote to stay the applicability of the data security portion of the broadband privacy rules. In an unusual joint statement by Chairman Pai and FTC Acting Chairman Maureen Ohlhausen, these regulators explained that the reprieve would enable both agencies to coordinate on a comprehensive privacy regulatory framework to ensure regulatory parity between broadband internet access providers and edge providers. FCC Democratic Commissioner Mignon Clyburn issued a joint statement with FTC Democratic Commissioner Terrell McSweeny criticizing the stay of the rules as harmful to consumer privacy and ultimately dissented from the stay order, contending that the data security rules were not as onerous as the majority suggested.

The FCC’s vote to suspend enforcement of the rules had a number of immediate effects, including most prominently the fact that broadband internet access providers will not immediately be subject to liability for failure to meet the data security standards created by the November 2016 rules.

In the coming months, it is possible that additional deadlines will be reexamined or stayed, or the rules scrapped altogether as the FTC/FCC joint framework comes to fruition. Nevertheless, broadband internet access service providers may continue preparations to comply with the rules in case the stay is lifted or, as seems more likely, the reformed regime retains certain elements of the rules as they stand today.

It is noteworthy that the same day that the privacy rules were stayed, three bills were introduced in the House Energy and Commerce Committee by Democrats calling for FCC-led cybersecurity initiatives and regulations. One of the bills, the Interagency Cybersecurity Cooperation Act, calls on the FCC to create an interagency panel to investigate and review cyber incidents. Under the proposed Cybersecurity Responsibility Act, the FCC would set cybersecurity regulations for communications networks as a form of critical infrastructure protection. In addition, the Securing the Internet of Things Act requires that web-connected devices comply with design security principles established by NIST and the FCC.


1 See 47 C.F.R. 64.2005 (as amended).

2 Protecting the Privacy of Customers of Broadband and Other Telecommunications Services, Report and Order, 31 FCC Rcd 13911, 14009 (2016).

3 See AT&T vs. FTC, 15-16585 (Aug. 29, 2016), https://cdn.ca9.uscourts.gov/datastore/opinions/2016/08/29/15-16585.pdf.

©2017 Drinker Biddle & Reath LLP. All Rights Reserved


About this Author

Partner

Kenneth K. Dort is a partner in the firm’s Intellectual Property Practice Group and the chairman of the firm's Technology Committee. His practice is focused on information technology and intellectual property law issues, including software development and licensing, systems development and integration, data encryption and security, trade secret protection, and patent/copyright/trademark/ licensing and protection.

Ken has...

Counsel

Katherine E. Armstrong is counsel in the firm’s Government & Regulatory Affairs Practice Group where she focuses her practice on data privacy issues, including law enforcement investigations, and research and analysis of big data information practices including data broker issues.

Katherine has more than 30 years of consumer protection experience at the Federal Trade Commission (FTC), where she served in a variety of roles, including most recently as a Senior Attorney in the Division of Privacy and Identity Protection. In the Division of Privacy and Identity Protection, Katherine led Fair Credit Reporting Act (FCRA) initiatives, including law enforcement investigations, consent negotiations, rulemakings, and other interpretive policy initiatives. During Katherine’s tenure at the Commission, she served as an Attorney Advisor to Chairman Janet Steiger and Commissioner Sheila Anthony and was responsible for counseling on matters of consumer protection policy and enforcement.

Of Counsel

Lee G. Petro represents broadcasters, telephone companies and wireless service providers before the Federal Communications Commission. He has represented broadcasters and fixed wireless broadband service providers in the issues faced by their transition to digital and to two-way broadband service. Lee also works with clients who need counseling on matters of construction benchmarks, build out, rights of way, tower leasing and siting and implementation of services more generally. He lends his experience to clients seeking to lease their spectrum excess capacity and to...

Associate

Anthony D. Glosson is an associate in the firm’s Government & Regulatory Affairs Practice Group.

In General. Anthony earned his law degree, with high honors, from The George Washington University Law School, where he was Editor-in-Chief of the Federal Communications Law Journal, and was recognized as a George Washington Scholar. While in law school, Anthony served as a law clerk for the Institute for Justice, Commissioner Ajit Pai of the Federal Communications Commission, and TechFreedom....
