Data protection, internet security flat illustration concepts

Tomorrow, October 27, the Federal Communications Commission (FCC) is scheduled to vote on new privacy rules for internet service providers (ISP) that will have a lasting impact on U.S. privacy regulation. In this special Series, DWT starts with some background on what led us to this point and what we expect from the new rules.  Once adopted, the Series will continue with an examination of the FCC’s new rules, compliance requirements, and practical considerations for implementation.

The FCC as Privacy Regulator

The FCC is the primary federal regulator of communications services in the United States. It derives its authority to regulate certain types of communications networks and services, like telephone, cable, and satellite, from the Communications Act of 1934 and updates to that Act.  The last major updates to the Communications Act were enacted in the Telecommunications Act of 1996 (1996 Act) – in a largely pre-commercial, pre-smartphone, pre-cloud computing internet era.  As technology has advanced, the FCC has responded by interpreting and re-interpreting the Act to keep up, as have so many other agencies and courts.

As a regulator of communications networks and services, one might expect that this includes internet communications, but this has not been the case, historically.  This is because the Communications Act was drafted by Congress to apply to separate and distinct services, which at the time were provided by separate companies, such as cable, telephone, and satellite providers.  At issue here are the regulatory classifications of two types of services defined in the Act: information services, governed by Title I of the Act; and telecommunications services, governed by Title II.   The internet has historically been considered an unregulated Title I “information service” and Internet Service Providers were for the most part unregulated.

Reclassification: The 2015 Open Internet Order

For almost as long as the Internet became a commercially viable mechanism for consumers and businesses, public interest groups have beseeched the FCC and courts to protect “network neutrality” and the “open internet,” which is the concept that end users should have unrestricted access to internet content of their choosing.  As a result (and without debate), the FCC has long sought to create policies that would protect and promote this concept.

In 2015, at the conclusion of a long series of FCC orders and court battles, in what is known as the “Open Internet Order,” the FCC reclassified broadband internet access service—the mobile and wireline service that ISPs provide to their customers to enable customer access to the internet—from a Title I information service to a heavily regulated Title II telecommunications service, which includes Section 222—the basis for the privacy regulations we will examine.  The reclassification also resulted in ISPs being classified as “common carriers,” a classification that will have significance for consumer privacy and data security regulatory oversight in the U.S.  The reclassification was challenged at the DC Circuit and upheld.  The challengers have sought rehearing which is pending and parties could seek certiorari in the Supreme Court after the rehearing petitions are resolved.

Privacy of Telecommunications Networks: “Customer Proprietary Network Information”

As part of the 1996 Act, Congress created Section 222, which restricted telecommunications providers’ use of customer proprietary network information (CPNI). CPNI is defined as information about the type of service a customer receives and related billing information, but not “subscriber list information” like names and addresses, which we sometimes think of as personal information. The CPNI rules were initially published by the Commission in 1998 (less than 2 decades ago), and have been updated from time-to-time since.

As a reminder, the 1996 Act was designed to promote competition.  Congress’ purpose in enacting Section 222 was to prevent telephone providers from using service and billing information collected in the course of providing service to further their own commercial advantage at the expense of competitors, and to protect customer privacy. To accomplish this, the law promotes equal access to customer information by requiring the disclosure of certain customer information to competitors, such as phone directory listing information, while prohibiting carriers from using CPNI – information only they as carriers have access to – for their own competitive advantage.

As part of Title II, Section 222 and its implementing regulations applied only to telecommunications services, which did not include broadband internet access service, until recently.

Toward a New Privacy Regime

Once reclassified, the statutory language of Section 222 immediately applied to broadband internet service providers, but the FCC recognized that its existing rules were created in the context of the traditional telephone network, and thus would not readily apply in the broadband context. Therefore, the agency stated that it would forbear from applying its existing rules, but advised providers to “to take “reasonable, good-faith steps to comply with Section 222, rather than focusing on technical details,” and to “employ effective privacy protections in line with their privacy policies and core tenets of basic privacy protections” until the Commission could adopt new rules.

In the year between the publication of the Open Internet Order in March 2015 and the Notice of Proposed Rulemaking (NPRM) in March 2016, the FCC signaled its intent to become a de facto privacy regulator. In particular, the FCC settled enforcement actions—using Section 222 and a host of other statutory provisions—against three companies alleging lax data security practices for a collective total of just under $30 million.

Then, in March 2016, the FCC adopted an NPRM that proposed new privacy rules for ISPs. The NPRM solicited public opinion on many questions, but at its core, it also contained a vision of a regulatory regime whose requirements went far beyond the old CPNI regime and beyond those of other privacy regulators, including, notably, the Federal Trade Commission. FCC Chairman Wheeler framed the proposed new rules as being “built on three core principles: choice, transparency and security” and justified the deviation from other privacy frameworks on the unfounded belief that ISPs, as “on ramps” to the Internet, have unique access to vast amounts of consumer information that sets them apart from edge providers.

The proposed rules would apply to all ISPs in their provision of broadband Internet access service, but not to “edge providers” (services that do not provide broadband connectivity such as Netflix, Twitter, Facebook, Apple and Google) who provide their content over the ISPs’ broadband networks and whose practices are subject to the jurisdiction of the Federal Trade Commission. Diverging from the earlier definition of CPNI, the NPRM proposed to re-interpret Section 222(a) as empowering the FCC to require ISPs to protect a new category of information, “customer proprietary information” or “CPI,” and asserted that Sections 201(b), 202(a) and 706 of the Communications Act gave it authority to both limit ISPs’ use of CPI and to require expansive notice provisions and increased security for a broad array of consumer data.

Raising the Stakes: The 9th Circuit’s AT&T v. FTC Decision

An additional effect of reclassification was that ISPs, who had traditionally been subject to the Federal Trade Commission’s jurisdiction, were now common carriers and specifically exempted by Congress from the FTC’s Section 5 authority (the FTC has used its Section 5 authority to enforce generally against companies’ “unfair” and “deceptive” privacy and data security practices). The FTC has interpreted this exemption to apply only when a common carrier is engaged in common carrier activities.

As the NPRM was pending, the stakes of the FCC’s rulemaking were raised when the U.S. Court of Appeals for the Ninth Circuit reversed a lower court and ruled that the FTC had no regulatory authority over common carriers, including ISPs, at all even for non-common carrier services.  Indeed, the court found that if any portion of a company included the provision of common carrier service, the entire company was outside the scope of the FTC’s jurisdiction.  The FCC used this ruling to bolster the case that it should enact privacy rules specific to ISPs because, without the FCC’s rules, consumers essentially be left without any privacy or data security protections.

Drawing to a Conclusion: Chairman Wheeler’s October 2016 Fact Sheet

On October 6, Chairman Wheeler published a fact sheet and blog post outlining a revised proposal for the FCC’s ISP privacy regime and announcing that the final rules would be voted on at the agency’s October 27 open meeting. Chairman Wheeler’s statement included revised proposals for rules governing consumer notification, consent, and data breach warnings, as well as the de-identification, disclosure, and security rules that ISPs must follow.

The fact sheet reflected that the Commission’s thinking had evolved since issuing the NPRM in March. Notably, the FCC appears to have shifted its proposal from a use-based regulatory framework to a sensitivity-based framework, seemingly aligning itself with the FTC’s guidance and enforcement decisions as well as the White House’s Consumer Privacy Bill of Rights. However, as we have previously noted, the details of the FCC’s proposed framework still differ substantially from the FTC’s guidance in practice.

In our next post, we will highlight the key parts of the forthcoming rules and suggest steps that you may need to take to comply.