Apr 42017

A Farewell to the FCC Broadband Privacy Rules

Edward R. McNicholas and Christopher Eiswerth
, , , , ,

On April 3, 2017, President Trump signed the bill repealing the Federal Communications Commission’s much-debated broadband privacy rules. The House of Representatives voted 215–205 to disapprove the rules, after a party-line Senate vote of 50–48. The result is that the FCC’s key rules governing internet service providers’ collection and use of consumer data, as well as data security, will not go into effect as scheduled. Moreover, the FCC will be precluded from promulgating any regulation in “substantially the same” form until a future Congress allows such action.

Congress Has Overridden Potentially Far-Reaching Broadband Rules

Certainly a complex undertaking, the FCC rules were originally promulgated in 2016 following the FCC’s reclassification of internet service providers as common carriers under Title II of the Communications Act. The rules would have required internet service providers to obtain opt-in consent from consumers to collect and use various types of data, including all web-browsing history. They also gave consumers the option to opt out of internet service providers’ use of information deemed non-sensitive, and the rule imposed various data-security requirements.

Significant debate focused on the actual effects of the rules, particularly given the widespread use of encrypted data transmissions, such as https protocols and VPN; perceptions about ISP access to consumer data; and the protections built into internet service providers’ privacy policies and practices. The FCC broadband rules also did not cover the privacy practices of so-called “edge providers,” such as Google, leading to what critics described as an uneven regulatory environment for the Internet. For example, opponents argued that the FCC’s rule created a broader definition of “sensitive” information subject to opt-in requirements than the approach applied by the Federal Trade Commission to the rest of the digital ecosystem. The House and Senate disapproval votes under the Congressional Review Act, however, will significantly narrow the FCC’s future rulemaking power in this area.

Open Questions for the Future of Broadband Privacy

Going forward, this congressional action leaves at least three open questions.

First, while the FCC cannot enforce these rules or “reissue [one] in substantially the same form,” 5 U.S.C. § 801(b)(2), an unsettled question exists as to whether the FCC will attempt to enforce the substance of these rules indirectly under its broad enforcement powers under Sections 201 and 222 of the Communications Act (with the potential for considerable fines). For example, the Commission has brought enforcement actions under these statutory provisions in the past against internet service providers that allegedly did not take reasonable steps to protect consumer data. See In the Matter of TerraCom, Inc., FCC 14-173 (Oct. 24, 2014). In doing so, it relied on its broad power to ensure common carriers act in a “just and reasonable” manner. 47 U.S.C. § 201(b). Commissioners Pai—the current Chairman—and O’Rielly dissented in that case, perhaps indicating that such actions are unlikely in the near future.

Second, if the FCC were not inclined to use its Communications Act powers to police data-security practices, the FTC may have jurisdiction to do so in some circumstances. Since the inception of the Internet, the FTC has asserted authority to oversee the data practices of internet service providers using its Section 5 authority to prohibit unfair and deceptive practices. The FTC, however, does not have authority to regulate common carriers, and the Ninth Circuit recently found that the FTC lacks authority to regulate even non-common-carrier services provided by common carriers. See FTC v. AT&T Mobility LLC, 835 F.3d 993, 1003 (9th Cir. 2016) (petition for reh’g en banc pending). Depending on the circumstances, therefore, the FTC may lack jurisdiction to bring an unfairness or deception challenge to an ISP’s data practices, but that jurisdictional question is subject to a number of variables, including (1) the FCC’s reported plans to rescind common carrier treatment of ISPs, (2) the future course of the Ninth Circuit litigation, and (3) legislative proposals to rationalize the respective jurisdictions of the FCC and the FTC.

Third, what will the significance of this unique situation be for potential state regulation? Much speculation has centered on the issue of whether state regulation of privacy will become more prominent under the Trump Administration, but it remains to be seen whether the states will increase enforcement actions in this area.

Edward R. McNicholas

emcnicholas@sidley.com

Christopher Eiswerth

ceiswerth@sidley.com

You might also like
UK GDPR Reform Is Back! Department of Science, Innovation and Technology Introduces New Data Protection and Digital Information Bill

On 8 March 2023, the newly created Department of Science, Innovation and Technology (“DSIT”) introduced the Data Protection and Digital Information (No. 2) Bill. The “Bill” is in substance a re-introduction of the previous Data Protection and Digital Information Bill which was withdrawn from Parliament on the same day as the new Bill was published. The Bill, which has been hailed by the UK Government as one that will “save billions” and “cut down pointless paperwork” is the UK’s latest attempt to create a more streamlined piece of data protection legislation for the UK whilst still “ensur[ing] data adequacy.” The Information Commissioner’s Office (“ICO”) also welcomed the re-introduction of the Bill, with the Commissioner stating that he would “support [the Bill’s] ambition.” While much of the Bill remains the same as its previous iteration, we set out the key provisions and notable amendments below.

Biden Administration Announces National Cybersecurity Strategy

On March 1, 2023, the Biden administration announced its long-awaited National Cybersecurity Strategy. The strategy is part of the administration’s efforts to bolster and modernize public and private responses to cybersecurity threats.

UK’s New Pro-innovation Approach to Regulating Digital Technologies

On 15 March 2023, the UK Government published, alongside its Spring Budget, a report on the Pro-innovation Regulation of Technologies Review (the “Report”). The Report was led by the government’s Chief Scientific Advisor and National Technology Officer, Sir Patrick Vallance, who was tasked with “bringing together the best minds to advise how the UK can better regulate emerging technologies, enabling their rapid and safe introduction.” In response, the UK Government has accepted all of the Report’s recommendations, and set out some next steps for their implementation.