Apr 42017

A Farewell to the FCC Broadband Privacy Rules

Edward R. McNicholas and Christopher Eiswerth
, , , , ,

On April 3, 2017, President Trump signed the bill repealing the Federal Communications Commission’s much-debated broadband privacy rules. The House of Representatives voted 215–205 to disapprove the rules, after a party-line Senate vote of 50–48. The result is that the FCC’s key rules governing internet service providers’ collection and use of consumer data, as well as data security, will not go into effect as scheduled. Moreover, the FCC will be precluded from promulgating any regulation in “substantially the same” form until a future Congress allows such action.

Congress Has Overridden Potentially Far-Reaching Broadband Rules

Certainly a complex undertaking, the FCC rules were originally promulgated in 2016 following the FCC’s reclassification of internet service providers as common carriers under Title II of the Communications Act. The rules would have required internet service providers to obtain opt-in consent from consumers to collect and use various types of data, including all web-browsing history. They also gave consumers the option to opt out of internet service providers’ use of information deemed non-sensitive, and the rule imposed various data-security requirements.

Significant debate focused on the actual effects of the rules, particularly given the widespread use of encrypted data transmissions, such as https protocols and VPN; perceptions about ISP access to consumer data; and the protections built into internet service providers’ privacy policies and practices. The FCC broadband rules also did not cover the privacy practices of so-called “edge providers,” such as Google, leading to what critics described as an uneven regulatory environment for the Internet. For example, opponents argued that the FCC’s rule created a broader definition of “sensitive” information subject to opt-in requirements than the approach applied by the Federal Trade Commission to the rest of the digital ecosystem. The House and Senate disapproval votes under the Congressional Review Act, however, will significantly narrow the FCC’s future rulemaking power in this area.

Open Questions for the Future of Broadband Privacy

Going forward, this congressional action leaves at least three open questions.

First, while the FCC cannot enforce these rules or “reissue [one] in substantially the same form,” 5 U.S.C. § 801(b)(2), an unsettled question exists as to whether the FCC will attempt to enforce the substance of these rules indirectly under its broad enforcement powers under Sections 201 and 222 of the Communications Act (with the potential for considerable fines). For example, the Commission has brought enforcement actions under these statutory provisions in the past against internet service providers that allegedly did not take reasonable steps to protect consumer data. See In the Matter of TerraCom, Inc., FCC 14-173 (Oct. 24, 2014). In doing so, it relied on its broad power to ensure common carriers act in a “just and reasonable” manner. 47 U.S.C. § 201(b). Commissioners Pai—the current Chairman—and O’Rielly dissented in that case, perhaps indicating that such actions are unlikely in the near future.

Second, if the FCC were not inclined to use its Communications Act powers to police data-security practices, the FTC may have jurisdiction to do so in some circumstances. Since the inception of the Internet, the FTC has asserted authority to oversee the data practices of internet service providers using its Section 5 authority to prohibit unfair and deceptive practices. The FTC, however, does not have authority to regulate common carriers, and the Ninth Circuit recently found that the FTC lacks authority to regulate even non-common-carrier services provided by common carriers. See FTC v. AT&T Mobility LLC, 835 F.3d 993, 1003 (9th Cir. 2016) (petition for reh’g en banc pending). Depending on the circumstances, therefore, the FTC may lack jurisdiction to bring an unfairness or deception challenge to an ISP’s data practices, but that jurisdictional question is subject to a number of variables, including (1) the FCC’s reported plans to rescind common carrier treatment of ISPs, (2) the future course of the Ninth Circuit litigation, and (3) legislative proposals to rationalize the respective jurisdictions of the FCC and the FTC.

Third, what will the significance of this unique situation be for potential state regulation? Much speculation has centered on the issue of whether state regulation of privacy will become more prominent under the Trump Administration, but it remains to be seen whether the states will increase enforcement actions in this area.

Edward R. McNicholas

emcnicholas@sidley.com

Christopher Eiswerth

ceiswerth@sidley.com

You might also like
UK Sets Out It’s “Pro-Innovation” Approach To AI Regulation

On 29 March 2023, the UK’s Department for Science Innovation and Technology (“DSIT”) published its long awaited White Paper on its “pro-innovation approach to AI regulation” (the “White Paper”), along with a corresponding impact assessment. The White Paper builds on the “proportionate, light touch and forward-looking” approach to AI regulation set out in the policy paper published in July 2022. Importantly, the UK has decided to take a different approach to regulating AI compared to the EU, opting for a decentralised sector-specific approach, with no new legislation expected at this time. Instead, the UK will regulate AI primarily through sector-specific, principles based guidance and existing laws, with an emphasis on an agile and innovation-friendly approach. This is in significant contrast to the EU’s proposed AI Act which is a standalone piece of horizontal legislation regulating all AI systems, irrespective of industry.

EU Moving Closer to an AI Act – Key Areas of Impact for Life Sciences/MedTech Companies

The European Union is moving closer to adopting the first major legislation to horizontally regulate artificial intelligence. Today, the European Parliament (Parliament) reached a provisional agreement on its internal position on the draft Artificial Intelligence Regulation (AI Act). The text will be adopted by Parliament committees in the coming weeks and by the Parliament plenary in June. The plenary adoption will trigger the next legislative step of trilogue negotiations with the European Council to agree on a final text. Once adopted, according to the text, the AI Act will become applicable 24 months after its entry into force (or 36 months according to the Council’s position), which is currently expected in the second half of 2025, at the earliest.

New EU Cyber Law for the Financial Services Industry with Significant Impact on ICT Service Providers

The new EU Regulation on Digital Operational Resilience for the Financial Sector (DORA) recently entered into force. DORA establishes cybersecurity requirements for information and communication technology (ICT) systems supporting the business processes of financial entities and represents a paradigm shift for the ICT sector.  Critical ICT third-party service providers, who are providing services to regulated financial entities, will also be directly regulated under DORA and subject to regulatory supervision by a regulator to be established under DORA (a so-called ‘Lead Overseer’).