On February 26, 2015, the Federal Communications Commission (FCC) passed the Open Internet Order to reclassify “broadband Internet access service” as a telecommunication service under Title II of the Communications Act of 1934. In doing so, the FCC found that applying section 222 of the Communications Act to broadband Internet access services is in the public interest and necessary for the protection of customers. Section 222 imposes a duty on telecommunications carriers to protect the confidentiality of proprietary information obtained from their customers or other carriers, and imposes special rules for use and disclosure of information related to customers’ phone service and usage, known as customer proprietary network information (“CPNI”).
However, the Order forbears the application of the FCC’s rules implementing section 222 because those rules are specifically targeted at voice-related services.
“We are not persuaded that the Commission’s current rules implementing section 222 necessarily would be well suited to broadband Internet access service. The Commission fundamentally modified these rules in various ways subsequent to decisions classifying broadband Internet access service as an information service, and certain of those rules appear more focused on concerns that have been associated with voice service…. the existing CPNI rules do not address many of the types of sensitive information to which a provider of broadband Internet access service is likely to have access, such as (to cite just one example) customers’ web browsing history. Insofar as rules focused on addressing problems in the voice service context are among the central underpinnings of our CPNI rules, we find the better course to be forbearance from applying all of our CPNI rules at this time.”
The FCC indicated that it plans to hold future workshops and rulemaking proceedings to explore the specifics of how reclassification will affect consumer privacy. Until that time, there is considerable uncertainty regarding the scope of, and limits on, broadband Internet access service providers’ obligations regarding proprietary information. However, the Order emphasizes that the FCC takes its privacy mandate seriously and will not hesitate to pursue case-by-case enforcement actions. In particular, the FCC is likely to pursue enforcement actions against broadband providers for the unlawful collection and use of proprietary information under its broad authority to ensure “just and reasonable” practices under 47 U.S.C. § 201(b). And the FCC is likely to regulate the collection and use of proprietary information (including CPNI) under section 222. The enforcement of such provisions will not depend upon any subsequent rulemaking by the Commission and will be effective 60 days after the Rule is published in the Federal Register. However, given the controversy surrounding this long anticipated decision, it is likely that the enforcement of the Order will be delayed due to litigation challenges.
The Order is also significant because, despite the FTC’s expansive view of the reach of its jurisdiction, the FCC’s Order potentially divests the FTC of jurisdiction to regulate broadband Internet access services under Section 5 of the Federal Trade Commission Act and to enforce the Children’s Online Privacy and Protection Act (“COPPA”) against broadband providers. Thus, should this Order stand, the FCC may become the primary federal regulator of privacy and information security for broadband providers.
FCC to hold workshop on broadband consumer privacy. The FCC has announced that it will hold a workshop on April 28 to explore how the agency should regulate consumer privacy following its reclassification of broadband internet services as “telecommunications services.” The workshop will allow stakeholders to discuss how best to apply the Communications Act’s framework for protecting CPNI to broadband internet service providers. Participants will also have the opportunity to discuss whether and to what extent the FCC can apply a harmonized privacy framework across all of the services that it regulates. The workshop will take place at FCC headquarters and will be streamed online, and is open to the public.
FCC issues cybersecurity guidance for communications sector. On March 18, 2015, the FCC Communications Security, Reliability, and Interoperability Council (CSRIC) unanimously adopted a 415-page report with guidance and recommendations for voluntary cybersecurity protections for the communications sector. The guidance, titled “Cybersecurity Risk Management and Best Practices Working Group 4: Final Report,” was drafted by a multidisciplinary working group tasked by the CSRIC to study other agencies’ guidance and practices to help inform cybersecurity risk management mechanisms tailored to the communications sector. The group considered challenges specific to broadcast, cable, satellite, wireless and wireline services, and crafted “macro-level” guidance that can be tailored by individual companies to suit their unique needs and circumstances.
The guidance recommends three new “voluntary mechanisms” for cybersecurity risk management: cybersecurity and threat information sharing with the FCC, publication of a Communications Sector Annual Report (SAR) to describe efforts to manage cybersecurity risks, and active participation in the Department of Homeland Security’s (“DHS”) Critical Infrastructure Cyber Community C3 Voluntary Program. It also includes implementation guidance, recommending that companies follow the NIST Cybersecurity Framework’s approach of integrating cybersecurity as part of an overall risk management program via an organization-wide cybersecurity risk governance process. Finally, the guidance provides use cases to suggest how cybersecurity risk management protocols and practices can be implemented for each type of communications service.