Out of the Frying Pan & into the Fire: The FCC Takes over Privacy Regulation
22 Pages. Posted: 2 Apr 2015. Last revised: 21 Aug 2015.
Date Written: August 15, 2015
In late 2014, the FCC imposed an unprecedented $10 million fine against Terracom — not for violating the FCC’s CPNI rules issued under Section 222(b) and (e), but for failing to provide “reasonable” data security, a duty the Commission found, for the first time, to flow from the general language of Section 222(a) and the “just and reasonable” standard of Section 201(b). In March, the FCC reclassified all broadband providers under Title II — and chose not to forbear from applying either of these sections to broadband. The FCC has promised to clarify what its approach will be in the future.
This paper will explore this evolving issue in depth, including several key legal questions: What does the Open Internet order’s discussion of IP addresses as the equivalent of phone numbers (in order to justify reinterpretation of “public switched network” and thus reclassification of wireless) mean for privacy regulation? How will CPNI regulation, traditionally focused on the adequacy of opt-in consent, evolve? How might the FCC use its sweeping “general conduct” standard or its claimed Section 706 authority over data practices? (The FCC’s 2014 706(b) NOI specifically asked how privacy and security concerns affect broadband deployment.) How might the FCC’s case-by-case enforcement approach work without clear limiting principles? Is the FCC essentially creating a murkier version of the FTC’s unfairness standard? What lessons can be learned from the experience of the FTC with unfairness and, more recently, with data security and privacy regulation?
How far might the FCC’s regulation extend? Might the FCC reclassify other services beyond broadband? Might it indirectly regulate non-common carriers by maintaining that telecom carriers have a duty not to “permit access” (Section 222(c)(1)) to CPNI by, say, mobile operating system or apps operators except subject to a flow-through of CPNI obligations? Will broadband providers, especially mobile operators, become the new intermediaries responsible for policing the data practices of other players in the ecosystem?
This paper will describe where the FCC may head and the pitfalls of various approaches, and will offer normative suggestions for how the FCC, FTC and Congress should handle the privacy and data security practices of broadband providers (and other related services).
Keywords: privacy, FCC, Title II, data security, FTC, regulation, law, common carrier