In addition to a bothersome “breach” definition, the Federal Communications Commission (“FCC”), in its April 1, 2016 Notice of Proposed Rulemaking (“NPRM”) concerning ISP privacy regulation, proposes a sweeping definition of personally identifiable information (“PII”). The definition is broad enough to cover virtually every piece of information about an individual. Despite the FCC’s legally necessary finding that ISPs are “common carriers” required to transmit information without undue discrimination, the FCC seems not to have carefully considered an ISP’s unique and limited role in facilitating the exchange of information between and among consenting communicators.
The FCC has defined PII as “any information that is linked or linkable to an individual.” Such “linked or linkable” information is PII “if it can be used on its own, in context, or in combination to identify an individual or to logically associate with other information about a specific individual.” The FCC appears to have purposefully proposed the broadest possible definition to ensure that nothing that could conceivably be considered “personal”, even if already in the public domain, would escape being regulated PII.
This approach would require ISPs to identify every packet of data that contained any possible element of PII and to provide notice to an affected customer of an incorrect delivery, even when such a packet contained only publicly available PII, was initially delivered to only one unintended recipient, and the incorrect delivery was promptly corrected. Although the FCC has defined ISPs as common carriers to provide the legal predicate for its proposed privacy rules, its NPRM is devoid of any mention of PII requirements imposed on other common carriers that are comparable to what it has proposed for ISPs. The NPRM also lacks any serious weighing of the costs to ISPs against the expected benefits to consumers of the FCC’s approach to PII.
Consumers can benefit from FCC privacy rules applicable to ISPs to the extent that such rules deter the harmful release of customer information, and properly require notice of harmful releases of such information if they occur. But neither consumers nor ISPs will benefit from rules that sweep too broadly and thereby impose needless costs on ISPs that ultimately must be borne by consumers in the prices they pay for ISP services.