In a decision that could significantly impact the scope of the Federal Trade Commission’s consumer protection authority under Section 5 of the FTC Act, the U.S. Court of Appeals for the Ninth Circuit ruled on August 29, 2016, that common carriers are entirely exempt from the FTC’s jurisdiction, even when engaged in “non-common carrier” activities. The court’s decision in FTC v. AT&T Mobility LLC reflects a major rebuke of the FTC’s prior interpretation of its authority under Section 5, under which the agency regulated the non-common carrier activities and services of companies otherwise classified as common carriers. Unless reversed or modified, the decision will result in a dismissal of the FTC’s current action alleging that AT&T’s inadequate notice to its customers regarding data “throttling” practices was an unfair practice under Section 5. The decision also raises a host of new questions regarding who falls within (or outside of) the FTC’s jurisdiction.

Specifically, the decision curtails the authority of the FTC – currently the leading federal privacy and data security enforcement agency – over any entity that offers common carrier services, even if that common carrier service is not part of its “core” business. At the same time, the decision will likely be cited by the Federal Communications Commission (FCC) to justify its attempts to impose broad new privacy and data security regulations on Internet service providers (ISPs), following that agency’s 2015 Open Internet Order, which reclassified broadband Internet access service as a common carrier service. The Ninth Circuit decision also leaves an important jurisdictional issue unresolved: if the FTC has no jurisdiction over any activities of a common carrier, is there any federal agency with jurisdiction to prevent unfair and deceptive practices for non-common carrier services and activities of common carriers that are now fully exempt from Section 5?

Ninth Circuit’s Ruling Expands Scope of Common Carrier Exemption under Section 5

The FTC’s authority under Section 5 extends to preventing “persons, partnerships, or corporations . . . except … common carriers subject to the Acts to regulate commerce…from using…unfair or deceptive acts or practices in or affecting commerce.” The FTC has long interpreted this language to permit the agency to regulate the “non-common carrier activities” of entities that were otherwise classified or operating as common carriers. In other words, the FTC interpreted the statute as an “activities-based” exemption as opposed to a “status-based” exemption.

The FTC brought a Section 5 complaint against AT&T alleging that AT&T’s program of “throttling” the Internet data speeds of consumers with “unlimited” mobile data plans, without adequate notice to those customers, was an unfair practice. The district court denied AT&T’s motion to dismiss and agreed with the FTC’s interpretation of Section 5 that the exemption did not apply to a common carrier’s “non-common” carrier services. In reaching its conclusion, the district court relied in part on a 1959 Fourth Circuit decision that addressed a similar meat packer exemption under Section 5. In Crosse & Blackwell Co. v. FTC, the Fourth Circuit held that the FTC Act’s exemption for meat packers did not apply to an entity that was also engaged in canning soups and similar products, because meat packing was an inconsequential part of the company’s business. The Fourth Circuit reasoned that “it was never intended that relatively inconsequential activity which might be classified as meat packing should insulate all of the other activities of a corporation from the reach of the Federal Trade Commission.”

The Ninth Circuit reversed the district court’s ruling, finding that the FTC lacked authority under Section 5 because the common carrier exemption is “status-based” (i.e., an entity that is a common carrier for any service provided is exempt from the FTC’s regulatory authority under Section 5 for all of its services). The appellate court declined to defer to the agency’s “activity-based” interpretation of the statute and also rejected the district court’s reliance on Crosse. Instead, the appellate court found that the statute completely exempts common carriers based on their legal status.

In rejecting the district court’s reliance on Crosse, it first noted that “AT&T’s status as a common carrier is not based on its acquisition of some minor division unrelated to the company’s core activities that generates a tiny fraction of its revenue.” It then criticized the Fourth Circuit’s holding in Crosse, noting that “the decision seems to be based on little more than the court’s own view of the most effective regulatory regime in explicit disregard of the words of the statute. But the text of a statute cannot be disregarded in that manner.” The court went on to remind the readers that only Congress can rewrite the statute.

An additional wrinkle to this case exists because the status of AT&T’s wireless mobile data service changed in 2015. Although AT&T’s wireline business was a common carrier service at the time that the FTC brought its action in 2014, AT&T’s wireless mobile data service was not. In a hotly contested ruling in 2015, the FCC reclassified wireless mobile data service as common carriage under its Open Internet Order. (Note: the D.C. Circuit affirmed the FCC Order earlier this year, although that affirmance is subject to pending petitions for rehearing, and rehearing en banc, with responses due September 12 in that court). Under the district court’s previous ruling that Section 5’s common carrier exception is “activity-based,” the FTC was only barred from regulating AT&T’s specific common carrier services but remained free to regulate any common carrier’s non-common carrier activities. The Ninth Circuit’s holding now has the effect of removing all of AT&T’s activities – whether they were classified as common carrier activities or not – from the Section 5 jurisdiction of the FTC.

Implications of the Ruling: Ninth Circuit Decision Puts All Common Carriers Beyond the FTC’s Reach

If the Ninth Circuit decision stands (it is almost certain that the FTC will ask for a rehearing), and a “status-based” interpretation is applied uniformly, then all common carriers – including recently reclassified Internet service providers and mobile data service providers – may find themselves free from FTC oversight.

However, if such a gap has indeed been created, we are likely to see it quickly filled – at least partially. The Ninth Circuit’s decision will likely reinforce the FCC’s view that it must intervene to impose new data security and privacy regulations on common carriers as proposed in its recent NPRM, which would create expansive rules to govern the activities of entities like ISPs that are no longer subject to the FTC’s authority. The FCC, through recent data security and breach enforcement activities, has clearly revealed its intent to become a dominant player in this area. Indeed, AT&T is currently challenging a proposed $100 million fine by the FCC for the same data throttling and notice issues that were the subject of the now dismissed FTC action.

Even so, this could still leave a significant gap. The FCC stated in its NPRM that “Section 222 is a sector-specific statute that includes detailed requirements that Congress requires be applied to the provision of telecommunications services, but not to the provision of other services by broadband providers nor to information providers at the edge of the network.” Taken to its extreme, this decision could mean that the FTC could not bring an enforcement action against Google for any of its services because it is now a common carrier in its provision of its “Google Fiber” broadband Internet access service. Google previously entered into settlements with the FTC regarding consumer privacy issues but now appears to be entirely exempt from Section 5. Additionally, the statutory limitations of Section 222 of the Communications Act would prevent the FCC from bringing an enforcement action against Google for privacy or data security violations associated with Google’s non-carrier services.

If this is the outcome, is there any federal agency (as opposed to the 50 states) with jurisdiction to enforce consumer protection issues? Could the FCC rely on other sections of the Communications Act to bring enforcement actions against Google? Stay tuned to the Privacy and Security Law Blog for answers to these questions as we provide updates on this decision, the FTC’s response, and the pending FCC proceeding....