Last week, a unanimous Ninth Circuit panel issued a significant decision that holds that common carriers are categorically exempt from Section 5 of the FTC Act—even for activities unrelated to common carriage. See AT&T Mobility LLC. v. Fed. Trade Comm’n, No. 15-16585, 2016 WL 4501685 (9th Cir. Aug. 29, 2016). This opinion has potentially far-reaching implications for the telecommunications industry and the appropriate oversight roles of the FCC and FTC—including on data privacy and security issues.

By way of background, Section 5 generally empowers the FTC to prevent unfair or deceptive acts or practices, but exempts, among other things, “common carriers subject to the Acts to regulate commerce.” Two competing views have emerged about the meaning of the common carrier exemption. Under a status-based interpretation, if an entity is even partially regulated as a common carrier, all of its activities are exempt from Section 5. The FTC has argued in favor of a narrower, activities-based interpretation, which immunizes only those activities related to common carriage.

These dueling theories came to a head when the FTC sued AT&T in 2014. The FTC attacked AT&T’s disclosures about the speed of its mobile wireless data. At that time, AT&T’s mobile broadband offerings were not regulated as common carrier services, but its telephony offerings were. AT&T moved to dismiss in January 2015, arguing it was immune under a status-based interpretation of Section 5. A month later, in its Open Internet Order, the FCC reclassified mobile wireless broadband as common carrier services under Title II of the Communication Act.

The Ninth Circuit adopted a status-based interpretation of Section 5, holding that AT&T was exempt from the FTC’s suit because its separate telephony business was subject to common carrier regulation when the FTC filed suit. The decision’s reasoning relied almost exclusively on the plain text and history of Section 5.

Perhaps more interesting, however, is what the Ninth Circuit’s opinion did not say. The Ninth Circuit did not find it necessary to grapple with the implications of the Open Internet Order, given its categorical approach, as the FTC had filed suit before the FCC reclassified mobile broadband as a common carrier service. Nor did the Ninth Circuit delve into the complex regulatory spheres at issue here. For example, in addition to the FTC’s suit, the FCC sought a $100 million fine against AT&T in 2015 regarding the same speed disclosures pursuant to its Transparency Rule. The Ninth Circuit did not consider it necessary to entertain AT&T’s policy-based argument that a broad reading of the common carrier exemption was necessary to foreclose duplicative or inconsistent regulation.

In this regard, the Ninth Circuit’s decision may also reverberate with respect to privacy and data security. Historically, the FTC has been a leader among federal agencies in this area, relying (successfully, to date) on Section 5 for its jurisdictional authority. The FCC has also become very active in this space within the last two years. In March 2016, for example, the FCC released a wide-ranging Notice of Proposed Rulemaking that seeks to regulate broadband privacy practices using a framework that in some respects is more restrictive than that of the FTC. In light of the Ninth Circuit’s decision, the FCC may be furthered emboldened to continue its efforts in this space.