As described in our recent Stay Current, yesterday the Federal Communications Commission (FCC) released a Fact Sheet outlining many aspects of FCC Chairman Tom Wheeler’s draft order to  reclassify broadband internet services as a “telecommunications service” thereby enhancing the FCC’s ability to regulate different aspects of broadband internet service.

While the primary purpose of Chairman Wheeler’s proposed regulatory reclassification is to create a legal hook to implement network neutrality rules, two bullet points buried in the Fact Sheet suggest that the FCC may also be able to use the move to increase its authority as a privacy and data security regulator.   

  • The Fact Sheet indicates that the Chairman’s draft order will subject providers of broadband internet service to Section 222 of the Communications Act, which imposes specific obligations to protect consumer information. 
  • The Fact Sheet also states that the draft order will also subject providers of broadband internet service to certain “core” obligations in Section 201 of the Communications Act – including an obligation to refrain from engaging in “unjust and unreasonable practices.”   

While the second point may seem unrelated to privacy and data security issues, its inclusion in the draft order may gain greater significance in light of a recent enforcement action by the FCC.  As we discussed in a prior post, last October the FCC announced – for the first time – that it would treat a failure by a telecommunications carrier either to (a) implement reasonable security measures to protect consumer privacy or (b) provide breach notices to consumers as a violation of the Communications Act’s general prohibition against engaging in “unjust and unreasonable practices.”  

While it is worth keeping an eye on the FCC as a privacy and data security regulator, it is important to remember that many issues surrounding the scope of its jurisdiction remain murky.  In its October 2014 enforcement action, the FCC didn’t actually fine the carriers for “unjust and unreasonable practices” of failing to implement reasonable security measure and failing to notify consumers of the breach.  Instead, the FCC merely put telecommunications carriers on notice of its new interpretation, and the manner in which the FCC will exercise its new-found authority to police privacy and data security as an “unjust and unreasonable practice” will be developed in future enforcement actions.  And, before the FCC can think about invoking its new interpretation under Section 201 (or its more traditional powers under Section 222 of the Communications Act) against broadband internet providers, a majority of the five FCC Commissioners must vote to reclassify broadband internet service as a telecommunications service.   

With a Commission vote on Chairman Wheeler’s reclassification order scheduled for February 26, stay tuned to Caveat Vendor for updates.