On April 3, 2017, President Trump signed the bill repealing the Federal Communications Commission’s much-debated broadband privacy rules. The House of Representatives voted 215–205 to disapprove the rules, after a party-line Senate vote of 50–48. The result is that the FCC’s key rules governing internet service providers’ collection and use of consumer data, as well as data security, will not go into effect as scheduled. Moreover, the FCC will be precluded from promulgating any regulation in “substantially the same” form until a future Congress allows such action.

Congress Has Overridden Potentially Far-Reaching Broadband Rules

Certainly a complex undertaking, the FCC rules were originally promulgated in 2016 following the FCC’s reclassification of internet service providers as common carriers under Title II of the Communications Act. The rules would have required internet service providers to obtain opt-in consent from consumers to collect and use various types of data, including all web-browsing history. They also gave consumers the option to opt out of internet service providers’ use of information deemed non-sensitive, and they imposed various data-security requirements.

Significant debate focused on the actual effects of the rules, particularly given the widespread use of encrypted data transmissions, such as HTTPS and VPNs; perceptions about ISP access to consumer data; and the protections built into internet service providers’ privacy policies and practices. The FCC broadband rules also did not cover the privacy practices of so-called “edge providers,” such as Google, leading to what critics described as an uneven regulatory environment for the Internet. For example, opponents argued that the FCC’s rule created a broader definition of “sensitive” information subject to opt-in requirements than the approach applied by the Federal Trade Commission to the rest of the digital ecosystem. The House and Senate disapproval votes under the Congressional Review Act, however, will significantly narrow the FCC’s future rulemaking power in this area.

Open Questions for the Future of Broadband Privacy

Going forward, this congressional action leaves at least three open questions.

First, while the FCC cannot enforce these rules or “reissue [one] in substantially the same form,” 5 U.S.C. § 801(b)(2), an unsettled question exists as to whether the FCC will attempt to enforce the substance of these rules indirectly under its broad enforcement powers under Sections 201 and 222 of the Communications Act (with the potential for considerable fines). For example, the Commission has brought enforcement actions under these statutory provisions in the past against internet service providers that allegedly did not take reasonable steps to protect consumer data. See In the Matter of TerraCom, Inc., FCC 14-173 (Oct. 24, 2014). In doing so, it relied on its broad power to ensure common carriers act in a “just and reasonable” manner. 47 U.S.C. § 201(b). Commissioners Pai—the current Chairman—and O’Rielly dissented in that case, perhaps indicating that such actions are unlikely in the near future.

Second, if the FCC were not inclined to use its Communications Act powers to police data-security practices, the FTC may have jurisdiction to do so in some circumstances. Since the inception of the Internet, the FTC has asserted authority to oversee the data practices of internet service providers using its Section 5 authority to prohibit unfair and deceptive practices. The FTC, however, does not have authority to regulate common carriers, and the Ninth Circuit recently found that the FTC lacks authority to regulate even non-common-carrier services provided by common carriers. See FTC v. AT&T Mobility LLC, 835 F.3d 993, 1003 (9th Cir. 2016) (petition for reh’g en banc pending). Depending on the circumstances, therefore, the FTC may lack jurisdiction to bring an unfairness or deception challenge to an ISP’s data practices, but that jurisdictional question is subject to a number of variables, including (1) the FCC’s reported plans to rescind common carrier treatment of ISPs, (2) the future course of the Ninth Circuit litigation, and (3) legislative proposals to rationalize the respective jurisdictions of the FCC and the FTC.

Third, what will the significance of this unique situation be for potential state regulation? Much speculation has centered on the issue of whether state regulation of privacy will become more prominent under the Trump Administration, but it remains to be seen whether the states will increase enforcement actions in this area.