In a widely publicized decision, the Federal Communication Commission (FCC) voted on Dec. 14, 2017, to repeal the tenets of the Protecting and Promoting the Open Internet Order, or the Open Internet Order, of 2015. See Protecting and Promoting the Open Internet, Report and Order on Remand, 30 FCC Rcd. 5601 (2015). While many have heard of the political debate surrounding the anticipated overturn of the Open Internet Order, commonly referred to as net neutrality rules, many businesses and data privacy experts should pay attention to the privacy regulatory implications this move creates. Most important, this order establishes Federal Trade Commission (FTC) jurisdiction over data privacy and security regulation for broadband internet access service (BIAS) providers, restoring parity between the treatment of BIAS providers and so-called edge networks (e.g. search engines and social media networks) that existed under FTC jurisdiction.
In 2015, at the urging of the Barack Obama administration, the FCC promulgated the Open Internet Order. The order, for the first time, recategorized BIAS entities as “common-carrier services,” which qualified them as “Title II service providers” instead of “Title I information services” under the Communications Act of 1934. The distinction was important because, prior to this enactment, the FTC had been the sole agency with jurisdiction to regulate the privacy and data security issues of BIAS providers. Through this seminal reclassification, the FTC lost almost all jurisdiction to regulate BIAS services.
BIAS providers should not be confused with “edge providers,” which are entities that provide content and applications over the internet. Edge providers include online services like search engines and social media networks that provide online content to users of BIAS internet service providers (ISPs). Edge providers were never categorized as a common-carrier service, and therefore they are regulated by the FTC. As a result, the FCC’s previously proposed privacy rules for BIAS providers would have created differing standards where, for instance, BIAS providers needed express consent to use consumer data to send users interest-based advertising, but edge networks did not.
Following the Open Internet Order of 2015, the FCC, with a Democratic majority, enacted the Protecting the Privacy of Customers of Broadband and Other Telecommunications Services Order, or the 2016 Privacy Order, on Oct. 27, 2016. See Protecting the Privacy of Customers of Broadband and Other Telecommunications Services, 81 Fed. Reg. 87,274 (Oct. 27, 2016). This order would have required BIAS services to provide specific notifications in the event of a data breach and other data privacy protections for consumers, employing standards differing than those under FTC deception and unfairness standards. However, after the 2016 presidential election, Congress voted to disapprove the 2016 Privacy Order, and newly elected President Donald Trump signed a resolution in March 2017 nullifying the 2016 Privacy Order before any of its tenets went into effect.
After the reversal of the 2016 Privacy Order, on Nov. 22, 2017, the FCC proposed the draft rule Restoring Internet Freedom. See Restoring Internet Freedom, Declaratory Ruling, Report and Order, and Order- WC Docket No. 17-108. The rule essentially indicates BIAS entities will once again be categorized as Title I providers and the FTC will regain the jurisdiction it lost over BIAS providers to enforce data privacy. Further, this would effectively place BIAS and edge providers on equal footing and allow them to be both regulated by the FTC.
We have previously written about the effect that FCC privacy regulations could have had on the cyber sector:
On Dec. 14, 2017, the FCC and FTC announced a Memorandum of Understanding (MOU) detailing how future coordination between the two agencies would be conducted after the Dec. 14 vote. See Restoring Internet Freedom FCC-FTC Memorandum of Understanding. Importantly, the MOU states that the FTC will again utilize its congressionally delegated powers and continue to enforce the prevention of unfair or deceptive acts or practices affecting commerce for BIAS providers. The MOU states that the FCC will monitor the broadband market, identify informal market entry barriers, and investigate and take action for failures by internet providers under the Restoring Internet Freedom order. Further, the FCC will continue to utilize a broadband consumer protection titled the Transparency Rule of 2010. See FCC Transparency Rule, 47 CFR § 8.3. Alternatively, the MOU states the FTC will have jurisdiction to investigate and enforce the Restoring Internet Freedom order requirements against ISPs for unfair, deceptive or otherwise unlawful acts or practices.
FTC Regulation and Implications
With the return of BIAS privacy and data security regulation jurisdiction to the FTC, BIAS providers will once again be regulated by the tenets of Section 5 of the Federal Trade Commission Act (FTC Act), in the same manner as are their edge networks competitors in the digital advertising marketplace. Section 5 of the FTC Act is a responsive “police” enforcement power, as the FTC has very limited rule making authority. Instead, the FTC is charged to enforce Section 5 of the FTC Act and see that entities do not conduct “unfair or deceptive business practices in or affecting commerce.” See 15 U.S.C. § 45(a). The FTC utilizes this statutory language as the basis for its enforcement powers, especially in the data breach and privacy fields. Simply put, the FTC, unlike the FCC, does not have an easy path to rulemaking, and thus enforces on a case-by-case basis the application of general standards of deception and unfairness. Also, while the FCC can levy fines on regulated companies, the FTC is, with a few exceptions not relevant here, limited to equitable redress such as restitution to consumers and prospective injunctive relief.