On Wednesday, the Chairman Pai-led FCC adopted an Order granting a stay of the data security rules that were adopted as part of the Commission’s 2016 Privacy Order spearheaded by former FCC Chairman Wheeler. The stay will maintain the data security rules that have been in place for several years, but suspend implementation of the expanded data security rules applicable to broadband providers pending an FCC decision on several petitions for reconsideration of the 2016 Order. We have previously discussed those petitions here. In granting the stay, the FCC has sent a strong signal that it will revise its data security rules to align with the FTC’s regime, an alignment that Chairman Pai reinforced on Wednesday in a joint statement with Acting FTC Chairman Maureen K. Ohlhausen. Indeed, the revision would be consistent with the “ISP Privacy Principles” that reflect the FTC framework and which broadband providers “have committed to continue adhering to . . . regardless of whether the Commission’s broadband privacy rules are stayed.”
The Order agrees with the petitioners’ claims that the FCC data security regime “sweeps too broadly and too vaguely” because it extends beyond the “reasonableness” standard adopted by the FTC and “would subject ISPs to more burdensome regulation than other participants in the Internet ecosystem are subjected to by the FTC.” Applying the traditional standards for granting a stay, the Order finds that the petitioners are likely to prevail in persuading the FCC to realign its rules and parallel the FTC’s privacy framework; that the costs and risks of complying with the enhanced but vague standards adopted in 2016 are substantial and not recoverable; and that the balance of equities favors preserving the status quo, for which there is no record of harm to consumers.
The new Order notes that some data security obligations will remain in place during the stay. Broadband providers are still obligated to comply with Section 222 of the Communications Act (which has applied to telecommunications carriers for many years), the Commission’s interim guidance on those rules, and “other applicable federal and state privacy, data security, and breach notification laws.” The FCC’s 2007 data authentication rules and other rules pursuant to Section 222 that address the Customer Proprietary Network Information (“CPNI”) collected by telecommunications carriers will continue to apply to traditional telecommunications carriers (but not broadband providers). If, as appears likely, the FCC soon reverses its prior re-classification of broadband as a telecommunications service, broadband providers will be subject to the FTC’s privacy and security regime, as they were before the FCC’s 2015 Open Internet Order reclassified broadband as common carriage and removed broadband from the FTC’s jurisdiction. Note, however, that the new Order does not change the FCC’s prior decision to no longer require telecommunications carriers to make annual CPNI certifications or maintain record-keeping of marketing campaigns using CPNI. In addition, the stay does not immediately alter a number of requirements from the 2016 Order, which in any event will not go into effect unless and until they have received OMB approval, including new notice requirements, customer approval requirements, and data breach notification requirements.