
Privacy and data security

Net neutrality

What is your jurisdiction’s regulatory stance on net neutrality?

Currently, the Federal Communications Commission (FCC) has ex ante net neutrality rules and has classified broadband providers as common carriers. These rules prohibit blocking lawful content, throttling lawful content or engaging in paid prioritisation. The FCC adopted a broader internet conduct standard that prohibits practices that unreasonably interfere with or disadvantage the ability of consumers to reach the content of their choosing. The FCC also adopted transparency rules for internet service providers (ISPs) and heightened privacy protections for ISP customers. Further, the FCC has the authority to resolve a complaint that a broadband internet access provider is engaging in unfair or unjust practices for interconnection agreements. The FCC is currently considering a proposal to reclassify broadband providers as information services (rather than as telecoms services) and remove some or all of the ex ante rules. Congress recently repealed the FCC’s regulations governing the use of customer proprietary information by broadband internet access providers. However, the statute requiring telecoms providers’ use of customer proprietary network information still applies. The regulatory future of the current net neutrality rules is uncertain, and many stakeholders have asked Congress to pass a net neutrality statute governing this space.


Are there regulations or restrictions on encryption of communications?

The United States does not restrict encrypted communications. Telecoms networks must be configured to allow law enforcement to serve warrants for the interception of communications, but nothing restricts the ability of consumers to encrypt their communications as they travel over the telecoms network. Export of encryption protocols is restricted in some cases.

Data retention

Are telecoms operators bound by any rules or requirements on the retention of consumer communications data? If so, for how long must data be retained?

There is no general data retention requirement at this time. Telecoms providers are required to retain records for 90 days on the request of a government entity (18 USC Section 2703(f)). Some sensitive customer proprietary network information is restricted from disclosure. This information includes the telephone numbers a subscriber calls, the frequency, duration and timing of such calls and additional services purchased by the customer. Telecoms carriers are required to file annual reports ensuring compliance with the Centre for the Protection of National Infrastructure rules.

Government interception/retention

What rules and procedures govern the authorities’ interception of communications and access to consumer communications data?

Multiple statutes and the Constitution govern the interception of communications and access to consumer communications data. The Fourth Amendment prohibits the government from intercepting communications absent a warrant or special circumstances. Other laws, such as the Wiretap Act, prohibit the interception of communications made by radio or electronic transmission without lawful process. These laws provide civil and criminal penalties for violations. The scope of these laws can be the subject of litigation. However, telecoms providers are required to configure their systems in such a way that they can intercept customer communications when presented with a valid court order or warrant (47 USC Sections 1001-1010).

Data security obligations

What are telecoms operators’ general data security obligations to consumers?

As part of the net neutrality rules passed in 2015, the FCC required broadband ISPs to take reasonable measures to protect customer data from unauthorised disclosure. However, this portion of the net neutrality rules was stayed by the FCC in 2017 pending a petition for reconsideration. The rules would have required that ISPs comply with the Federal Trade Commission’s privacy protection framework along with the Health Insurance Portability and Accountability Act and Gramm-Leach-Bliley Act requirements. The FCC is also charged with protecting the privacy of communications that are transmitted by interstate wire or radio (47 USC Section 605(a)) and has imposed limitations on incumbent telephone companies’ use of consumer data.
