The Federal Communications Commission (FCC) had a busy year in 2014. During the past 12 months, the FCC proposed new regulations on net neutrality [1] and pursued the largest privacy action in its history against TerraCom, Inc. and YourTel America, Inc.[2] While so far in 2015 the FCC has kept its cards close to its chest, it is expected that the FCC will continue to be active regulating broadband Internet service providers (Providers). And, with President Obama’s plea to the FCC to promote net neutrality, [3] this activity may expand into the FCC testing the privacy waters to see if the agency should fully commit to exclusive regulation of this area.

This article will explore some of the concerns with the FCC’s authority to regulate Providers, highlight the FCC’s recent privacy enforcement history, and question whether the FCC is equipped to be the sole regulator of broadband Internet service providers.

Reclassification Concerns

Though the FCC has general authority to regulate Providers, [4] the FCC may not impose certain obligations on Providers if those obligations would be tantamount to treating Providers as common carriers. [5] As used in this article, a Provider is an entity that facilitates a consumer’s use of telecommunications services to connect to the Internet through “last-mile” transmission lines. [6] Access is usually “furnished through broadband” or, if not, through some other communications technology.[7]

A common carrier, as defined by the Communications Act, is a provider of “basic [communication] services . . . subject to the duties that apply to such entities, including that they ‘furnish communication service upon reasonable request’ . . . [and] engage in no ‘unjust or unreasonable discrimination in charges, practices, classifications, regulations, facilities, or services.’” [8] The implication of being treated as a common carrier, as opposed to a mere Provider, is that a common carrier must “serve the public indiscriminately.” [9]

In the context of broadband Internet, if Providers were deemed common carriers, they would most likely have to adhere to net neutrality. Proponents of net neutrality have encouraged four principles:

  1. Anti-blocking – Providers would be unable to block access to any website or service that a consumer requests if the content on the website or service is legal.
  2. Anti-throttling – Providers could not “slow down” or “speed up” the transmission speed of content based on the Provider’s preferences.
  3. Increased transparency – Providers would be required (or at least encouraged) to disclose network practices and performance as well as other conditions that affect service to end-users.
  4. No paid prioritization – Providers could not prioritize traffic from certain content providers even if these content providers were willing to pay for such prioritization.[10]

The D.C. Circuit Court of Appeals recently addressed how the FCC’s current classification of Providers affects the FCC’s ability to impose net neutrality in Verizon v. FCC. The court held that Section 706 of the Telecommunications Act of 1996 [11] granted the FCC authority “to take steps to accelerate broadband deployment,”[12] and the court affirmed the FCC’s general authority to regulate and to impose restrictions on Providers. But the court also held that the FCC could not impose restrictions on Providers if such restrictions would subject Providers to obligations of common carriers. [13] Because the FCC has not classified Providers as common carriers under Title II of the Communications Act, [14] it cannot subject them to common carrier restrictions, including anti-discrimination and anti-blocking rules. [15]

In response to the court’s holding, FCC Chairman Tom Wheeler expressed his openness to the FCC reclassifying Providers as common carriers. Particularly, in his statement accompanying the Notice of Proposed Rulemaking in In re Protecting and Promoting the Open Internet, Wheeler supported reclassification if such action would allow the FCC “to follow the roadmap laid out by the D.C. Circuit,” because he believes it is “the fastest and best way to get [net neutrality] protection in place.” [16] President Obama also has suggested that the solution to establishing net neutrality rules is reclassifying Providers as common carriers. [17] But were the FCC to reclassify Providers, it could have unforeseen consequences.

Two camps have expressed grave concerns with reclassification: dissenting FCC Commissioners (Ajit Pai and Michael O’Rielly) and the Federal Trade Commission (the FTC). In the same Notice of Proposed Rulemaking in In re Protecting and Promoting the Open Internet, Pai questioned whether conferring Title II common carrier status on Providers would be ineffective and cause the “Internet [to] fare no better.” [18] Similarly, O’Rielly has described the FCC’s actions regarding net neutrality as a “regulatory boondoggle” and the proposed reclassification as an attempt to “impose unnecessary and defective net neutrality regulations.”[19]

The FTC has noted a different concern: privacy, security and data protection (PSDP). In two official comments before the FCC, [20] the FTC has noted its vast experience in PSDP issues in general,[21] and in broadband Internet PSDP issues specifically.[22]

The FTC has recognized its shared jurisdiction with the FCC to regulate “broadband Internet access and related content.” [23] But the FTC has urged the FCC not to reclassify Providers as common carriers—or at least not to strip the FTC of shared jurisdiction—because doing so would be to the detriment of consumers, and disable the FTC from protecting against data security breaches and other harms to consumers in the broadband Internet sector. [24]

The FTC’s authority to regulate PSDP is found in, among other things, Section 5 of the Federal Trade Commission Act’s (Section 5) [25] proscription against “deceptive” or “unfair” acts or practices. The FTC has been at the forefront of policing PSDP, announcing at least eight privacy cases in the last year alone. [26] The FTC’s authority to regulate PSDP has been repeatedly considered,[27] and the view has been unanimously supported by the FTC Commissioners. [29] the most recent of which, In re TerraCom, Inc. and YourTel America, Inc.[30] resulted in a “$10 million [fine] for several violations of laws protecting the privacy of phone customers’ personal information.” [31]

In the Notice of Apparent Liability for Forfeiture (the “Notice”) in In re TerraCom, Inc. and YourTel America, Inc., the FCC claimed it had authority under Sections 201(b) and 222(a) in Title II of the Communications Act (concerning duties of common carriers) to impose fines on TerraCom and YourTel for failing to protect their customers’ personal information. [32] Section 201(b) provides that “all . . . practices . . . shall be just and reasonable, and any such . . . practice . . . that is unjust or unreasonable is hereby declared unlawful.” [33] Section 222(a) provides that each “telecommunications carrier has a duty to protect the confidentiality of proprietary information (PI) of . . . customers.” [35]

The Notice went on to define PI to include not only the statutorily defined term “customer proprietary network information” (CPNI) [36] but also “privileged information, trade secrets, and personally identifiable information” (PII).[38]

Despite the FCC lauding In re TerraCom, Inc. and YourTel America, Inc. as “the largest privacy action” [39] in the FCC’s “long history of working to protect the privacy of American consumers,”[40] at least two FCC Commissioners have openly questioned the FCC’s authority to enforce PSDP violations against Providers and/or common carriers. Commissioner Pai stated that the FCC “has never interpreted the Communications Act to impose an enforceable duty on [common] carriers to ‘employ reasonable data security practices to protect’ PII.” [41] Commissioner O’Rielly took an even stronger stance, stating that he was “not convinced that the FCC has authority to act” and that it was his “firm belief that [the Communications Act] was never intended to address the security of data on the Internet.”[42]

Should the FCC Be the Sole Regulator of Broadband Internet Providers?

In my opinion, the answer is “no,” for reasons that will be explained below. But we should carefully review the premise of the question. To the extent the FCC allowed for the FTC to share regulation of PSDP matters—as the FTC has endorsed—I take no stance on whether the FCC should reclassify Providers as common carriers, or whether the FCC’s enforcement of PSDP violations is appropriate.

But there are strong arguments why the FCC should not be the sole regulator of Providers and why the FCC should share jurisdiction with the FTC. While the benefits to the FTC are obvious, below are a few reasons (independent of the reclassification issue) why shared jurisdiction over Providers could benefit the FCC, FTC, consumers, and Providers:

  • The FCC is still figuring out whether it has the authority to regulate PSDP issues. In re TerraCom, Inc. and YourTel America, Inc. is, by the FCC’s admission, the FCC’s “first data security case.” [43] The FCC Commissioners are divided on whether the FCC has authority under Sections 201 and 222 to bring enforcement against Providers for PSDP violations. As of the date of this article, no case has challenged this authority.

    In contrast, all five FTC Commissioners seem to agree that the FTC can use Section 5 to bring PSDP violation actions. Moreover, a federal district court has upheld the FTC’s authority under Section 5. [44] Given the Verizon decision, it is likely that the FCC is waiting for a challenge to its authority under Sections 201 and 222 before firmly committing to reclassifying Providers.

    The current ambiguity of the FCC’s authority leaves the potential for consumers to be less protected than if jurisdiction was shared by the FTC and FCC. Moreover, as the FCC is still figuring out the extent of its authority, Providers would be subject to uncertain standards if the FCC were their sole regulator. While the FCC has cited NIST as a source it reviews for guidance on PSDP issues, it has failed to adopt NIST standards or any other standard from which Providers can gain certainty.

    But Providers can derive guidance from the FTC’s history of PSDP enforcement and policy statements. Were the FCC to be the sole regulator, guidance could be slow to come.

  • The FTC has more experience with PSDP issues. While the FCC has had a string of recent privacy-related actions that may provide some guidance to consumers and Providers, the FTC has had at least 50 privacy-related actions. The FTC also has “engaged in a variety of policy and education initiatives to promote privacy and data security,” [45] and in 2010 was a founding member of the Global Privacy Enforcement Network [46] (“GPEN”), an international organization that “promotes information sharing and international assistance in enforcement of privacy laws.”[47] The FCC only recently joined GPEN in 2014. [48]

Different perspectives on PSDP regulation of Providers will ultimately encourage clarity. Right now the FTC is arguably more knowledgeable on PSDP issues, but the FCC has greater understanding of the policies surrounding broadband Internet. Similar to the shared jurisdiction between and amongst the federal government and the states, regulation by both the FTC and FCC could coax out clarity on how PSDP issues should apply to broadband Internet and Providers. In other words, the FTC’s exercise of regulatory authority over Providers should inform the FCC in its policy making, and vice versa. This understanding should encourage the FCC to strike the appropriate balance between protecting customers’ PI and accelerating broadband deployment.

Final Thoughts

While some may contend the FCC is better suited to guide Providers on PSDP issues specific to broadband Internet, the fact remains that given the FTC’s vast experience and enforcement action budget of more than $130 million [49] (in comparison to the FCC’s $47 million enforcement bureau budget [50]), today the FTC is better equipped to handle PSDP enforcement actions. If the FCC wants to change this perception and exercise its muscle to regulate PSDP issues specific to broadband Internet providers, the FCC must demonstrate that it (a) has the authority to enforce PSDP violations and (b) has the resources to protect consumers from PSDP violations related to their Internet use.

I expect that the FCC will figure out the answers to these questions before determining whether to reclassify broadband Internet service providers as Title II common carriers in an effort to expedite establishing net neutrality rules. The FCC’s actions in 2015 should go a long way in determining how the FCC proceeds.