The new Federal Communications Commission (FCC) Privacy and Data Security Rule for broadband internet access service (BIAS) providers (Privacy Rule) was set to start phased implementation on March 2, 2017. We have previously detailed what the Privacy Rule would require and when in prior blog posts available here and here. However, on March 1, 2017, the new Republican majority issued a temporary stay of the Privacy Rule, in a joint statement from Acting Federal Trade Commission (FTC) Chairwoman Maureen K. Ohlhausen and FCC Chairman Ajit Pai posted here.
This Privacy Rule stemmed from the FCC’s 2015 Open Internet Order, which may also be subject to revision under the new administration. The FCC’s Open Internet Order applied Section 222 of the federal Communications Act to BIAS providers for the first time. This order gave the FCC jurisdiction over BIAS providers such as internet service providers (ISPs), but the FCC declined requests to take jurisdiction over edge networks (online service providers that do not offer internet access but offer services that look like a communications provider, such as Facebook, Google and Yahoo). As a result, the FCC took jurisdiction over the BIAS industry – which had previously been regulated by the FTC – on matters of privacy and data security, among other things. This essentially split the internet industry between the two regulators.
Under the Privacy Rule, the FCC took a far more restrictive approach to regulation of privacy and data security than the FTC has taken. This is largely due to the FCC having much greater rule-making and consumer protection authority than does the FTC. For instance, under the Privacy Rule, it would become much more difficult for BIAS providers to provide interest-based advertising and other services that take advantage of big data. For example, the Privacy Rule would have required BIAS providers to obtain consumers’ express consent to the use of service data for such purposes, whereas edge networks and other non-BIAS companies under FTC jurisdiction merely need to provide transparency and avoid the use of sensitive data absent consent. In addition, interest-based advertising is subject to self-regulation. (For more information, see www.aboutads.info.)
Under the Privacy Rule, the FCC’s restrictive approach to BIAS largely differed from the FTC’s traditionally technology-neutral approach to privacy and data protection, an approach criticized by industry. As noted in dissents by FCC commissioners Ajit Pai and Michael O’Rielly, the result under the Privacy Rule would lead to vastly different rules for different types of online services, with consumers being subject to different privacy principles and data protection schemes depending on the type of platforms and services they use online. With the change of administrations, that seems unlikely to be implemented.
In the joint statement announcing the stay, the new FTC and FCC chairpersons stated that the Privacy Rule “[i]s not consistent with the FTC’s privacy framework [and that] the stay will remain in place only until the FCC is able to rule on a petition for reconsideration of its privacy rules.” Noting the disparity in regulations applied to BIAS providers and edge networks, the chairpersons stated that the FCC’s regulation of BIAS providers and the FTC’s regulation of edge networks did not serve consumers’ interests by creating two distinct frameworks, with one framework for ISPs and another for all other online companies. The chairpersons noted, “Going forward, [the FTC and FCC] will work together to establish a technology-neutral privacy framework for the online world.”