It’s official: next Thursday, March 31, 2016, the FCC will vote on a Notice of Proposed Rulemaking seeking comment on a proposed framework for new privacy and data security rules for broadband Internet access service (BIAS) providers. This proceeding will have important implications for not only the broadband providers subject to the rules, but also for the Internet ecosystem as a whole.
This rulemaking proceeding stems from the 2015 Open Internet Order, which reclassified BIAS as a telecommunications service and applied several of the FCC’s core consumer protection provisions—including Sections 201 and 222 of the Communications Act—to BIAS. Section 201(b) prohibits “unjust or unreasonable” practices, which the FCC has interpreted to require reasonable data security practices. Section 222 (and the Commission’s interpretations of that section) establishes a complex framework for the protection of proprietary information (PI), carrier proprietary information (CPI), and customer proprietary network information (CPNI). CPNI, in short, is the information that a carrier has about its customer solely by virtue of the customer-provider relationship. However, because the CPNI rules promulgated pursuant to Section 222 were designed with traditional telecommunications services in mind, the FCC declined to impose those rules on BIAS, instead opting for a rulemaking proceeding to create new broadband CPNI rules.
While the Commission will not release the text of the NPRM until after the March 31st Open Meeting, Chairman Wheeler’s Fact Sheet sheds some light on the likely direction of the item. Specifically, the proposal will rely on three “core principles”: choice, transparency, and security. With respect to choice, the proposal establishes a consent framework similar to the existing framework, which permits certain uses of customer data without the need for additional consent (e.g., billing and managing the network), but requires opt-out or opt-in consent from the customer before using or sharing customer data in other circumstances (e.g., marketing communications-related services to which the customer does not subscribe, or marketing non-communications-related services). As for transparency, the proposal would require BIAS providers to offer clear, conspicuous, and understandable information about the provider’s privacy practices. With respect to security, the item proposes to require BIAS providers to “take reasonable steps to safeguard” customer data, including specific minimum standards for data security. The proposal also would impose data breach notification requirements that would require BIAS providers to notify affected customers within 10 days of discovery, to notify the Commission no later than 10 days after discovery, and to notify law enforcement (i.e., the FBI and Secret Service) about larger breaches within 7 days of discovery. The Commission will also seek comment on other approaches for implementing privacy rules.
Importantly, while some had hoped that the FCC would harmonize its privacy and data security rules with the ex post enforcement approach of the Federal Trade Commission (FTC), the FCC here appears to double down on its existing ex ante approach to privacy and data security regulation. As a result, the rulemaking has the potential to further expose tensions between the FCC and FTC with respect to privacy and data security policy. This remains a critical issue for businesses to monitor as this item moves forward.
Like most FCC items, the devil is in the details, and unfortunately we will not know those details until the Commission releases the text of the NPRM. That said, here are a few of the unanswered questions that we will be tracking:
- How will the proposed rules define broadband CPNI?
- Will there be different proposed rules for mobile and fixed BIAS?
- How will the proposed rules apply to non-BIAS data services (such as connected home products) that a broadband provider offers to its customers?
- Will the FCC propose specific rules for “proprietary information” under Section 222(a)?
- Will the FCC revise its “basket of services” approach to traditional services?
- How will the FCC’s rules affect third-party apps that rely on data from carriers to provide their services?
- Will these rules include an annual certification requirement, as the existing rules do?
- How will this rulemaking proceeding affect the existing CPNI rules for traditional telecommunications services?