The Order does not forbear from applying Section 222 of the Act to broadband Internet access service (BIAS) providers. It did, however, forbear from applying its existing rules implementing Section 222, in recognition that those rules deal with the privacy of customer information connected with their use of the traditional telephone network, and thus do not readily apply in the broadband context. The question of applying Section 222 to broadband is likely to be both complex and contentious as the Commission proceeds in this area.
Section 222 and the Commission’s CPNI Rules
Section 222 governs the protection and use of certain customer information by telecommunications carriers. The FCC found that forbearance from Section 222 was not in the public interest because “[b]roadband providers . . . are in a position to obtain vast amounts of personal and proprietary information about their customers.” As a result, without regulatory privacy protections, “use or disclosure of that information” could be at odds with consumer interests. In justifying this conclusion, the Commission also returned to its “virtuous cycle” theory: failing to apply privacy protections for BIAS customers could “lower the likelihood of broadband adoption and [lead to] decreasing consumer demand.”
At the same time, the Commission concluded that forbearance is appropriate with respect to Section 222’s existing implementing rules because those rules are not necessarily “well-suited” to broadband service. For example, the Commission noted that the current rules focus on information related to voice services, such as “call detail” records, but do not readily apply to many of the types of information that a BIAS provider would have access to, such as a customer’s web browsing history. The Commission indicated that this forbearance was only temporary, pending the adoption of Internet-specific rules pursuant to a separate rulemaking. When that rulemaking will commence remains to be seen, but, as we noted in a recent PrivSec blog post, Chairman Wheeler announced that the Commission plans to hold a stakeholder workshop next month to discuss the best approach to consumer privacy as it relates to the Order.
A new rulemaking proceeding will likely probe providers’ current operations and practices, including their handling of customers’ Internet and data usage information. Language in the order suggests that the Commission may consider whether providers’ use of broadband customer information for purposes beyond traffic routing, such as collecting usage data or web browsing history, should be proscribed under new regulations. It is also possible that the Commission may adopt a wide range of use limitations (including marketing restrictions), opt-out/-in consents, notice, authentication, disclosure and breach reporting rules for BIAS customer information (consistent with the framework of existing rules for voice customer information).
Interaction with Other Laws
By choosing not to forbear from Section 222, the Commission is dramatically expanding the scope of privacy obligations under that provision. However, the Order does not expand or otherwise supersede BIAS providers’ duties under other security and privacy statutes. The Commission confirmed that nothing in its new rules is intended to supersede or otherwise limit providers’ existing duties to comply with law enforcement, national security, emergency communications and public safety mandates under statutes like CALEA, FISA, and ECPA. Indeed, because CALEA has already been construed to apply to broadband providers the Commission declined to forbear from Section 229 (which requires implementation of CALEA).
Notably absent from the Order was any reference to interaction with Section 631 of the Act, which governs the collection, use and disclosure of subscriber “personally identifiable information” by a cable operator when providing a cable service or “other service.” Since 2007, the requirements of both 222 and Section 631 have applied to VoIP services provided by cable operators. While there is little reason to believe that the reclassification would alter that practice with respect to a reclassified BIAS, the referenced rulemaking to establish the new Section 222 rules may address and clarify the interaction between these two competing sections.
The Commission did not take any additional action concerning the requirement to disclose privacy policies as part of its “enhancements” to the transparency rule, which currently requires providers to make certain disclosures regarding its network management practices, performance characteristics and commercial terms (including consumer privacy issues such as the collection, inspection, storage, disclosure and use of network traffic). While the Commission granted “small providers” a temporary exemption from the enhanced disclosure requirements, the privacy disclosures have not changed and remain applicable to all providers.
Of particular note, the Commission made several references to the use of packet inspection technologies by BIAS providers to monitor traffic for network management purposes, as well as to determine the lawfulness of certain sites and content (such as cases involving copyright infringement). This technology has often been the subject of criticism by consumer privacy advocates, and this proceeding was no exception. The Commission, however, determined that the rules adopted in the Order – including the transparency provisions and the carve-out for providers’ “reasonable” practices – accompanied by the privacy tools available to consumers, adequately addressed the privacy concerns.
The Order indicates that the FCC’s Consumer Advisory Committee will be developing a format for network management disclosures which, when finalized, will offer a safe harbor to those that utilize it, so BIAS providers will want to review and consider that format when it is released and approved. In any event, to the extent providers do not include this information directly in their published privacy policies, they should consider including a referral and link to their existing network management disclosures.
Enforcement & Jurisdictional Challenges
The Commission’s new privacy regime also presents a heightened risk of potential enforcement actions. The agency has recently initiated enforcement actions based on claimed data breaches (not addressed by existing regulations under Section 222), alleging that such breaches violate a carrier’s duties under both Section 222 and Section 201(b). Although there remain serious questions about the viability of such actions, as noted in Commissioner O’Rielly’s dissent, this order seems to reaffirm the Commission’s plan to broadly construe the scope and reach of providers’ extensive (and presently undefined) privacy duties under those statutes. This focus on enforcement is consistent with statements that Travis LeBlanc, Chief of the FCC’s Enforcement Bureau, has been making at various public appearances, including during a panel last week at the International Association of Privacy Professionals’ annual global privacy summit in Washington, D.C.
In the absence of applicable CPNI rules, the Commission is likely to use this broad authority to police and enforce providers’ compliance with statements and practices they set forth in their privacy policies, akin to the privacy and information security enforcement activities of the Federal Trade Commission.
The FTC, in turn, has publicly criticized the FCC’s efforts to assume a new enforcement role, raising concerns that the enlarged scope of activities for “common carriers” will lead to enforcement challenges between the agencies. Before reclassification, the FTC could ostensibly use its Section 5 enforcement authority to enforce the privacy promises and security practices of BIAS providers (although even the FTC’s ability to bring enforcement actions against companies that do not employ “reasonable security measures” is currently being challenged by Wyndham Hotels in a case pending before the U.S. Court of Appeals for the Third Circuit). After reclassification, the FTC’s role with respect to BIAS providers will be significantly reduced pursuant to the FTC Act’s common carrier exemption—an exemption the FTC has long lobbied should be eliminated.
Unfortunately for industry efforts to comply with their statutory obligations, even the common carrier exemption is unclear, as the FTC has taken the position in a pending enforcement action against AT&T that the exemption is a narrow “activity-based” exception that only applies to the degree the entity is engaged in “common carrier activities.” Whether this FTC claim will withstand judicial scrutiny, and where the “common carrier activity” line will be drawn, remains to be seen. In any event, BIAS providers that also provide video and other non-common carrier services are likely to remain subject to both FCC and FTC jurisdiction (and jurisdictional battles) until the courts or Congress determine how jurisdiction should be allocated.