U.S. FCC Decision Triggers Potential Sea Change in Broadband ISP Data Privacy and Security Requirements
Section 222 of the Communications Act Will Apply
In the Order, the FCC determined that Section 222 of the Act (47 U.S.C. § 222) would apply to broadband Internet access service providers. Going forward, broadband ISPs will be subject to a series of data privacy requirements under Section 222, including restrictions related to “customer proprietary network information” (“CPNI”). For example, they will have to comply with:
- A general duty to protect the confidentiality of proprietary information of, and relating to, other telecommunication carriers, equipment manufacturers, and customers;
- Restrictions on how they may use proprietary information obtained from other carriers for purposes of providing telecommunications services; and
- Statutory restrictions on how they may use, disclose, or permit access to CPNI without a customer’s consent.
In reaching this conclusion, the FCC reasoned that consumers’ privacy needs are no less important when they use broadband Internet access service than when they rely on telephone service. In addition, the FCC found that consumer concerns about the privacy of personal information could affect demand for broadband services and lower both broadband adoption and deployment.
The FCC also noted that it takes Section 222’s protections “seriously.” As evidence, the FCC pointed to a recent data security enforcement action where it proposed a $10 million penalty against two companies that stored customers’ personal information, including Social Security numbers, on unprotected and unencrypted Internet servers. (See our prior post here.)
The FCC’s Existing CPNI Rules Will Not Apply
The FCC stated that it will forbear from applying its existing rules implementing Section 222 (the CPNI rules) because it found that they are “not well suited to broadband Internet access service.” In particular, the FCC found that these rules are more focused on concerns that have been associated with voice telephone service and do not address many of the types of sensitive information to which broadband providers are likely to have access. As a result, broadband providers will not be required to comply with the FCC’s current Section 222 CPNI rules.
The FCC reiterated that the exclusion for broadband providers applies only to its rules and not to Section 222.
Broadband-Specific Data Privacy Rules are Forthcoming
The FCC indicated that it will develop new rules implementing Section 222 with respect to broadband Internet access services in a separate rulemaking proceeding. Details on this separate proceeding are forthcoming, but FCC Chairman Wheeler has announced that the agency will hold an April workshop for stakeholders to discuss how best to move forward.
CALEA, FISA, and ECPA Obligations Remain Intact
The FCC also confirmed that the new rules do not supersede any obligation a broadband provider may have—or limit its ability—to address the needs of emergency communications or law enforcement, public safety, or homeland or national security authorities, including under CALEA, FISA, and ECPA.
Broadband ISPs Now Qualify for the “Common Carrier” Exemption
If and when the reclassification becomes effective, broadband ISPs will fall within the “common carrier” exemption under Section 5 of the Federal Trade Commission (“FTC”) Act. To the extent that the exemption applies, broadband ISPs would no longer be subject to the FTC’s general jurisdiction to take enforcement action against unfair or deceptive acts or practices.