Privacy and data security are high priorities of the Federal Communications Commission (FCC) under the leadership of Chairman Tom Wheeler. In addition to significant enforcement actions against AT&T and TerraCom/YourTel that take a page out of the playbook of the Federal Trade Commission (FTC), the FCC’s recent Open Internet Order for the first time imposes the privacy obligations of Section 222 of the Communications Act of 1934, as amended (the Act) on broadband Internet service providers.
Changing Legal Landscape
The FCC’s Open Internet Order significantly changes the privacy legal landscape. There, the FCC reclassified the provision of broadband Internet access services from an “information service” to a “telecommunications service” subject to Title II of the Act. Among other things, the reclassification of broadband Internet service providers as common carriers appears to largely, if not entirely, strip the FTC of jurisdiction over broadband providers due to the FTC’s own jurisdictional limitations.
To close the resulting gap in federal authority over the privacy practices of broadband Internet services providers, the FCC determined that Section 222 of the Act should apply to reclassified broadband Internet service providers immediately. At the same time, the FCC also decided to forbear from applying the legacy rules that apply to traditional telephone companies to broadband Internet access services and to instead adopt new rules customized for such newly reclassified services. In refraining from applying the legacy “customer proprietary network information” (CPNI) rules to broadband Internet access services, the FCC effectively admitted that a statutory provision designed to prevent incumbent local exchange carriers from having unfair competitive advantages in cross-marketing circuit-switched voice telephone services is not well suited to the context of broadband Internet access services.
The FCC’s Open Internet Order has broad implications. Since the FCC seeks to apply Section 222 to broadband Internet access services immediately, every broadband service provider will soon have a statutory duty to protect the confidentiality of CPNI and will be restricted from using, disclosing, or permitting access to such information without customer consent (barring a stay of the Open Internet Order; see note 1). The scope of those restrictions is murky, at best, given Section 222’s orientation toward voice telephone services, enacted in a circuit-switched era before wide adoption of the Internet.
On April 28, 2015, the FCC held a public workshop in Washington, D.C. to begin the debate over whether and how to adopt rules implementing Section 222 of the Act for broadband Internet access services.
Highlights of the Workshop
The FCC workshop highlighted some key issues that the FCC will have to tackle in the expected upcoming rulemaking:
With regard to privacy issues, are broadband service providers unique, or should they be treated like other members of the Internet ecosystem?
Should the FCC ensure consistency with the FTC with regard to online privacy, and if so, how?
How should the FCC apply Section 222 of the Act, which was designed to apply to voice telephone services, to broadband Internet access?
In opening remarks, Chairman Wheeler observed that “privacy is unassailable” and framed the workshop as the start of an effort to determine how to ensure that Section 222 protects consumer privacy while also encouraging a “virtuous circle” of innovation and investment in network infrastructure.
Associate Professor Matt Blaze of the University of Pennsylvania School of Engineering and Applied Science offered a technological perspective on broadband privacy issues. According to Blaze, broadband Internet service providers are seeking to move from “stateless” or “dumb” networks, which principally transmit packets of data, to “smart” networks, which seek to monetize information about their customers’ online activities by partnering with online advertising networks, performing deep packet inspection, or using cookie injection. Blaze stressed that metadata, such as location information, URLs visited, or who users communicate with, can be highly revealing yet is not shielded from broadband Internet service providers through consumer “countermeasures” like encryption. Accordingly, Blaze concluded that protecting consumer privacy in connection with broadband service providers warrants a policy solution rather than a technological approach.
Following Blaze’s presentation, two workshop panels featuring privacy advocates, broadband Internet access industry representatives, government officials, and academics provided a glimpse of the emerging debate.
The first panel pitted Robert Quinn, AT&T Chief Privacy Officer and Senior Vice President-Federal Regulatory, against Laura Moy, Senior Policy Counsel for New America’s Open Technology Institute. Quinn argued that data available to broadband service providers is comparable to, and potentially less extensive than, the data available to online advertising networks, data brokers, social networks, and mobile operating systems. According to Quinn, broadband service providers operate and compete in the same advertising-supported online ecosystem as these and other businesses. Consequently, Quinn eschewed what he called an outdated “entity-based” approach to privacy regulation in favor of consistent treatment of consumer data across the Internet environment by the FCC and FTC. By contrast, Moy argued that broadband service providers have a uniquely comprehensive view of consumer online activity. In addition, according to Moy, consumers expect broadband service providers, as “gatekeepers” to an “essential service,” to keep consumer information private in a way they do not expect of other online businesses. Moy further contended that the fact that other participants in the ecosystem are collecting and using consumer data does not weigh against more restrictive privacy regulation of broadband service providers.
How to Apply Section 222 to Broadband Providers
The workshop’s second panel focused on the application of Section 222 to broadband Internet access. Industry and academic representatives repeatedly emphasized that the FCC should follow FTC privacy guidance. By contrast, Public Knowledge Senior Vice President Harold Feld questioned the application of FTC guidance to Internet network operators, an area within the particular expertise of the FCC.
Another theme that emerged was the challenging issues the FCC would confront in implementing Section 222, which was written with voice telephone services in mind, to broadband Internet access. In light of the difficulty and importance of the task, industry representatives urged the FCC to develop a comprehensive rulemaking record beginning with a notice of inquiry rather than a proposed rule.
Industry representatives also urged the FCC to adopt a consistent framework for consumer data across Internet participants. Center for Democracy & Technology (CDT) General Counsel Erik Stallman agreed with the concern about asymmetrical privacy obligations between broadband service providers and others. However, Stallman argued that this concern meant that new CPNI requirements should serve as a model for baseline requirements for all participants in the Internet ecosystem.
Just the First Step
It remains to be seen whether CDT will realize its hope that the FCC’s new privacy requirements for broadband Internet service providers will set a de facto standard for all Internet companies. But what is already clear is that the FCC’s expected rulemaking will generate one of the most significant policy debates in Washington on consumer privacy issues in the near future, and the outcome will have a dramatic impact on the industry. Although the FCC has yet to announce a timeframe for any rulemaking, its prompt decision to convene a workshop may be a sign that Chairman Wheeler will seek to move swiftly on this issue.
 The Open Internet Order will be effective on June 12, 2015. However, an application for stay pending judicial review was filed with the FCC on May 1, 2015, which, if granted, could delay the effective date indefinitely.
 The Open Internet Order has been challenged in court. See, e.g., Nat’l Cable & Telecomm. Ass’n v. FCC, No. 15-1090 (D.C. Cir. filed Apr. 14, 2015); Am. Cable Ass’n v. FCC, No. 15-1091 (D.C. Cir. filed Apr. 14, 2015); AT&T Inc. v. FCC, No. 15-1092 (D.C. Cir. filed Apr. 14, 2015).