Can The FCC Protect Internet Subscribers’ Online Privacy?
On March 31, on a party-line 3-2 vote, the Federal Communications Commission proposed to adopt new rules designed to provide privacy protections for customers of Internet service providers (ISPs). The FCC’s wide-ranging Notice of Proposed Rulemaking (NPRM) asks hundreds of questions as to how it should shape these requirements. There has already been considerable news coverage concerning the scope and details of these rules, and there will be much more debate as the Commission’s inquiry proceeds over the coming months. However, there has been less discussion about the underlying legal issues which made it necessary for the FCC to initiate this proceeding and the questions about whether the FCC can, indeed, adopt the rules it has proposed.
The FCC has regulated certain privacy-related activities for some time. Various provisions of the Communications Act give the Commission limited power to address consumer privacy of cable and satellite TV subscribers, but the enforcement of these statutes has largely related to things like billing information. The FCC has somewhat broader statutory power to protect privacy of telephone subscribers, but the regulatory policies the Commission has enforced were designed in an earlier era and do not address the broader range of information that can now be collected.
Until last year, Internet service was subject to the minimal regulatory scheme set forth in Title I of the Communications Act, which gives the Commission little or no power to address privacy practices of ISPs. The activities of these companies was, however, subject to the jurisdiction of the Federal Trade Commission, which enforces Section 5 of the FTC Act to restrict “unfair or deceptive acts or practices.” However, in its February 2015 Network Neutrality order, the FCC decided that it would “reclassify” ISPs as common carriers subject to the broader authority of Title II of the Communications Act. This created an important gap, because Section 5 specifically exempts common carriers from FTC enforcement. (The U.S. Court of Appeals is currently considering challenges of the Network Neutrality decision; depending on what the Court does, the new inquiry may be partially or entirely moot.)
There is a fundamental difference in the enforcement processes of the FTC and FCC. For the most part, the FTC does not have the power to adopt forward-looking rules. Instead, it generally brings enforcement proceedings on a case-by-case basis after it has determined that a company under its jurisdiction has violated Section 5. These enforcement actions give signals to other companies as to what may or may not be permissible, but this is a rather imprecise process. By contrast, the FCC has broad general rulemaking authority, which it uses to adopt specific prescriptive rules governing conduct. While the FCC can and does bring enforcement action when it receives complaints about violations of those rules, the boundaries are established by the rules, not by enforcement actions.
Because it recognized that its telephone-era privacy rules are ill-suited to address the activities of ISPs, the FCC’s 2015 reclassification decision expressly declined to apply those requirements to ISPs, but instead announced that the Commission would initiate a new proceeding to adopt more appropriate rules in a later proceeding. That is what it has now done.
As discussed below, the FCC’s NPRM is primarily rooted in Section 222 of the Communications Act. However, perhaps recognizing that it may not be able to rely entirely upon Section 222, the Commission did also say it “can also find support” for privacy rules under several other provisions of the Communications Act. This includes its generic authority under Sections 201 and 202 of the Communications Act to prohibit unjust or unreasonable practices by common carriers. The FCC also referred to Section 705 of the Communications Act, which, among other things, has historically been used to require telephone companies to protect the contents of telephone conversations and Section 706 of the Telecommunications Act of 1996, which directs the FCC to take steps to promote broadband deployment. In addition, the Commission adverted to its mandate under Title III of the Communications Act to promote the public interest in regulating wireless carriers. (This may be very important if, as is possible, the Court of Appeals generally upholds the FCC’s Network Neutrality decision, but reverses the Commission as to its application of Title II power to wireless companies.)
Notwithstanding its invocation of those statutes, the primary focus of the NPRM is Section 222 of the Communications Act. As the NPRM explains,
Congress added Section 222 to the Communications Act in 1996. Section 222, entitled “Privacy of customer information,” established a new statutory framework governing carrier use and disclosure of customer proprietary network information and other customer information obtained by carriers in their provision of telecommunications services. Fundamentally, Section 222 obligates telecommunications carriers to protect the confidentiality of proprietary information, including proprietary information about their customers, and in furtherance of that obligation it requires carriers to seek approval before using or sharing customer proprietary network information.
The meaning of Section 222 will be central to the debate over the FCC’s power to regulate online privacy. While Section 222 contains a clear mandate to regulate privacy practices of Title II carriers, the Commission faces a problem in enforcing it as to online services offered by ISPs. To date, the Commission’s regulations have relied upon Section 222(c), which prohibits misuse of "individually identifiable customer proprietary network information," commonly referred to as "CPNI." CPNI is narrowly defined in Section 222(h)(1) as essentially relating to call records and billing information for "telephone exchange service." This simply does not reach the online offerings the FCC now wishes to regulate, such as (among many other forms of data) service plan information, the speed, pricing and capacity purchased, geo-location information, information about the devices being used for access, the Internet addresses being accessed, traffic statistics and bio-identification information.
Because of the limitations of Section 222(c), the Commission seeks instead to rely on the much broader and more general language in Section 222(a), which provides that "every telecommunications carrier has a duty to protect the confidentiality of proprietary information of...and customers,..." The problem is that, until recently, the Commission has not invoked Section 222(a) as a source of specific regulatory authority. In dissenting, Commissioner Michael O’Reilly argued that Section 222(a) was never intended to be an independent grant of authority. Citing to an earlier dissent in an enforcement case, Commissioner O’Reilly explained that prior to 1996, the FCC’s CPNI rules only covered AT&T and the local phone companies spun off when AT&T was broken up, and that Section 222(a) was merely intended to expand CPNI requirements to all telephone companies (i.e., “every telecommunications carrier”). Indeed, his reading is consistent with many prior FCC interpretations of Section 222(a).
The NPRM did not respond to Commissioner O’Reilly by name, but it cited a 2007 decision which, it said, “acknowledged the general mandate to protect confidentiality in 222(a).” It
recognize[d] that earlier Commission decisions focused primarily on Section 222(c)’s protection of CPNI, and could be read to imply that CPNI is the only type of customer information protected. However, those decisions simply did not need to address the broader protections offered by Section 222(a), and we do not so limit ourselves here****The duty to secure the confidentiality of customer information beyond CPNI would not have been as substantial a concern in the years before it became so common for information to be stored electronically.
There are many policy challenges and political obstacles the FCC must surmount if it is to meet Chairman Wheeler’s goal of adopting new privacy rules by the end of the year. And, while there is unquestionably some uncertainty about the FCC’s powers to regulate Internet service under Section 222, reviewing courts traditionally give a great deal of latitude to agencies to interpret and reinterpret their jurisdictional statutes so long as they make plain they are modifying their analysis and give a reasonable explanation for the change. Thus, if the agency gets that far, the odds are that the FCC’s utilization of Section 222 will survive challenge.