FCC To Take on Privacy in NPRM Set for Release Early This Year

At the CTIA meeting in September, the privacy NPRM was a hot topic, with O’Rielly and Commissioner Ajit Pai questioning the need for FCC action. While the NPRM at that point appeared imminent, it didn't make the cut for the remaining three meetings of the year (see 1509110027). A rulemaking is now expected in coming months.

Guidance by the FCC Enforcement Bureau released in May in the wake of the net neutrality order said the bureau expects ISPs to adopt privacy protections “in keeping with the tenets of core basic, privacy protections.” The FCC regulated the collection and use of customer proprietary network information (CPNI) for decades.

“I can only go off the chairman’s words,” O’Rielly said. “He seems to indicate that he wants to still pursue this path. I find it extremely problematic.” The FCC doesn't have the staff to handle privacy issues and lacks expertise in general in that area, O’Rielly said. “The FTC has shown great ability to handle these issues.” The net neutrality order “led us down this path,” he said. “I hope it’s not detrimental to the high-tech community.”

The FCC is still gathering feedback before release of an NPRM, Clyburn said. “The public expects us to be clear and definite and seamless when it comes to what our responsibility is and what the FTC’s responsibility is,” she said. “We should use every section of every act, every subsection at our disposal to ensure that the public has the protections that they need and deserve.”

FTC Commissioner Julie Brill, who spoke on several panels at CES last week, said in response to our question that she would welcome the NPRM. “I absolutely think there’s a role for the FCC,” she said. "It’s a great opportunity for having a sector-specific rule dealing with broadband providers and how they’re going to be treating data. I think there are a lot of choices they need to make in terms of translating the CPNI framework to broadband provision of services and what kind of data is flowing there,” she said. “There’s a need to do a lot of work there.” Brill said she has had several discussions with FCC officials about a potential privacy rule.

John Godfrey, Samsung Electronics North America senior vice president-public policy, said in response to Brill that it's critical for federal agencies to work together on privacy regulation. “What we as companies don’t want is contradictory regulations from different regulators,” he said. “Then we don’t know what to do.”

"I doubt many Americans believe their privacy is too well protected, and that as a consequence the FCC should just sleep on its mandate to make sure carriers protect their personal information,” emailed Free Press Policy Director Matt Wood. "The FCC rightly chose not to forbear from Section 222 when it returned to the solid law of Title II. Broadband providers serve as gatekeepers not only to the Internet, but to vast troves of sensitive information about their subscribers. Some will complain that the FTC already handles privacy, and that other kinds of companies can violate our privacy too. But the fact remains that Congress wrote separate protections into the law for telecom users, including broadband telecom. There is plenty for the two agencies to do and plenty they can do to coordinate."

TechFreedom is looking closely at the issue and preparing a white paper, President Berin Szoka told us. The FCC will likely rely on the traditional CPNI rules, Section 222 (a) of the Communications Act in light of the 2014 TerraCom settlement on alleged Lifeline USF customer privacy violations (see 1507090035), and Section 706, he said. The NPRM will say, “we will use all of these, it’ll be a belt and suspenders, every kit in the toolbox kind of approach,” Szoka said. “The question will be how specific do they get. Do they do things like, for example, requiring opt in, and they probably will.”

Flexibility

The FTC has laid out a general approach, while operating on a case-by-case basis, Szoka said. The FCC NPRM will probably use the word flexible repeatedly, he predicted. But the agency, similar to the FTC, will really mean flexibility for the agency to regulate rather than flexibility for regulated companies, he said. “You’ll see something that looks very much like what the FTC does, with even less constraint and even less need to tip the hat to [preventing] unfairness and deception,” he said. “It’s going to be just like the FTC except worse.”

The FCC has traditionally exercised oversight of CPNI, said Free State Foundation President Randolph May. The problem is the FCC is expanding its regulatory reach into the Internet arena, he told us. “The FCC is in an expansionist, power-grabbing mode. In this case, sound policy would dictate that the FTC, which already has considerable expertise and experience in enforcing privacy safeguards for all participants in the Internet ecosystem, should handle Internet privacy issues,” May said. “This is even more so when you have an FCC Enforcement Bureau that appears committed to aggressiveness to the point of unfairness. For example, the recent substantial fine imposed on Cox Communications for a third-party data breach is out of line with similar situations where the FTC has required implementation of additional safeguards without imposing a fine.”

​“The FTC has been the expert agency on privacy for decades,” said a former FCC official who represents telecom and other clients. “The FCC, under this chairman, has aggressively expanded its jurisdiction into many areas, including the privacy realm. Moving into this space is controversial for any kind of company in the Internet space, be it a network operator or edge provider, because FCC new precedent regarding privacy is being made every day.”