Last October, the Federal Communications Commission (FCC) approved new privacy rules governing how Internet Service Providers (ISPs) are permitted to use and share their customers’ personal information. The rules have been fiercely contested by telecom companies that contend they are being unfairly held to more stringent regulations than so-called edge providers (Google, Facebook, etc.), which are subject only to less restrictive guidelines established by the Federal Trade Commission (FTC). In particular, the FCC rules go beyond FTC regulations in defining “sensitive” customer information to include web browsing and application usage history and requiring ISPs to obtain affirmative “opt-in” consent before using or sharing such information. Certain data security obligations under the rules were scheduled to go into effect on March 2nd, with the remaining provisions relating to data breach notification and opt-in requirements slated for implementation later this year.
Following the election and President Trump’s subsequent appointment of Ajit Pai as FCC Chairman, the fate of the privacy rules is very much in doubt. On March 1st, the FCC voted 2-1 to stay implementation of the data security regulations under the privacy rules. Chairman Pai, who voted against the privacy rules as a commissioner, issued a joint statement with Acting FTC Chairman Maureen Ohlhausen emphasizing their intent to “harmonize” the FCC’s privacy rules for broadband providers with the FTC’s standards for edge providers.
Meanwhile, Republicans in Congress have put forward bills designed to eliminate the FCC’s privacy rules in full. The legislation relies on the rarely used Congressional Review Act (CRA), which authorizes Congress to review and overturn recent federal regulations on an expedited schedule and with a simple majority vote. Further, the CRA prohibits the enactment of “substantially similar” rules by the agency in the future – meaning that the FCC may be preempted from regulating ISP privacy issues going forward.
Adding another layer of complexity to the issue, if the FCC cannot regulate data privacy issues involving ISPs, the FTC may not be permitted to fill the void. Last year the Ninth Circuit Court of Appeals held in FTC v. AT&T Mobility, LLC, that AT&T was exempt from FTC oversight based on its status as a “common carrier” under the FCC’s 2015 net neutrality order.