If you thought all the action in privacy regulation centered around the Federal Trade Commission, the Federal Communications Commission would like you to think again. Yesterday, April 28, the FCC held a 3-plus hour workshop that started the regulatory “conversation” on the manner in which the FCC can or should regulate consumer broadband privacy.
Chairman Wheeler kicked off the event with opening remarks that included this unequivocal statement: “Privacy is unassailable.” He also said that “changes in technology do not affect our values.” From these words and the text of the FCC’s “Open Internet” order released earlier this year, not to mention the FCC’s recent $25 million data breach consent decree with AT&T, it is clear the FCC intends to be involved in regulating consumer privacy.
Yesterday’s workshop follows the recent Open Internet order in which the agency determined it would apply certain aspects of its Title II authority to the Internet (namely, certain “common carrier” provisions of the Communications Act). The order has broad impact on issues like consumer access to broadband content that have been widely written about. But what the order means for privacy is that the FCC’s rules on “customer proprietary network information” or CPNI, which have historically applied to traditional telephone companies and interconnected VoIP providers, may apply more broadly in some form or fashion to others in the broadband ecosystem—particularly, broadband Internet access providers.
By way of background, CPNI (defined in Section 222(h)(1) of the Communications Act) is information collected by telecommunications carriers about their customers. CPNI includes things like “quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service” that a customer subscribes to and billing information. It is a fairly specific definition, and it doesn’t include personal information like name, phone number, address, etc.
Section 222(a) of the Communications Act requires telecommunications carriers to protect the confidentiality of customer information, and Section 222(c) restricts the ability of telecommunication carriers to use, disclose, or permit access to individually identifiable CPNI without the customer’s approval or as required by law.
The Open Internet order makes plain that the FCC intends to apply these CPNI confidentiality provisions (or some form of them) to broadband and broadband Internet access providers. But the FCC will need to adopt new rules to apply the CPNI provisions of the statute in this way.
Yesterday’s workshop started that process with a discussion among stakeholders, though no formal rulemaking has been launched. Panelists discussed the privacy implications of broadband Internet access (for example, the kind of data broadband providers have access to) as well as specific concerns with applying Section 222 to broadband Internet access services. One common theme was the potentially overlapping jurisdiction of the FTC and the FCC in the area of privacy. But, significantly, one thing the FCC brings to the table in this area is general rulemaking authority, which the FTC lacks.
We’ll have to watch and wait to see if a notice of inquiry, notice of proposed rulemaking, or other agency guidance will come.