Friday, October 23, 2015

FCC's Internet Privacy Power Grab Unsupported by Law

The Federal Communications Commission is trying to deputize itself as the nation’s Internet data privacy cop. An October 9 letter by Rep. Marsha Blackburn and 13 other members of Congress calls out the Commission's aspirations to become the federal privacy regulator for the Internet. Indeed, Congress never gave the FCC such broad powers. 
This absence of legal authority makes the FCC the rogue cop of data privacy. The FCC’s unauthorized foray into data privacy poses a real rule of law problem. In fact, it's a problem that is snowballing: The FCC asserts data privacy authority through its Open Internet Order (2015); its TerraCom Order (2015) proposed  $10 million in data privacy fines against two telecommunications providers despite the lack of any rules on the books; and a recent Lifeline order imposes data privacy mandates. The FCC's overreach also encroaches on the jurisdiction of the Federal Trade Commission (FTC), an agency with a broader expertise in addressing consumer privacy issues.
Congress is responsible for reining in the FCC and keeping it within the limits of its delegated powers. It is also Congress's responsibility to make sure that clear jurisdictional lines separate the FCC and the FTC. It should be the duty of Congress to decide which agency, if any, has jurisdiction over data privacy. Indeed, if new data privacy authority is contemplated, the FTC should be the common enforcer of simple, clear standards to be consistently applied to all digital platforms.
The FCC bases its claims of authority over data privacy on Section 222. In its Open Internet Order (2015), the FCC reclassified broadband Internet services as Title II common carrier telecommunications services. (This reclassification of broadband is now being challenged in court.) Under that Order, the FCC now applies Section 222 to broadband Internet service providers.
On May 20, 2015, the FCC issued an enforcement advisory on data privacy. The agency has also invoked its self-proclaimed powers over digital privacy in other orders. Its TerraCom Order proposed a hefty $10 million in fines against TeraCom, Inc. and YourTel America, for a data breach involving personal identifiable information (PII). And in the universal service context, FCC insisted in its Lifeline Modernization Order (2015) that subscriber PII falls within its enforcement jurisdiction. The Commission is now weighing a petition seeking reconsideration of that order's data privacy mandates.
Data breaches are very serious, but so are limits on agency jurisdiction. Over the last several years, numerous data breach laws have been passed by state legislatures. And many data breach bills have been introduced and been the subject of hearings in Congress. It strains credulity to believe that the lawmaking process can be so easily short-circuited by a sector-specific agency like the FCC claiming to have possessed such broad data privacy powers all this while.
By its terms, Section 222 is limited to customer proprietary network information (CPNI) in the voice communications context. Specifically, CPNI addresses telecommunications providers' collection and use of individualized consumer data regarding the time and length of calls, phone numbers called, and consumer voice billing. (FCC jurisdiction with respect to cable subscriber privacy and DBS subscriber privacy are also circumscribed under Section 551 and Section 338 of the Satellite Home Viewing Improvement Act, respectively.) CPNI is a different and narrower category than PII.
Aside from questions about over-reaching its Commission’s legal authority, applying Section 222 to broadband Internet service providers is bad policy. As FSF President Randolph May and I have previously explained, "Any New Privacy Regime Should Mean An End To FCC Privacy Powers." If a new federal privacy regime is really called for, it should be up to Congress to make that call. And if Congress so decides, transferring all privacy jurisdiction over communications and information services from the FCC to the FTC is the much preferred policy course.
The old lines differentiating products, services, and provider roles make little sense in today's digital, IP-based converging communications market. And it's unreasonable to think consumers expect privacy protections that differ when data is handled by a mobile broadband service provider or a media content company or applications provider. Transferring all privacy jurisdiction over CPNI from the FCC to the FTC would give consumers a simpler set of privacy expectations.
Making the FTC the common enforcer of common standards would also make compliance easier for providers or companies handling data. It would reduce the likelihood that certain types of information collectors would be unfairly disadvantaged without good cause by being subject to different privacy requirements.

Any data privacy policy change by Congress would be far down the road. The immediate rule of law issue is the FCC effectively changing data privacy policy by administrative fiat. Absent Congress keeping the FCC within bounds of its limited authority over CPNI data, federal courts will have to hold the agency to the rule of law.

* Information concerning the fine proposals and number of providers involved has been corrected (7:20AM 10/23/15)