Out of the Frying Pan & into the Fire: The FCC Takes over Privacy Regulation

22 Pages Posted: 2 Apr 2015 Last revised: 21 Aug 2015

Date Written: August 15, 2015

Abstract

In late 2014, the FCC imposed an unprecedented $10 million fine against Terracom — not for violating the FCC’s CPNI rules issued under Section 222(b) and (e), but for failing to provide “reasonable” data security, a duty the Commission found, for the first time, to flow from the general language of Section 222(a) and the “just and reasonable” standard of Section 201(b). In March, the FCC reclassified all broadband providers under Title II — and chose not to forbear from applying either of these sections to broadband. The FCC has promised to clarify what its approach will be in the future.

This paper will explore this evolving issue in depth, including several key legal questions: What does the Open Internet order’s discussion of IP addresses as the equivalent of phone numbers (in order to justify reinterpretation of “public switched network” and thus reclassification of wireless) mean for privacy regulation? How will CPNI regulation, traditionally focused on the adequacy of opt-in consent, evolve? How might the FCC use its sweeping “general conduct” standard or its claimed Section 706 authority over data practices? (The FCC’s 2014 706(b) NOI specifically asked how privacy and security concerns affect broadband deployment.) How might the FCC’s case-by-case enforcement approach work without clear limiting principles? Is the FCC essentially creating a murkier version of the FTC’s unfairness standard? What lessons can be learned from the experience of the FTC with unfairness and, more recently, with data security and privacy regulation?

How far might the FCC’s regulation extend? Might the FCC reclassify other services beyond broadband? Might it indirectly regulate non-common carriers by maintaining that telecom carriers have a duty not to “permit access” (Section 222(c)(1)) to CPNI by, say, mobile operating system or apps operators except subject to a flow-through of CPNI obligations? Will broadband providers, especially mobile operators, become the new intermediaries responsible for policing the data practices of other players in the ecosystem?

This paper will describe where the FCC may head, the pitfalls of various approaches, and offer normative suggestions for how the FCC, FTC and Congress should handle the privacy and data security practices of broadband providers (and other related services).

Keywords: privacy, FCC, Title II, data security, FTC, regulation, law, common carrier

Suggested Citation

Szoka, Berin and Struble, Thomas, Out of the Frying Pan & into the Fire: The FCC Takes over Privacy Regulation (August 15, 2015). TPRC 43: The 43rd Research Conference on Communication, Information and Internet Policy Paper, Available at SSRN: https://ssrn.com/abstract=2588186 or http://dx.doi.org/10.2139/ssrn.2588186

Berin Szoka (Contact Author)

TechFreedom ( email )

110 Maryland Ave NE, Suite 409
Washington, DC District of Columbia 20002
United States

HOME PAGE: http://techfreedom.org

Thomas Struble

R Street Institute ( email )

1050 17th Street Northwest
#1150
Washington, DC 20036
United States

Do you have negative results from your research you’d like to share?

Paper statistics

Downloads
122
Abstract Views
1,003
Rank
414,744
PlumX Metrics