Congress Uses Congressional Review Act to Repeal 2016 Privacy Order
Earlier this month, President Trump signed into law a congressional Joint Resolution pursuant to the Congressional Review Act repealing the new broadband and telecommunications privacy rules adopted last October by the FCC in its 2016 Privacy Order. Because the bulk of the FCC’s new privacy rules had not yet gone into effect, this action effectively returns broadband providers to the status quo prior to adoption of the Order. That is, broadband providers remain classified as Title II telecommunications carriers in their provision of broadband Internet access service under the FCC’s 2015 Open Internet Order and therefore subject to the statutory commands of Sections 201 (acts and practices of common carriers must be just and reasonable), 202 (prohibiting unjustly or unreasonably discriminatory acts or practices), and 222 (protections for customer proprietary network information – CPNI) with respect to safeguarding customer privacy.
For providers of both broadband and other telecommunications services, the direct effect of the Joint Resolution is relatively limited, given the fact that the core new privacy rules related to notice, choice, data security, and data breach notification had not taken effect. The 2016 Privacy Order specified that the bulk of the old CPNI rules would remain in effect for voice providers until the effective date of the new rules. As the new rules now have been eliminated, the old CPNI rules for voice remain in full force and effect, with the exception of the old CPNI recordkeeping and annual reporting requirements. In a December 2016 Public Notice, the FCC affirmed that the 2016 Privacy Order relieved telecommunications carriers and interconnected VoIP providers of the specific compliance recordkeeping and annual certification requirements in 47 C.F.R. §§ 64.2009(c) and (e), so that once the Order became effective on January 3, 2017, telecommunications carriers and interconnected VoIP providers would no longer will be required to comply with those requirements. Repeal of the 2016 Privacy Order has thus created some uncertainty as to any potential resumption of the old CPNI recordkeeping and annual reporting requirements. We anticipate the FCC will issue guidance on this issue.
Going forward, FCC Chairman Pai and Acting FTC Chairman Ohlhausen issued a joint statement pledging to work together to achieve a “comprehensive and consistent framework” for protecting consumers’ online privacy by harmonizing the FCC’s privacy rules for broadband providers with the FTC’s standards for other companies in the digital economy. Longer term, we expect that the FCC will re-examine its 2015 decision to classify broadband Internet access service as a Title II service, undoing the application of common carrier regulation to broadband privacy and data security practices.
In the meantime, there are several steps broadband providers can take to ensure their compliance with the law as it applies today. While the FCC is likely to issue additional advisory guidance as it works out next steps on broadband privacy, operators should consult the outstanding guidance that was issued by the FCC Enforcement Bureau shortly before the FCC’s 2015 Open Internet Order was to take effect. This 2015 Advisory Guidance addresses the Enforcement Bureau’s approach to enforcement of broadband providers’ compliance with their obligations under Section 222 of the Act to protect the confidentiality of CPNI in the absence of specific implementing regulations applying the statute more specifically to broadband providers. The 2015 Advisory Guidance counseled providers “to take reasonable, good faith steps to protect consumer privacy.” It states that in “examining whether a broadband provider’s acts or practices are reasonable and whether such a provider is acting in good faith to comply with Section 222, the Enforcement Bureau intends that broadband providers should employ effective privacy protections in line with their privacy policies and core tenets of basic privacy protections.” For reference, members of the American Cable Association have adopted, on a voluntary basis, a set of Privacy Principles filed with the FCC as an Appendix in conjunction with a Joint Petition for Stay of the 2016 Privacy Order that include transparency, consumer choice, data security, and data breach notification. These principles are consistent with the FTC’s long-standing privacy framework applicable to all participants in the Internet ecosystem.
Providers are also reminded that they are subject to a variety of state and federal unfair and deceptive trade practices, data security and data breach laws. The FCC also requires broadband providers to disclose their privacy policies as part of the Open Internet disclosures mandated by the Transparency Rule. Broadband providers should review their privacy policies to ensure that they are up-to-date, accurate and consistent with other consumer-facing policies and statements.
If you have any questions about the FCC’s broadband privacy rules, please contact Barbara Esbin at (202) 872-6811 or besbin@cinnamonmueller.com, Bruce Beard at (314) 394-1535 or bbeard@cinnamonmueller.com, or Scott Friedman at (312) 372-3930 or sfriedman@cinnamonmueller.com.