Congress Repeals FCC 2016 Privacy Order via Congressional Review Act
Kelley Drye Client Advisory
On April 3, 2017, President Trump signed into law a Congressional joint resolution eliminating new broadband and voice privacy rules set forth in a November 2016 order (the 2016 Privacy Order) by the Federal Communications Commission (FCC) (the Joint Resolution). The repeal occurred via Congressional Review Act (CRA) procedures, which enable Congress to rescind recently adopted agency rules. The Joint Resolution will have a modest impact on the status quo with respect to both broadband Internet access service (BIAS) providers and traditional voice providers, since few of the new rules in the 2016 Privacy Order had gone into effect when the Joint Resolution was passed into law. However, a less aggressive privacy posture at the FCC is likely to have ripple effects on privacy enforcement at both the federal and state level, as the Federal Trade Commission (FTC) and state attorneys general may attempt to step in to fill the gap, despite potential jurisdictional challenges. As a result, BIAS providers and voice carriers should maintain reasonable privacy and data security policies and procedures to mitigate risks of enforcement intended to mind the gap in some way.
I. FCC Privacy Background
The FCC’s privacy jurisdiction stems from two provisions of the Communications Act of 1934, as amended: section 201(b), a general consumer protection provision that prohibits telecommunications carriers from engaging in “unjust and unreasonable practices,” and section 222, which requires carriers to protect the confidentiality of customer proprietary network information (CPNI), a category that includes billing information and information about a customer’s use of a carrier’s network. Historically, these provisions only applied to voice telecommunications services and interconnected voice-over-Internet Protocol (VoIP), and over the last 20 years the Commission has adopted a raft of voice-centric CPNI rules to implement section 222. When the Commission reclassified broadband Internet access service (BIAS) as a telecommunications service in 2015, however, it imposed section 201(b) and 222 obligations on broadband Internet access service (BIAS) providers, while forbearing from applying the specific voice-centric rules (which the Commission conceded were not a good fit for broadband services).
To fill the gap, in November 2016, the FCC released stringent privacy rules intended to modernize its privacy regime as applied to both BIAS and voice services (the 2016 Privacy Order). Among other things, the FCC imposed new disclosure requirements, adopted a “sensitivity-based” customer choice framework, and heightened its data security and data breach notification requirements. At the same time, the FCC streamlined its existing recordkeeping and annual certification requirements, adopted an enterprise business exemption, and created a small provider exemption for certain aspects of the rules.
These rules proved controversial, and were opposed by many ISPs for deviating from the FTC framework, which prohibits “unfair and deceptive acts or practices” and applies to the rest of the Internet ecosystem. Among other differences, the FCC’s new rules broadly defined the category of “sensitive information” subject to opt-in customer consent to include web browsing and app usage history of broadband subscribers. When the rules were released, then-Republican FCC Commissioner (and current FCC Chairman) Ajit Pai criticized them for their lack of regulatory parity. Eleven parties sought reconsideration of many aspects of the rules, and several trade associations have called on the FCC to adopt a framework in line with the FTC’s approach. The new rules were scheduled to come into effect on a rolling basis throughout 2017, but on March 1, 2017, at the request of industry trade groups, Chairman Pai stayed the implementation of the first new set of rules due to come into effect—the data security rules—and now it is highly unlikely that the remaining rules will come into effect.
II. CRA Background
The Congressional Review Act is a 1996 law that requires an agency to report to Congress on any new rule, and provides Congress a window of 60 legislative days within which to issue a joint resolution of disapproval, which when signed by the President prevents any new rule subject to the joint resolution from taking effect and invalidates any rules that have already gone into effect. After the issuance of a joint disapproval, the agency may not reissue the rule in “substantially the same form” or issue a “new rule that is substantially the same” as the disapproved rule. 5 U.S.C. § 801(b)(2).
The CRA does not define what “substantially the same” means, and there is little case law or legislative history on the subject. In fact, nearly all courts that have looked at the issue have held that the CRA unambiguously precludes judicial review. See, e.g., Montanans for Multiple Use v. Barbouletos, 568 F.3d 225, 229 (D.C. Cir. 2009). As a result, it’s unclear what type of rule would be “substantially the same,” and ultimately Congress would need to decide whether a given rule exceeded the CRA. This provides significant flexibility to agencies to interpret the scope of any joint resolution, particularly when a single political party holds a majority at the agency and in Congress.
Before the most recent change in administration, the CRA had only been used once—in 2001—to invalidate an agency rule. However, since January 20, 2017, it has been used 13 times to repeal rules in areas as diverse as teacher preparation, federal acquisitions, unemployment compensation, and now privacy. The following section describes the impact of the Joint Resolution on the FCC’s privacy regime.
III. The State of FCC Privacy
The Joint Resolution on the FCC’s 2016 Privacy Order disapproves of the “rule submitted by the Federal Commissions Commission relating to ‘Protecting the Privacy of Customers of Broadband and Other Telecommunications Services’ (81 Fed. Reg. 87274) (December 2, 2016).” The resolution does not specify the “rule” at issue other than with reference to the 2016 Privacy Order, and as such it is fair to read the Joint Resolution as applying to the entire 2016 Privacy Order.
While the long-term impact of the CRA on the FCC’s privacy rules remains to be seen, the repeal returns the FCC to the regulatory status quo in the immediate aftermath of the 2015 Open Internet Order. By signing the measure, it appears that the President invalidated the 2016 Privacy Order in its entirety. Below, we describe the impact of this change on BIAS and other telecommunications service providers.
Impact of CRA on BIAS providers
The immediate impact of the Joint Resolution on BIAS providers is limited. At the time the Joint Resolution was signed into law, none of the principal rule provisions of the 2016 Privacy Order (i.e., those related to notice, choice, data security, and data breach notification) had come into effect. Further, the statutory privacy obligations and various state privacy and breach notification laws that were in effect before the Joint Resolution remain in effect. Moreover, in connection with their request to stay the data security rules of the 2016 Privacy Order, the largest BIAS providers had already voluntarily committed to adopt principles consistent with the FTC’s framework.
Going forward, the path is less clear. If the FCC or Congress reclassifies BIAS as an information service (such that BIAS providers are no longer common carriers), the FTC will regain jurisdiction over broadband privacy, as had been the case prior to 2015. Alternatively, if the FCC or Congress does not reverse BIAS classification, the FCC can issue new rules that are not “substantially the same” as those in the 2016 Privacy Order. However, the contours of the CRA’s “substantially the same” prohibition are untested, and it’s unclear whether the Commission could adopt rules in line with section 5 of the FTC Act without running afoul of the CRA. As a further alternative, the FCC could decline to impose rules at all, instead leveraging its statutory authority under section 201(b), section 222, or the Open Internet transparency rule (which requires disclosure of privacy practices), to go after bad actors.
Ultimately, the Joint Resolution neither prohibits FCC enforcement of privacy and security under Section 201(b) (bars unjust and unreasonable practices) and Section 222 (requirements applicable to broadband are unclear), nor does it mean that BIAS providers can collect, use, and share data for any purpose without consent for all marketing purposes. Rather, the impact of the Joint Resolution is that ISPs will likely be subject to oversight reflecting the FTC’s long-standing privacy and data security framework.
Impact of CRA on Other Providers of Telecommunications Services
As with BIAS providers, the effect of the Joint Resolution on voice providers (including interconnected VoIP providers) likely is limited. In the 2016 Privacy Order, the Commission noted that the old CPNI rules would remain in effect for voice providers until the effective date of the new rules, with the exception of the recordkeeping and annual reporting requirements that were eliminated when the Order first went into effect, and a new enterprise customer exception. For the most part, then, the Joint Resolution preserves the status quo.
The reinstatement of the old regime could have two negative impacts on voice providers. Specifically, by turning back the clock to the pre-2016 Privacy Order regime, the Joint Resolution may eliminate the enterprise customer exception and reinstate the recordkeeping and reporting requirements. Importantly, if the Joint Resolution were to reinstate the annual certification requirements in Section 64.2009, there is reason to believe the FCC would decline to require annual certification, either through a waiver or by narrowly reading the Joint Resolution to apply to new rules and not eliminated rules.
The Role of the FTC and State Attorneys General in Broadband Privacy
In the wake of the Joint Resolution, we expect some ripple effects in the enforcement postures of various privacy authorities at the federal and state levels.
At the federal level, so long as BIAS providers are classified as common carriers, the communications services they provide remain exempt from FTC jurisdiction under the “common carrier exemption” in section 5 of the FTC Act. Moreover, last year, in FTC v. AT&T Mobility, the Ninth Circuit ruled that the FTC lacks jurisdiction over the non-common carrier activities of a company if that company is otherwise classified as a common carrier.* Republican and Democratic FCC and FTC commissioners—including Acting FTC Chairwoman Maureen Ohlhausen and FCC Chairman Pai—have called for the elimination of the common carrier exemption by statute, and others have further suggested that the FCC should cede consumer protection authority to the FTC. Whether this happens or not, we expect that the FCC going forward will take a more FTC-like approach to consumer protection issues (focused on case-by-case enforcement rather than ex ante, prescriptive rules). As a result, while we expect fewer privacy- and security-related enforcement actions in the current Republican-controlled FTC and FCC, BIAS providers should nevertheless take steps to maintain reasonable privacy and data security protections to mitigate risk of enforcement.
At the state level, as the FCC takes a less aggressive approach to privacy, we expect to see renewed interest in broadband privacy enforcement among state attorneys general. For example, state attorneys general in states such as California, New York, Massachusetts, and Connecticut have become increasingly active in privacy issues, by virtue of state “mini-FTC Acts,” which prohibit unfair or deceptive acts or practices, and specific privacy and data security laws. More states are following suit. For example, Illinois is currently considering adopting a bill that would require companies to disclose the types of information they collect about consumers and the entities with which they share it. As a result, providers should pay attention to state privacy and data security laws and take steps to mitigate risk of enforcement when serving customers in those states.
Kelley Drye’s Communications and Privacy and Information Security practice groups are well-versed in privacy law at the federal and state level, and stand ready to help interested parties navigate this period of uncertainty. Should you have any questions, please contact the authors of this post.
* For more, check out our podcast on the decision.