The FCC’s Wireline Competition and Consumer and Governmental Affairs Bureaus recently announced that they will hold a joint workshop on Tuesday, April 28 to “explore the Commission’s role in protecting the privacy of consumers that use broadband Internet access service.” Discussions will center around the FCC’s recent Open Internet Order and its implications for the obligations that broadband providers will have going forward with respect to consumer privacy and data security.
As we explained in our earlier blog post and client advisory, the FCC’s Open Internet Order includes new and modified open Internet rules; reclassifies broadband Internet access service (BIAS) as a “telecommunications service” under Title II of the Communications Act of 1934, as amended; and imposes several provisions of Title II on BIAS providers (e.g., consumer protection, privacy, and disabilities access requirements), while forbearing from others. Of particular importance is the Commission’s decision to impose Section 222 on BIAS providers, which mandates that such providers have a duty to protect the confidentiality of proprietary information that they hold about their customers, particularly customer proprietary network information (CPNI). The Commission forbore from requiring BIAS providers to comply with the existing CPNI rules that apply to telecommunications carriers, but indicated that it will initiate a separate rulemaking proceeding to amend the existing rules and determine how they should be applied to BIAS providers going forward. The April 28 joint workshop is expected to kick-start that initiative. The FCC also made clear in the Open Internet Order that Sections 201 and 202 of the Communications Act, which prevent “unjust or unreasonable” practices and prohibit telecommunications service providers from engaging in discriminatory practices, would also apply to BIAS providers.
A thorough understanding of the FCC’s viewpoints on these issues is critical, particularly in light of the Commission’s recent trend of aggressively pursuing consumer privacy and data security enforcement actions and imposing stiff penalties for rule violations. In October 2014, the FCC proposed a $10 million fine against two carriers for failing to properly protect the confidentiality of consumers’ proprietary information collected from applicants for wireless and wired Lifeline services. More recently, the Commission announced that it had reached a $25 million settlement with AT&T to resolve an investigation regarding customer proprietary information and CPNI breaches at three of the company’s call centers. In the announcement of the AT&T settlement, FCC Enforcement Bureau Chief Travis LeBlanc stated that the Commission “hope[s] that all companies will look at this agreement as guidance.” In both cases, Sections 201, 202 and 222 were the bases for the alleged violations. BIAS providers now subject to these same statutory mandates need to understand what they will be required to do once the Open Internet Order becomes effective in June.
This workshop provides a valuable opportunity to gain insight into the Commission’s expectations because participants will be able to “explore a range of matters associated with the application of statutory privacy protections to broadband Internet access service.” We will be monitoring the progress from this workshop, so be sure to check back at the end of April.