FCC Says Proposed Privacy Rules Built on Firm Statutory Authority
The FCC is giving interested parties until May 27 to file initial comments on proposed privacy rules for ISPs. Replies are due June 27. The NPRM, released by the FCC Friday night, runs 147 pages, with accompanying statements by the commissioners. It mentions the FTC, the nation’s more traditional privacy cop, 189 times. The FCC approved the NPRM 3-2 Thursday with dissents by Commissioners Ajit Pai and Mike O’Rielly (see 1603310049).
“Privacy protects important personal interests,” the NPRM said. “Not just freedom from identity theft, financial loss, or other economic harms but also from concerns that intimate, personal details could become grist for the mills of public embarrassment or harassment or the basis for opaque, but harmful judgments, including discrimination. The power of modern broadband networks is that they allow consumers to reach from their homes (or cars or sidewalks) to the whole wide world instantaneously.” The rules proposed “build on the Commission’s prior decisions and existing Section 222 rules; other federal privacy laws; state privacy laws; and recognized privacy best practices,” the NPRM said.
The FCC proposes a new category of information -- customer proprietary information (PI) -- that would be protected under Section 222 of the Communications Act. The category takes in both customer proprietary network information (CPNI), which the FCC has historically regulated, and personally identifiable information collected by ISPs in providing broadband service.
The FCC proposes to require ISPs to obtain “opt-in” approval from their customers to use PI for any purpose other than the marketing of other communications-related services. “In an era in which broadband providers are or may be affiliated with content providers, social networks, or companies that serve online ads and forms of social media, opt-in approval is needed to protect the reasonable expectations of consumers, who may not understand that their broadband provider can sell or otherwise share their information with unrelated companies for diverse purposes,” the FCC said. The NPRM noted that opt-in approval already is common, for example when a mobile application “asks for permission to use geo-location information, contact lists, or photographs on a consumer’s smartphone.”
The agency also proposes to impose data security requirements on ISPs governing how they protect customer information. “We propose to require [broadband service] providers to, at a minimum, adopt risk management practices, institute personnel training practices, adopt customer authentication requirements, identify a senior manager responsible for data security, and assume accountability for the use and protection of customer PI when shared with third parties,” the NPRM said. The FCC asked whether it should also require ISPs to offer a consumer-facing privacy dashboard that lets customers readily see the types and categories of information the ISP collects, the categories of entities with which customer PI is shared, and the privacy choice the customer has made, “(i.e., whether the customer has chosen to opt in, opt out, or take no action at all with regards to the use or disclosure of her PI), and the consequences of this selection.”
Among the other questions explored is whether some types of information should receive heightened protection. The NPRM cited Social Security numbers, financial account information and geo-location information as data that, though already included within the definition of customer PI, may be so sensitive as to deserve “special treatment” by the FCC. “If so, should the Commission create a separate category of highly sensitive information, what should be included, how should such information be treated, and how would such a regime be administered in practice?” the FCC asked.
The NPRM proposes rules requiring ISPs to notify the FCC of any data breach, and additionally to notify federal law enforcement when a breach affects more than 5,000 customers. “We acknowledge the myriad state laws requiring data breach notification, which inform our proposal,” the FCC said. The NPRM also acknowledged the danger of overnotification, or “notice fatigue,” if customers are alerted to every breach.
The NPRM also asks a battery of questions on whether CPNI rules for phone and interconnected VoIP service should be harmonized with the broadband rules. “Likewise, we seek comment on adopting rules that harmonize the privacy requirements for cable and satellite providers under Sections 631 and 338(i) of the Communications Act with the rules for telecommunications providers,” the FCC said.
The NPRM asks whether the FCC should make use of a multistakeholder process as the rules are implemented. Such a process might be useful in areas such as notice language or security standards, the FCC said. NTIA has made broad use of multistakeholder processes in areas such as mobile application transparency, facial recognition technology and unmanned aircraft systems, the rulemaking said.
The FCC also seeks comment on its statutory authority to impose privacy rules. “We intend our proposed rules to be primarily grounded in Section 222,” the FCC said. “However, we believe that we can also find support in other sections of the Communications Act, including Sections 201 and 202 of the Communications Act, which prohibit telecommunications carriers from engaging in unjust, unreasonable, or unreasonably discriminatory practices; Section 706 of the Telecommunications Act of 1996, as amended ... which requires the Commission to use regulating methods that remove barriers to infrastructure investment; and Section 705 of the Communications Act, which restricts the unauthorized publication or use of communications.”