FCC Proposes Sweeping Privacy and Data Security Rules with Significant Potential Impact on the Broadband Ecosystem
By Steven A. Augustino and Jameson J. Dempsey, Kelley Drye & Warren LLP
On March 31, 2016, the Federal Communications Commission (FCC or Commission) voted along party lines (3-2) to launch a notice of proposed rulemaking (Notice or NPRM) to establish privacy rules for Broadband Internet Access Service (BIAS) providers. This rulemaking stems from the 2015 Open Internet Order and proposes rules to apply Section 222 of the Communications Act of 1934, as amended (Communications Act or the Act), to BIAS. The proposed rules draw from a wide array of federal and state laws, rules, and other guidance, as well as industry best practices, and if adopted could impose prescriptive and complex privacy obligations that would be among the most extensive in the country.
The NPRM proposes to create new rules for broadband privacy that would address customer proprietary information (PI), a category that includes both customer proprietary network information (CPNI) as well as personally identifiable information (PII). If adopted, the FCC’s proposal would impose a privacy framework similar to, but in many respects more prescriptive than, existing voice telecommunications privacy rules. The proposal is designed to:
- Promote transparency through meaningful notice of privacy policies;
- Establish a robust customer choice framework for the use and disclosure of customer PI; and
- Protect customer PI from misappropriation, breach and unlawful disclosure through general and specific data security requirements and breach reporting obligations.
While the bulk of the proposed rules would be separate from the existing voice CPNI rules, the Commission also seeks comment on whether and how to “harmonize” its existing voice CPNI rules with the proposed rules. The Commission also seeks comment on whether and how to harmonize its cable and satellite privacy and data security rules with its proposed framework. Finally, while the Commission has stated that its proposals are not intended to regulate the privacy practices of edge services (e.g., web sites), the Commission seeks comment on whether to require BIAS providers to pass through their privacy and data security obligations (e.g., by contract) to third-party joint venture partners, independent contractors, operating system developers, and equipment manufacturers. Thus, the proceeding affects not only BIAS providers, but, potentially, telecom carriers, VoIP providers, cable providers, satellite providers, equipment manufacturers, and edge services.
Initial comments on the NPRM are due on May 27, 2016 and replies are due on June 27, 2016. Click here to view the full summary of the key proposals and questions.