FCC’s Privacy Power Grab Unsupported by Law

The Federal Communications Commission is trying to deputize itself as the nation’s Internet data privacy cop.

An Oct. 9 letter by Rep. Marsha Blackburn (R-Tenn.) and 13 other members of Congress called out the agency’s aspirations to become the federal privacy regulator for the Internet. Indeed, Congress never gave the FCC such broad powers.

This absence of legal authority makes the FCC the rogue cop of data privacy. Its unauthorized foray into data privacy poses a real rule of law problem that is snowballing: The FCC asserts data privacy authority through its Open Internet order (2015); its TerraCom order (2015) proposed a $10 million data privacy fine despite the lack of any rules on the books; and a recent Lifeline order imposes data-privacy mandates. The FCC’s overreach also encroaches on the jurisdiction of the Federal Trade Commission, with its broader expertise in addressing consumer privacy issues.

It should be the duty of Congress to decide which agency, if any, has jurisdiction over data privacy. Indeed, if new data privacy authority is contemplated, the FTC should be the common enforcer of simple, clear standards to be consistently applied to all digital platforms.

The FCC bases its claims of authority over data privacy on Section 222. In its Open Internet order (2015), the FCC reclassified broadband Internet services as Title II common-carrier telecom services. (This reclassification of broadband is now being challenged in court.) Under that order, the FCC now applies Section 222 to broadband Internet service providers. On May 20, the FCC issued an enforcement advisory on data privacy. The agency has also invoked its self-proclaimed powers over digital privacy in other orders.

Data breaches are very serious, but so are limits on agency jurisdiction. It strains credulity to believe that the lawmaking process can be so easily short-circuited by a sector-specific agency like the FCC claiming to have possessed such broad data privacy powers all this while.

By its terms, Section 222 is limited to customer proprietary network information in the voice communications context. Specifically, CPNI addresses telecommunications providers’ collection and use of individualized consumer data regarding the time and length of calls, phone numbers called and consumer voice billing. (FCC jurisdiction with respect to cable subscriber privacy and DBS subscriber privacy is also circumscribed, under Section 551 and Section 338 of the Satellite Home Viewing Improvement Act, respectively.) CPNI is a different, narrower category than PII.

Any data privacy policy change by Congress would be far down the road. The immediate rule of law issue is the FCC effectively changing data privacy policy by administrative fiat. Absent Congress keeping the FCC within bounds of its limited authority over CPNI data, federal courts will have to hold the agency to the rule of law.

Seth Cooper is a senior fellow at nonprofit think tank The Free State Foundation.