Ever since service providers expanded to wireless and mobile coverage, the landscape for federal guidance has changed drastically. In the past, the Federal Trade Commission (“FTC”) oversaw enforcement of privacy and data security issues, deriving their authority from Section 5 of the FTC Act, which allows them to pursue action against companies that they deem to be undertaking deceptive or unfair acts and practices in commerce. Section 5 of the FTC Act, however, lists a key exemption for companies considered to be “common carriers.”
If a company is considered to be a common carrier, the Federal Communications Commission (“FCC”) then typically has jurisdiction. While this made sense before broadband, cable, and wireless services became prevalent, the push for “net neutrality” has, ironically, opened the door to less protection and data oversight due to confusion over whether the FCC or the FTC must act on behalf of consumers. In his support of net neutrality, the principle that Internet service providers (“ISPs”) should enable access to all content and applications regardless of the source, without favoring or blocking specific websites or applications, President Obama allowed the FCC to reclassify broadband providers as Title II common carrier service providers under the 2015 Open Internet Order. This meant that companies that were previously under the FTC’s oversight suddenly became subject to FCC rules instead.
As a result, this has unfortunately created great confusion over how data security breaches and consumer information should be handled because the FCC typically did not handle such litigation. Some experts have even gone as far as to question whether the FCC has the requisite expertise to handle such litigation against these technology companies when it has historically been the FTC who sued companies such as America Online, CompuServe, and Prodigy on behalf of consumers.
Even more frustratingly, the confusion may have been avoided by better overall government planning. These problems in overlap were foreseen as early as 2007 in a report filed by the Internet Access Task Force, which noted that “the common carrier exemption is likely to frustrate the FTC’s efforts to combat unfair or deceptive acts and practices and unfair methods of competition in these interconnected markets.”
And now, the confusion has only been further compounded by a 9th Circuit 2016 ruling that turned on whether the entity in question has the “status” of a common carrier. While the FTC and FCC have long argued over whether exemptions are given based on status or activity, the 9th Circuit held that the “plain language” of the statute does not make any reference to activities, and therefore ruled against the FTC (and thus consumers) and in favor of technology giant, AT&T.
While consumers have urged the court to reverse the decision, which allowed AT&T to throttle the mobile Internet speed of its customers without explicit consent, the turmoil only continues as the FCC seems to have taken a step back from their new regulatory role. Just this past March, the FCC issued a stay of a rule that would have created new consumer privacy protection by requiring ISPs and phone companies to take ‘reasonable’ steps to protect consumer information (e.g., social security numbers, health information, web history, etc.) from theft and data breaches. In their explanation, the FCC cited an interest in shifting authority back to the FTC to “avoid consumer confusion.”
While it remains to be seen which government entity will ultimately provide the best privacy protection for consumers, law practitioners would be wise to follow the two agencies and relevant court rulings until clear, bright-line guidance emerges.