Last year, a divided Federal Communications Commission voted 3-2 to impose new disclosure obligations on telecommunications companies that suffer data breaches.
The agency specifically
required telecoms to notify consumers, federal law enforcement agencies and the agency about all breaches -- even “inadvertent” ones -- that expose personally identifiable information,
including sensitive financial information.
Broadband industry groups are now asking a federal appeals court to scuttle those rules. The groups argue in papers filed last week that Congress
stripped the FCC of authority to issue the new regulations.
“Administrative agencies have only the powers that Congress gives them," NCTA--The Internet & Television Association, US
Telecom--the Broadband Association and other industry groups argued in an appeal filed with the 6th Circuit Court of Appeals.
"They certainly lack any powers that Congress has expressly
denied them,” the groups added.
The industry organizations point to Congress's 2017 decision to revoke privacy rules passed by the FCC during the Obama administration. Those rules --
which never actually took effect -- would have required broadband carriers to obtain consumers' permission before harnessing information about their web activity for ad targeting.
The Obama-era
privacy rules also required providers to notify customers and law enforcement agencies about some data breaches that exposed personally identifiable information.
Congress repealed the
regulations under the Congressional Review Act -- a 1990s statute that gives federal lawmakers the power to revoke regulations passed by agencies.
That statute also provides that an agency can
never again issue regulations that are “substantially” similar to ones revoked by Congress.
Congress has only rarely used the Congressional Review Act, and it's not clear how
courts will determine when new rules are “substantially” the same as revoked ones.
The broadband groups argue that the new data-breach rules and the ones passed in 2016 are
substantially the same because both sets of regulations deal with breaches that could expose “personally identifiable information.”
In the past, the FCC's rules regarding data
breaches covered only exposure of a narrow category of data -- “customer proprietary network information,” meaning the phone numbers that subscribers called.
The FCC hasn't yet
filed its argument with the 6th Circuit.
This current dispute, while over a relatively narrow consumer protection measure, could offer a preview of what could be a much larger battle over
broadband privacy.
The FCC recently indicated it's gearing up to issue rules that could restrict providers' ability to harness subscriber data.
Last month, the agency said in its
ruling restoring the Obama-era net neutrality rules that broadband providers
are “situated to collect vast swaths of sensitive information about their customers, including personal information, financial information, precise location information, and information
regarding their online activity.” (The net-neutrality rules prohibit providers from blocking or throttling traffic, and from charging higher fees for prioritized delivery.)
The agency added that it was “concerned” that without new rules, internet service providers “have minimal incentive to adopt
adequate administrative, technical, physical, and procedural safeguards to protect their customers’ data from improper or excessive uses by providers themselves, or from further disclosure and
misuse by third parties.”
Should the FCC pass new privacy rules, the broadband industry will almost certainly make the same arguments against them that it is raising against the
data-breach disclosure regulations.
The FCC hasn't yet floated specific regulations, but Chair Jessica Rosenworcel previously voted in favor of the Obama-era privacy restrictions.
She
also has repeatedly suggested that carriers shouldn't allowed to sell customers' geolocation data, and recently voted to fine AT&T, Verizon and T-Mobile nearly $200 million for allegedly selling
access to location data.