Export Compliance Daily is a Warren News publication.
'Big, Big Deal'

Rosenworcel Approach on Data Privacy Raising Jurisdictional Issues for FCC

The reaction has been muted to FCC Chairwoman Jessica Rosenworcel's speech Wednesday launching a Privacy and Data Protection Task Force and urging a more aggressive approach by the agency on data privacy (see 2306140075). But some observers questioned how far the FCC can go under its legal authority to regulate privacy. Rosenworcel said Wednesday sections 222 and 631 of the Communication Act provide the grounding for FCC action. Congress rejected ISP privacy rules approved under former Chairman Tom Wheeler, through a Congressional Review Act resolution (see 1704040059).

Sign up for a free preview to unlock the rest of this article

Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.

The FCC’s authority over data privacy is “circumscribed and those boundaries should be respected, so I’m not sure a new task force is needed to carry out the authority the agency currently possesses,” emailed Free State Foundation President Randolph May. Congress should enact instead a federal privacy law “that establishes cross-cutting uniform privacy safeguards applicable across various industry segments, with special protections as appropriate, for example, for financial and medical information and the like,” he said.

FCC authority to regulate privacy is “disputed,” HWG’s Adrienne Fowler said in a Center for Democracy and Technology panel after Rosenworcel spoke. Section 222 covers primarily consumer proprietary network information, which is “information that’s related to the duration, use, destination and other technical information related to the use of telecommunications service,” Fowler said.

Rosenworcel suggests a broader definition of CPNI, saying it includes the collection of information that’s used to provide data and mobile phone service, Fowler said: “There’s dispute over whether that is the case or whether the definition of CPNI” covers only “information that’s made available to the carrier solely by the provision of the telecommunications service, whether that limits the FCC’s ability to classify, for example, mobile geolocation information as CPNI.”

Section 222 is “a use-based statute where you are entitled to use and disclose CPNI for the purposes of providing the telecommunications service to which a subscriber has subscribed and a number of other preapproved reasons like preventing use of telecommunications services for fraudulent purposes,” Fowler said. Section 631 is similarly a privacy statute that’s “use-based, that authorizes certain uses of cable and satellite TV customer information and uses beyond those preapproved uses require customer consent,” she said.

The FCC also has other authorities, especially under 47 U.S. Code Section 605, countered Public Knowledge Senior Vice President Harold Feld. The section is part of the original Communications Act of 1934 and “builds on traditional common carrier ideas of privacy,” he said. It’s “sort of a general privacy statute that prohibits the publishing of any information about a communication, including the actual fact of the communication,” he said. The provision “has rarely been invoked,” he said.

The FCC also has Section 201 authority, “which prohibits unjust and unreasonable rates and practices,” Feld said. In the 2015 TerraCom and YourTel order (see 1507090035), the FCC “pointed out that failing to take basic precautions with regard to protection of personal information was also a violation of section 201 for common carriers,” he said: “The commission has suggested in other places that it retains rulemaking under section 201, at least with regard to common carriers, which include of course mobile phones for the voice component.”

The FCC could certainly be more aggressive,” said Caitriona Fitzgerald, Electronic Privacy Information Center deputy director. “They haven’t been very active in using their consumer privacy authorities and even where they’ve taken initial action in the past, follow through hasn’t really been there,” she said.

Fitzgerald cited the 2020 proposed fines against major carriers for illegally selling their customers’ location data, which has yet to lead to fines (see 2002280065). Rosenworcel sought a vote on proposed fines last year (see 2212190055). “That was the strongest action we’ve seen in recent years from the FCC, but as the chairwoman noted there’s been no follow up,” Fitzgerald said: “There’s really been no consequences.” The lack of approved fines raises questions about the legal positions taken by the FCC in the notices of apparent liability, she said.

There might have been little reaction" to Rosenworcel's privacy announcement "but it’s a big, big deal,” former FCC Commissioner Michael Copps told us Thursday. Rosenworcel “is right on target in moving this,” Copps said: The lack of data privacy and strong regulatory oversight for the use of personal data “is taken advantage of every day by bad actors looking to influence what remains of our democratic process. I hope this new task force will lead to effective action. And maybe it can even encourage Congress to address this whole vital area of privacy and data policy.”

Former Commissioner Mike O’Rielly noted jurisdictional lines and privacy are something he has long focused on. “I was somewhat surprised by some of the language and tone used, and will be on the lookout to see if the new task force will be used merely as a stalking-horse to blast industry providers, rather than actually helping consumers,” O’Rielly said. Privacy is complicated and “deserves thoughtfulness” and balance, “especially given the constantly changing dynamic consumer markets,” he said.

Expect to see more activity in this realm coupled with the FCC's interest in AI and blockchain,” predicted another former FCC member, Robert McDowell. “Questions regarding the FCC's statutory authority versus other agencies like the FTC will always be with us,” he said.

Consumers say they want data privacy, but “they behave differently and whenever they have the choice between data privacy and saving a buck, they betray what they say,” emailed Recon Analytics’ Roger Entner. Entner doesn’t see a significant role for the FCC, compared with the FTC, which can regulate every company involved and ensure “an even playing field.” Carriers aren't the worst offenders, he said. Selectively targeting telecom providers “just strengthens the hands of the companies whose entire business model is based on selling people’s private information,” he said.