FCC Appears Poised to Take Hard Look at Provider Data Practices
The FCC appears increasingly likely to take a deeper dive into the data retention and privacy policies of wireless carriers. In recent days, Chairwoman Jessica Rosenworcel sent follow-up letters of inquiry to major wireless carriers and mobile virtual network operators, asking for documents and including further, highly detailed questions about their policies (see 2209070077).
Rosenworcel also circulated for a commissioner vote the fines proposed in 2020 notices of apparent liability against the then-four national wireless carriers for failing to safeguard data on their customers' real-time locations (see 2002280065).
Public interest groups have made clear they hope the inquiries will mean greater focus on consumer protection (see 2208220054).
“We applaud the FCC’s efforts to protect people’s privacy by enforcing a federal law designed to protect data we hand over to phone companies, and by taking steps to limit how long those companies keep our data,” emailed Electronic Frontier Foundation Legislative Associate Chao Jun Liu: “This data is intensely personal and the longer it is retained, the greater the risk that it will be misused. This is why it’s essential that the FCC retain its legal authority to protect people’s privacy.”
Others say the FCC’s authority to proceed isn’t clear. They note that five years ago, Congress rejected ISP privacy rules approved under former Chairman Tom Wheeler, through a Congressional Review Act resolution (see 1704040059). The House Commerce Committee is considering bipartisan privacy legislation (see 2207200061) and the FTC recently sought comment on privacy rules (see 2208110068). The FCC declined comment.
“The commission tests, and certainly may exceed, the boundaries of its authority and its expertise whenever it delves into data retention and privacy issues,” former Commissioner Mike O’Rielly told us. “Congress addressed this and rejected FCC actions not too long ago for broadband providers,” he said: “Exactly how that squares with the commission’s latest activity will have to be explored. Just because the issues are interesting, timely, or of interest, doesn’t mean the commission is best [suited] to decide, regulate, or enforce them.”
“This looks like the FCC trying to get into privacy regulations through the back door,” said Recon Analytics’ Roger Entner: “The unresolved question is if this is an FCC matter or an FTC matter.”
“It's unclear what the endgame is on these requests and the subsequently announced investigation,” emailed ITIF Broadband and Spectrum Policy Director Joe Kane. “Transparency is good, but without concrete indications of what the commission believes carriers are doing wrong, it's hard to tell whether this is a warranted crackdown on bad actors or a fishing expedition looking to find a way to wield the vague but popular banner of ‘privacy’ against ‘big business’ network operators,” he said.
The federal government should have a single privacy regulator, said Jonathan Cannon, R Street fellow-technology and innovation and a former acting adviser to Commissioner Nathan Simington. “Having duplicative agencies with their own policies for privacy is going to create unnecessary burdens and uncertainty,” he said: “If Congress passes a federal privacy law, it should include wireless carriers and telcos generally. FCC shouldn't preempt other laws to subject carriers to a different regime.”
“Assuming due process protections are in place, I don’t have a problem with investigating alleged privacy violations that are embodied in duly adopted laws or regulations,” said Free State Foundation President Randolph May. The concern is “Rosenworcel’s stepped-up activity in the privacy area may be spurred by a desire to bolster the FCC’s claim to exercise privacy authority over broadband service providers, wireless or otherwise,” he said: “In today’s digital marketplace environment, it makes sense that there should be a uniform enforcement regime applicable to all providers of broadband services and applications, including web platforms like Google and Facebook, and the FTC should be the body where such generic privacy enforcement authority should reside.”
The FCC's Title II authority over customer proprietary network information “allows the agency to investigate the data practices of the carriers as it relates to their telecommunications service, but there have been calls to shift more of this authority to the FTC as the expert agency for consumer protection,” said American Action Forum Technology and Innovation Policy Director Jeffrey Westling. The FCC “could be trying to make clear their intention to vigorously enforce the CPNI rules, and privacy more broadly, to send a message to Congress not to shift that authority away to the FTC,” he said.