Broadband Privacy Regulations Need to Be Revised by FCC or Repealed by Congress

Last November, the Federal Communications Commission issued new rules governing Internet service providers’ privacy practices. These rules followed a notice of proposed rulemaking issued by the FCC in early 2016. Last summer, CEI submitted joint comments with TechFreedom in response to this proposal, in which we explained how the FCC’s proposed rules exceeded the agency’s legal authority and were unwise as a policy matter.

Days after the FCC issued its new rules, Donald Trump was elected President of the United States. Upon his inauguration, he designated FCC Commissioner Ajit Pai as chairman of the agency. A few weeks ago, Chairman Pai—joined by Republican FCC Commissioner Mike O’Rielly—voted to stay a portion of the FCC’s privacy rules dealing with data security. Also this month, members of Congress in both the Senate and the House of Representatives have introduced resolutions to undo the FCC’s privacy rule.

Last week, CEI submitted comments to the FCC regarding several petitions filed earlier this year urging the agency to reconsider its privacy rules (TechFreedom also filed comments last week). Our reply doesn’t address all of the many arguments we raised last year, but instead focuses on the FCC’s failure to consider a crucial legal problem with its privacy rules.

Specifically, the rules purport to dictate the circumstances in which broadband providers may use the contents of their subscribers’ communications. The rules mandate that providers obtain “opt-in consent” before “using or sharing sensitive customer [personal information],” which includes the contents of subscriber communications. The FCC claims that it has the authority to impose this requirement under Section 222 of the Communications Act.

But Section 222 doesn’t address how providers may intercept or use the contents of their subscribers’ electronic communications. Congress has addressed this matter in another federal law: the Wiretap Act, which is administered not by the FCC, but by the courts. This law reflects Congress’s judgment regarding when a provider may intercept or use the contents of electronic communications that are transmitted over its facilities.

Under the Wiretap Act, a subscriber must consent before a provider may intercept or use the contents of that subscriber’s electronic communications—but courts have construed this consent requirement very differently than the FCC’s formulation laid out in the Order. Whereas the Wiretap Act recognizes that a subscriber “consents” when she expressly or implicitly manifests her assent to such interception, and may do so in a variety of ways, the FCC’s rules prescribe a rigid framework that all providers must follow to secure the requisite consent.

The rules thus conflict with Congress’s decision to authorize providers to intercept or use the contents of their subscribers’ communications with the consent of the subscriber as consent is defined by the Wiretap Act. Especially in light of Congress’s deliberate decision to place the Wiretap Act’s core provisions outside of the Communications Act, the FCC simply does not have the authority to rewrite the Wiretap Act to suit its policy preferences.

Hopefully, therefore, the FCC will revise its rules to comport with federal law—or, better yet, Congress will vote to reverse the rules using a Congressional Review Act resolution of disapproval.