In an Order adopted yesterday, the FCC partially stayed rules requiring broadband Internet Service Providers (ISPs) to implement reasonable data security practices to protect their customers’ privacy. These rules, adopted in October 2016, were scheduled to become effective today, March 2. By the end of January 2017, the FCC had received 11 petitions to reconsider the 2016 Privacy Order, as well as one petition filed by nine trade associations requesting that the FCC stay the rules.

The partial stay will provide interim relief from the data security rules until the FCC can act on the petitions for reconsideration that are still outstanding. The stay does not impact other broadband privacy rules that became effective January 3, 2017, and does not take action on new notice requirements, customer approval requirements, and data breach notification requirements, which are all still pending Office of Management and Budget approval under the Paperwork Reduction Act.

The associations’ stay petition argued that the FCC’s interpretation of “reasonable” data security practices differs from the Federal Trade Commission’s (FTC) standards, and that ISPs have voluntarily committed to adhering to the FTC standards. The FCC agrees that based on language in the 2016 Privacy Order, the data security requirements, as they currently stand, would subject ISPs to more burdensome regulations than other participants in the Internet ecosystem are subjected to by the FTC. Further, a majority of the current FCC commissioner body dissented from the 2016 Privacy Order, including Chairman Pai.

The FCC also acknowledges that the resources broadband providers and other telecommunications carriers would be required to devote to complying with the “too broad” and “too vague” data security measures are substantial, and the providers are already obligated to comply with Section 222 of the Communications Act, and other applicable federal and state privacy, data security and breach notification laws.

JSI remains committed to assisting interested clients understand their privacy obligations. Our broadband privacy team can assist companies with any questions or staff training. Please contact John Kuykendall in JSI’s Maryland office at 301-459-7590 or Dee Dee Longenecker in JSI’s Texas office at 512-338-0473 for more information.

Source: JSI e-Lert