As he rushes to accomplish his list of objectives before the change in administrations, FCC Chairman Tom Wheeler was able to cross one off that list last week. For the first time, the FCC imposed privacy requirements on providers of broadband internet access services (BIAS). The much-anticipated Order requires BIAS providers to notify customers about the types of information the BIAS providers collect about their customers; how and for what purposes the BIAS provider uses and shares this information; and in some circumstances requires customer consent for the use and sharing of this information. This order was an outgrowth of the FCC’s 2015 Open Internet Order, which reclassified BIAS as a telecommunications service and wrested privacy jurisdiction from the Federal Trade Commission.
In a recently issued Notice of Proposed Rulemaking, the FCC asked for comments on proposed rules that would apply the traditional privacy requirements of the Communications Act to providers of broadband Internet access services. This proceeding is an outgrowth of the FCC’s decision last year in the Open Internet Order to reclassify broadband as a telecommunications service, subject to certain requirements under Title II of the Communications Act. Specifically, Section 222 of the Act imposes privacy obligations on telecommunications carriers and, in this proceeding, the FCC is considering whether to apply those rules, or other rules that might be more applicable to protect consumers, to providers of Internet access services.
The proposed rules focus on transparency, choice and data security. According to the FCC, adoption of the rules will ensure that consumers (i) have the information needed to understand what data broadband providers are collecting and what they do with that information, (ii) can decide how their information is used, and (iii) are protected against the unauthorized disclosure of their information.
- Transparency. The FCC expects that broadband providers’ privacy policies would include disclosure of what information they collect and for what purpose, what information is shared and with whom, and how consumers can opt in or out of use and sharing of their personal information.
- Choice. The proposed rules allow the use of personal information as needed to provide broadband services and for other purposes that make sense within the context of the service provider-customer relationship. They also allow service providers to use customer personal information to market other communications services unless the consumer opts out of such usage, but require specific opt-in approval from customers before broadband providers can share customer information with third parties that do not offer communications services. The proposed rules include mechanisms to document customer opt-in and opt-out choices and provisions on how to notify customers of privacy policies.
- Data Security. Broadband providers would be required to ensure the security, confidentiality and integrity of any customer information they receive. This would include requirements for regular risk management assessments and training of employees that handle customer information. The NPRM also proposes to require broadband providers to notify affected customers within ten days of the discovery of a data breach that triggers customer notification requirements, and seeks comment on whether broadband providers should also notify customers after discovery of conduct that could reasonably be tied to a breach. Further, the NPRM proposes to require broadband providers to notify the FCC of all data breaches, and to notify other federal law enforcement of breaches that impact more than 5,000 customers. The NPRM proposes to require notification to federal law enforcement within seven days of discovery of such a breach, and three days before notification to the customer, and would allow law enforcement to seek delay of customer notification. Broadband providers would be required to keep records of any data breaches and notifications for a minimum of two years.
The FCC suggested that it broadly wants to protect personally identifiable information, which, in the broadband context, would include any information that is linked or linkable to an individual and is acquired by the service provider in connection with its provision of broadband services. This could include: (1) service plan information, including type of service (e.g., cable, fiber, or mobile), service tier (e.g., speed), pricing, and capacity (e.g., information pertaining to data caps); (2) geo-location; (3) media access control (MAC) addresses and other device identifiers; (4) source and destination Internet Protocol (IP) addresses and domain name information; and (5) traffic statistics. The FCC seeks comments on whether other types of information should also be protected, including port information, application headers, application usage and customer equipment information.
The FCC acknowledged that there are existing state privacy laws that could overlap with the proposed rules. To resolve any conflicts, the proposed rules would preempt state laws that were inconsistent with the FCC’s rules—with the FCC making preemption determinations on a case-by-case basis. In addition, the rules would prohibit broadband providers from conditioning the offering of service, or the continuation of services, on a customer’s agreement to waive privacy rights guaranteed by law or regulation.
The proposed rules, like the Open Internet Order itself, drew dissents from Republican Commissioners Pai and O’Rielly. They question the FCC’s jurisdiction to regulate Internet service providers, suggest that the Federal Trade Commission has established standards and precedents to protect consumer privacy, and question whether any rules can be effective that are not also applied to edge and content providers, such as Netflix and Twitter. The Open Internet Order is currently being appealed in the United States Court of Appeals for the DC Circuit, and a decision is expected within the next three months.
Comments on the proposed rules are due May 27, 2016. Reply Comments are due June 27, 2016.
The FCC today released its much anticipated Open Internet Order. While it will take some time to digest the 313-page decision (though the new rules only total eight pages), here is a brief summary of the highlights:
- No Blocking. The Order prohibits providers of broadband Internet access services (“broadband services”) from blocking lawful content, applications, services, or non-harmful devices, subject to reasonable network management.
- No Throttling. The Order prohibits providers of broadband services from impairing or degrading lawful Internet traffic on the basis of content, application or service, or use of a non-harmful device, subject to reasonable network management. This includes no degradation of traffic based on source, destination, or content and prohibits singling out content that competes with the broadband provider’s business model.
- No Paid Prioritization. The Order prohibits paid prioritization, which the FCC views as the management of a broadband provider’s network to directly or indirectly favor some traffic over other traffic, including through use of techniques such as traffic shaping, prioritization, resource reservation, or other forms of preferential traffic management, either (a) in exchange for consideration (monetary or otherwise) from a third party, or (b) to benefit an affiliated entity.
- No Unreasonable Interference. The Order also prohibits broadband providers from unreasonably interfering with or unreasonably disadvantaging (i) end users’ ability to select, access, and use broadband Internet access service or lawful Internet content, applications, services, or devices of their choice, or (ii) edge providers’ ability to make lawful content, applications, services, or devices available to end users. The FCC indicates that reasonable network management will not violate this rule.
- Reasonable Network Management. The Order defines reasonable network management as follows:
A network management practice is a practice that has a primarily technical network management justification, but does not include other business practices. A network management practice is reasonable if it is primarily used for and tailored to achieving a legitimate network management purpose, taking into account the particular network architecture and technology of the broadband Internet access service.
- Enhanced Transparency. The rule adopted in 2010, and upheld on appeal, remains in effect. Specifically, broadband providers must accurately disclose information regarding network management practices, as well as performance and commercial terms sufficient for consumers to make informed choices regarding use of the service. The rule has been enhanced by: adopting a requirement that broadband providers always disclose promotional rates, all fees and/or surcharges, and all data caps or data allowances; adding packet loss as a measure of network performance that must be disclosed; and requiring specific notification to consumers that a “network practice” is likely to significantly affect their use of the service. The FCC granted a temporary exemption from these enhancements for small providers (defined for the purposes of this temporary exception as providers with 100,000 or fewer subscribers), and asked the Consumer & Governmental Affairs Bureau to adopt an Order by December 15, 2015 deciding whether to make the exception permanent and, if so, the appropriate definition of “small”.
- Scope of Rules. The FCC clarified that the rules apply to both fixed and mobile broadband Internet access service. The focus is on the consumer-facing service which that FCC defines as:
A mass-market retail service by wire or radio that provides the capability to transmit data to and receive data from all or substantially all Internet endpoints, including any capabilities that are incidental to and enable the operation of the communications service, but excluding dial-up Internet access service. This term also encompasses any service that the Commission finds to be providing a functional equivalent of the service described in the previous sentence, or that is used to evade the protections set forth in this Part.
The definition does not include enterprise services, virtual private network services, hosting, or data storage services. The definition also does include the provision of service to edge providers.
- Interconnection. Because broadband service is classified as telecommunications, the FCC indicates that commercial arrangements for the exchange of traffic with a broadband provider are within the scope of Title II, and the FCC will be available to hear disputes raised on a case-by-case basis. The Order does not apply the Open Internet rules to interconnection.
- Enforcement. The FCC may enforce the Open Internet rules through investigation and the processing of complaints (both formal and informal). In addition, the FCC may provide guidance through the use of enforcement advisories and advisory opinions, and it will appoint an ombudsperson on the subject. The Order delegates to the Enforcement Bureau the authority to request a written opinion from an outside technical organization or otherwise to obtain objective advice from industry standard-setting bodies or similar organizations.
- “Light touch” Title II. While reclassifying broadband services under Title II of the Communications Act, the FCC forbears from applying more than 700 codified rules, including no unbundling of last-mile facilities, no tariffing, no rate regulation, and no cost accounting rules. The FCC also states that reclassification will not result in the imposition of any new federal taxes or fees; the ability of states to impose fees on broadband is already limited by the congressional Internet tax moratorium. The FCC, however, does not forbear from Sections 201 (prohibiting unreasonable practices), 202 (prohibiting unreasonable discrimination), 208 (for filing complaints), Section 222 (protecting consumer privacy), Sections 225/255/251(a)(2) (ensuring access to services by people with disabilities), Section 224 (ensuring access to poles, conduits and attachments), and Section 254 (promoting the deployment and availability of communications networks (including broadband) to all Americans; except that broadband providers are not immediately required to make universal service contributions for broadband services.
The new rules will not go into effect until they have been published in the Federal Register. That publication also starts the clock for parties that want to file petitions for reconsideration or appeals of this decision. With more than 4 million comments filed in the proceeding, you would have to think someone will not be happy with this Order.
The August 20, 2013 Federal Register (“FedReg”) included a notice officially establishing the comment and reply cycle associated with the Federal Communications Commission’s (“FCC” or “Commission”) recently released Modernizing the E-Rate Program for Schools and Libraries Notice of Proposed Rulemaking (“NPRM”).1 According to the FedReg notice, comments are due September 16, 2013 and reply comments are due October 16, 2013. This is the Commission’s latest effort to modernize and streamline the E-Rate program.
The catalyst for this ambitious initiative is President Obama’s ConnectED initiative (the “Initiative”)2, which establishes that within five years 99 percent of U.S. students will have access to broadband and high-speed Internet access (at least 100 MBPS with a goal of 1 GPS within five years) within their schools and libraries. The Initiative includes: 1) providing the training and support for teachers needed for the effective use of technology in the classroom and 2) encouraging the development and deployment of complimentary devices and software to enhance learning experiences and 3) resurrecting the U.S. as a world leader in educational achievement.
The E-rate program was created in 1997 to “ensur[e] that schools and libraries ha[d] the connectivity necessary to enable students and library patrons to participate in the digital world.”3 According to the NPRM, the program commenced when “only 14 percent of the classrooms had access to the Internet, and most schools with Internet access (74 percent) used dial-up Internet access.”4 Seven years later, “nearly all schools had access to the Internet, and 94 percent of all instructional classrooms had Internet access.” A year later, “nearly all public libraries were connected to the Internet….”5
The E-rate program requires recipients to file annual funding requests. Those funding requests are categorized as either Priority One or Priority Two. Priority One funds may be applied to support telecommunications services, telecommunications and Internet access services, including but not limited to, digital transmission services, e-mail services, fiber and dark fiber, interconnected VoIP, paging, telephone service, voice mail service and wireless Internet access. Priority Two funds are allocated for support of internal connections, including, but not limited to, cabling/connectors, circuit cards and components, data distribution, data protection, interfaces, gateways and antennas, servers and software. The funds are calculated as discounts for acquiring, constructing and maintaining the services. Discount eligibility, which ranges between 20-90 percent, is established by the recipient’s status within the National School and Lunch Program (“NSLP”) or an “alternative mechanism”.6 The NPRM indicated that, “the most disadvantaged schools and libraries, where at least 75 percent of students are eligible for free or reduced price school lunch, receive a 90 percent discount on eligible services, and thus pay only 10 percent of the cost of those services.”7
The advent of high-capacity broadband has transformed Internet access into a portal by which students can experience interactive and collaborative learning experiences regardless of their geographic (rural or urban) location while preparing them to “compete in the global economy.”8 As with most improvements, this transformation is encumbered in the ways and means for acquiring, constructing and maintaining such technology. The E-rate program, including its administration and funding provisions, has remained relatively unchanged since 1997. The initial, and still current, cap on funding was $2.25 billion dollars. The FCC has indicated that requests for funding have exceeded that cap almost from the beginning. In 2013, requests for E-rate funding totaled more than $4.9 billion dollars.
Article continues — the full article can be found at FCC Commences E-Rate Program Overhaul.
The Commission’s Implementation of the Twenty-First Century Communications and Video Accessibility Act of 2010 Initiates a Two-Year Deadline for Providers of Advanced Communications Services and Manufacturers of Equipment Used in Advanced Communications Services to Comply with Disabilities Access Requirements.
The Federal Communications Commission (the “Commission”) recently adopted a Report and Order (“R&O”) and Further Notice of Proposed Rulemaking (“FNPRM”) implementing Section 104 of the Twenty-First Century Communications and Video Accessibility Act of 2010 (the “CVAA”), codified as Sections 716, 717 and 718 of the Communications Act of 1934, as amended (the “Act”). The purpose of the CVAA is to “ensure that people with disabilities have access to the incredible and innovative communications technologies of the 21st century.”
Prior to the passage of the CVAA, and pursuant to Section 255 of the Act, the Commission imposed disabilities access requirements on manufacturers of telecommunications equipment (including answering machines, pagers and telephones) and providers of telecommunications services. In 2007, the Section 255 requirements were extended to providers of interconnected VoIP services and manufacturers of VoIP equipment. The CVAA expands the Commission’s regulatory authority to historically unregulated providers of advanced communications services (“ACS”) and manufacturers of equipment used for ACS (collectively the “Covered Entities”) and codifies the requirement as it applies to interconnected VoIP.
ACS includes interconnected VoIP, noninterconnected VoIP, electronic messaging service and interoperable video conferencing services, which are defined as:
- Interconnected VoIP: a service that (1) enables real-time, two-way voice communications; (2) requires a broadband connection from the user’s location; (3) requires Internet protocol-compatible customer premises equipment (“CPE”); and (4) permits users generally to receive calls that originate on the public switched telephone network (“PSTN”) and to terminate calls to the PSTN.
- Noninterconnected VoIP: a service that (i) enables real-time voice communications that originate from or terminate to the user’s location using Internet protocol or any successor protocol; and (ii) requires Internet protocol compatible customer premises equipment” and “does not include any service that is an interconnected VoIP service.
- Electronic Messaging Service: “means a service that provides real-time or nearreal-time non-voice messages in text form between individuals over communications networks. This service does not include interactions that include only one individual (human to machine or machine to human communications).
- Interoperable Video Conferencing Services: services that provide real-time video communications, including audio, between two or more users. This service does not include video mail. The Commission has sought additional comment, pursuant to the Further Notice of Proposed Rulemaking, regarding the definition and application of “interoperable”.
The Commission clarified that the regulations implemented pursuant to the CVAA “do not apply to any telecommunications and interconnected VoIP products and services offered as of October 7, 2010.” The R&O also indicates that any regulated equipment or service offered after October 7, 2010 may be governed by both Sections 255 and 716.
The CVAA established, among other things, a phased compliance timeline due to the financial and technical burdens associated with developing and implementing technological changes required by the CVAA. Covered Entities must comply with Sections 716 and 717 within one year of the effective date. Section 718 compliance must be achieved within two years of the effective date or no later than October 8, 2013. The CVAA also includes long-term reporting obligations, enforcement procedures, limitations on liability for violations and finite compliance deadlines. The Commission decided that the rules, as implemented, would not include any safe harbors or technical standards at this time. Finally, the Commission determined that when implementing the CVAA, its rules should include opportunities for waivers and self-executing exemptions.
In a series of actions within the last five days, the FCC has focused its enforcement attention on cramming — the unauthorized placement of fees onto a consumer’s monthly phone bill by its own phone provider or an unaffiliated third party. These charges could be for telecommunications products and services but could also be for cosmetics or diet products. At an event in Washington, DC on June 20th, FCC Chairman Julius Genachowski announced the launch of a major new effort to educate consumers about cramming and plans for a proceeding that will empower consumers to better protect themselves from cramming. The FCC estimates that up to 20 million Americans may be victims of cramming each year.
In a series of Notices of Apparent Liability (NAL) released last week, the FCC issued fines between $1.5 and $4.2 million against four telephone service providers for cramming. These charges usually range from $1.99 to $19.99 per month and may go undetected for months. To reinforce its concerns about cramming, the FCC also released an Enforcement Advisory stating that “it has acted on four major investigations involving cramming” which it said is an “unjust and unreasonable” practice under Section 201(b) of the Communications Act. The Advisory also stated that the telecom providers “had apparently engaged in constructive fraudulent activity as part of a plan to place charges on consumers’ phone bills for services that the consumers neither requested nor authorized.”
According to a News Release issued last week, the four telecom providers, all headquartered in Pennsylvania, defrauded consumers by billing them for unauthorized dial-around services (a form of long distance service that allows a customer to use a different carrier than the one presubscribed to the telephone number). According to the News Release, 99.9% of the billing charges levied by the alleged violators were bogus. In one NAL, the FCC stated that one of the telecom providers billed “as many as 18,571 consumers monthly, during which time no more than 22 consumers (or 0.1 percent) ever actually used its service.”
According to the NALs, all four telecom providers employed identical Internet-only solicitation and online enrollment for services utilizing the same billing aggregator. The telecom providers practiced the same method of customer verification, which did not include sending “reply required” confirmation e-mails. When consumers later challenged the monthly charges, the telecom provider stated that as part of its customer verification process, it merely confirmed that the consumer’s name and/or address contained on the online enrollment form matched the telephone number provided on the online enrollment form, or confirmed that the IP address provided on the online enrollment form was within a 100 mile radius of the name, address and telephone number included in the online registration.
Continue reading →