Following actions by the Federal Communications Commission (FCC) to suspend the effective date of the FCC’s data security rules, the US Congress—pursuant to the Congressional Review Act—passed a resolution to block the implementation of the privacy and data security rules issued by the FCC under the administration of former President Barack Obama.
The FCC Privacy and Data Security Rules
On October 27, 2016, the FCC adopted privacy and data security rules applicable to broadband internet access service (BIAS) providers—based on the FCC's 2015 Open Internet Order—and other service providers subject to the FCC’s jurisdiction (the "Order"). Among other requirements, the Order established new standards for the collection and use of consumer data based on the data's sensitivity, set rules for notifying consumers of such collection and use, and created data security obligations that included data breach notification obligations.
Opt-In Consent
For "sensitive" information, the Order required affirmative opt-in consent from consumers prior to the use or sharing of certain data associated with such consumers. The Order provided example categories of "sensitive" information—including information related to health, precise geolocation, and children, financial information, Social Security numbers, web browsing and app usage history, call detail information, and content of communications. The opt-in consent requirement for the use and sharing of web browsing history and app usage marked a departure from the Federal Trade Commission’s existing privacy regime, which does not require a company to obtain a consumer's affirmative opt-in consent before using and sharing browsing history and app usage.
Data Security
The Order also established data security obligations for BIAS providers and other entities subject to the FCC's jurisdiction. Under the Order, telecommunications carriers would have had to employ "reasonable measures to protect customer [proprietary information] from unauthorized use, disclosure, or access," taking into account the nature of the carrier's size and activities, sensitivity of the collected data, and technical feasibility.
The FCC Stay
Under the new leadership of FCC Chairman Ajit Pai and in response to a stay petition filed by trade associations to allow the FCC time to address petitions for reconsideration of the Order, the FCC issued a temporary stay of the data security obligations of the Order on March 1. The stay did not address other aspects of the Order such as the notice and consent requirements or data breach notification rules. Following the latest congressional action, the stay and the petitions for reconsideration of the Order are now moot.
The Congressional Vote
On March 23, the US Senate passed Senator Jeff Flake's joint resolution of disapproval of the Order pursuant to the Congressional Review Act (CRA). The CRA, which gives Congress 60 session days after the submission of a new rule to Congress from a federal agency like the FCC to prevent such rule from becoming effective, is being utilized in attempts to "undo" several Obama administration rules.
The Senate's joint resolution of disapproval of the Order passed the US House of Representatives on March 28. Once signed by President Donald Trump—which is likely to occur based on White House support—the Order will not take effect, and the FCC may not adopt a rule that is "substantially the same" as the Order.