We previously reported on the FCC’s 2016 Privacy Order, “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services” impacting Internet service providers’ data privacy practices and obligations and the corresponding timeline for compliance. Intervening events, however, have made the rules imposed by the 2016 Privacy Order moot. On June 26, 2017, the FCC adopted a new order providing guidance on reinstating the pre-2016 Privacy Order regulations. This order was issued pursuant to a joint resolution of Congress under the Congressional Review Act, signed by the President on April 3, 2017, disapproving the FCC’s 2016 Privacy Order. As a result, the 2016 Privacy Order has “no force or effect.” FCC Chairman, Ajit Pai, stated that the purpose of the new order is to “simply make clear that the privacy rules that were in effect prior to 2016 are once again effective.”
The Congressional Review Act was, until recently, a rarely used congressional check on regulatory authority. It not only allows Congress to prevent new rules from taking effect, but also permits Congress to review and invalidate nascent rules within 60 legislative days of their promulgation. According to Commissioner Clyburn, “[t]his is the first time this legislative tool has ever been used on a set of FCC rules.” The Government Accountability Office provides a useful overview of the history of the CRA.
According the FCC’s new order and a related press release, the Code of Federal Regulations will be updated to reflect the reinstatement of the pre-2016 Privacy Order rules. This will be done without notice or public procedure and “will be effective immediately upon publication in the Federal Register.” The reinstated rules can be found here in Appendix A. The FCC noted that this includes “annual compliance certification requirements and recordkeeping requirements,” which carriers must comply with by March 1, 2018.