Federal Communications Commission (FCC or Commission) Chairwoman Jessica Rosenworcel announced the formation of a Privacy and Data Protection Task Force (Task Force) at the FCC during a recent speech at the Center for Democracy and Technology Forum on Data Privacy. The Task Force will coordinate rulemaking, enforcement, and public awareness efforts across the Commission that concern privacy and data protection matters, including data breaches (such as those involving telecommunications providers) and vulnerabilities involving third-party vendors that service regulated communications providers. It remains to be seen, however, how the Task Force will coordinate with other government agencies that have considered privacy and data protection to be within their ambit of authority.
The Task Force’s Key Priorities
The details of the Task Force’s policy and enforcement priorities have not yet been clearly articulated. However, according to the FCC’s webpage on the Task Force, the Task Force’s work will include inquiry into the following:
- Telecom carrier, interconnected VoIP (Voice Over Internet Protocol), cable, and satellite provider responsibilities for privacy and data protection.
- Connections between privacy and data protection and supply chain integrity and vulnerabilities.
- The consequences of a breach in the supply chain (both to consumer privacy and entities that do not take reasonable steps to protect consumer information).
- Potential risks to national security through compromised supply chains.
Task Force Members
The Task Force is an FCC staff working group led by the Enforcement Bureau chief. In addition to Enforcement Bureau staff, the Task Force is made up of representatives from several other FCC divisions, including the Office of the Chairwoman, the Public Safety and Homeland Security Bureau, the Wireline Competition Bureau, the Consumer and Governmental Affairs Bureau, the Space Bureau, the Media Bureau, the Office of the General Counsel, the Office of the Managing Director, Office of International Affairs, Office of Engineering and Technology, and Office of Economics and Analytics.
Privacy and Data Protection Enforcement
The FCC has long protected certain data of telecommunications services consumers and brought enforcement actions for its unauthorized disclosure, but the scope of the Task Force appears to be an expansion of the FCC’s focus. The FCC regulates how telecommunications service providers protect so-called Customer Proprietary Network Information (CPNI). The CPNI regulations safeguard customer data related to the quantity, technical configuration, type, destination, and use of a telecommunications service. Additionally, the Commission enforces the Secure and Trusted Communications Networks Act, signed into law in 2020, which is designed to protect the nation's communication networks from potential risks posed by foreign suppliers. This act involves removing existing and preventing the future use of insecure telecommunications equipment and services, thereby securing consumers' personal data and the nation's communication infrastructure. More recently, on January 6, 2023, the FCC issued a Notice of Proposed Rulemaking (NPRM) to address the increasing number of data breaches in the telecommunications sector. As we summarized in a prior Update, the NPRM includes proposed updates to the Commission’s data breach rules and reporting requirements.
FCC Coordination With Other Government Agencies
It is unclear how closely the Task Force will work with other agencies in implementing policies and conducting enforcement actions related to privacy and data security. Historically, the Federal Trade Commission (FTC) has assumed the role as the leading federal agency focused on privacy and data protection issues. The FCC and FTC have previously entered into memorandums of understanding by which they have agreed to cooperate on consumer protection matters. Other federal agencies, such as the U.S. Department of Justice (DOJ) and the U.S. Securities and Exchange Commission (SEC), also act to mitigate and respond to privacy and cybersecurity risks within the scope of their authority. For now, the FCC states that it will utilize the rulemaking proceeding associated with the above-referenced NPRM to gather crucial information on important issues relevant to privacy and data security.
Reaction to the Data Privacy Task Force
The recent unveiling of the Task Force has elicited a mixed response. While some hail it as a positive move, others argue that the FCC lacks the authority to establish such a body. Critics like Randolph May, the president of the Free State Foundation, question the necessity of such a task force given the "circumscribed" authority of the FCC over data privacy matters. May suggests that "Congress should enact instead a federal privacy law." In contrast, supporters such as Caitriona Fitzgerald, deputy director at the Electronic Privacy Information Center (EPIC), see the Task Force as a positive step, saying, “The FCC could certainly be more aggressive. They haven’t been very active in using their consumer privacy authorities and even where they’ve taken initial action in the past, follow through hasn’t really been there.” Meanwhile, former FCC Commissioner Michael Copps regards Chairwoman Rosenworcel's announcement as a "big, big deal,” hoping that it will lead to effective action and potentially inspire Congress to address privacy and data policy.
Despite the mixed reaction, there appears to be a broad consensus that consumer data privacy requires renewed focus with the rapid development of digital communications technologies.
The authors wish to acknowledge the contributions of Summer Associate Dania Assas to this Update.
© 2023 Perkins Coie LLP