On March 1, 2017, the Federal Communications Commission (FCC) stayed the data security regulations from its 2016 Broadband Privacy Order, which would have required broadband Internet access service providers to “take reasonable measures to protect customer [proprietary information] from unauthorized use, disclosures, or access.” The Privacy Order would have allowed the FCC to look beyond the Federal Trade Commission’s (FTC’s) interpretation of “reasonable measures” with respect to the privacy practices of broadband Internet access service providers and take into account other privacy regimes such as the Health Insurance Portability and Accountability Act and the Gramm Leach Bliley Act. The FCC found that the petitioners who requested the stay were “uniquely likely to succeed on their claim … that this requirement sweeps too broadly and too vaguely, ‘substantially widening the uncertainty and compliance burdens imposed upon ISPs relative to all other Internet entities and heightening the risks of different interpretations.’”
That same day, FCC Chairman Ajit Pai and Acting FTC Chairman Maureen Ohlhausen issued a joint statement criticizing the FCC’s 2015 Open Internet Order, which effectively stripped the FTC of its authority over broadband Internet service providers by reclassifying broadband Internet access as a telecommunications service. In their joint statement, the chairmen departed from the Open Internet Order’s removal of “an effective cop from the beat” and stated, “We still believe that jurisdiction over broadband providers’ privacy and data security practices should be returned to the FTC, the nation’s expert agency with respect to these important subjects. All actors in the online space should be subject to the same rules, enforced by the same agency.” It seems that the FCC is stepping back from privacy and security regulation in favor of the FTC, and businesses and consumers will have to wait to see how the two agencies “work together” to fill the gap.