Since 2014, the Federal Communications Commission (FCC) has engaged in an increasing number of privacy and data security enforcement actions. The scope of the Commission’s jurisdiction over carriers has also dramatically increased – at least temporarily – following its recent net neutrality order, which reclassified broadband Internet access service as a telecommunications service under Title II of the Communications Act of 1934. As a result, the FCC has emerged as a new and potentially aggressive regulator in the consumer privacy and data security space, a role previously occupied primarily by the Federal Trade Commission (FTC). Although the FTC is statutorily prevented from exercising its “unfair or deceptive acts or practices” (UDAP) authority over carriers – Section 5 of the FTC Act explicitly carves out common carriers under the Communications Act from the FTC’s UDAP enforcement jurisdiction – the overlap and similarity in the FCC’s and FTC’s enforcement authority over data security and privacy created significant confusion among regulated entities, as broadband providers do not always function solely in that capacity.
It appears that the FCC and FTC recognize the overlapping nature of their respective enforcement roles in the data security and privacy space, as they entered into a new Consumer Protection Memorandum of Understanding (MOU) on November 16, 2015. Perhaps most notably, the MOU implies that common carriers regulated by the FCC will now be subject to oversight by both agencies. The agencies “express their belief that the scope of the common carrier exemption in the FTC Act does not preclude the FTC from addressing non-common carrier activities engaged in by common carriers.” Moreover, an “exercise of enforcement authority by the FTC” should not be interpreted to constitute a “a limitation on authority otherwise available to the FCC, including FCC authority over activities engaged in by common carriers and by noncommon carriers for and in connection with common carrier services,” and vice versa. Both commissions also agree to engage in “joint enforcement actions, when appropriate and consistent with their respective jurisdiction.” Although it is too soon to know whether such joint enforcement will amount to a material change from the current state of affairs, the threat of double oversight by two agencies actively engaged in data security enforcement is noteworthy.
Under the MOU, the two Commissions will also “continue to work together to protect consumers from acts and practices that are deceptive, unfair, unjust, and/or unreasonable.” According to the MOU, their collaboration will include (but is not limited to):
- Coordination on agency initiatives where one agency’s action will have a significant effect on the other agency’s authority or programs,
- Consultation on investigations or actions that implicate the jurisdiction of the other agency,
- Regular coordination meetings to review current marketplace practices and each agency’s work on matters of common interest that impact consumers,
- Regular meetings at which the agencies will exchange their respective learning about the evolution of communications markets,
- Sharing of relevant investigative techniques and tools, intelligence, technical and legal expertise, and best practices in response to reasonable requests for such assistance, and
- Collaboration on consumer and industry outreach and education efforts, as appropriate.
Finally, the Commissions agree to share consumer complaint data with one another, including via the FTC’s Consumer Sentinel Network, and to engage in “[f]ormal liaison meetings between appropriate senior officials of both agencies to exchange views on matters of common interest and responsibility.”