Recently, the U.S. Court of Appeals for the 9th Circuit issued a decision with profound implications for consumer privacy protection law. In FTC v. AT&T Mobility (9th Cir. Aug. 29, 2016), a 3-judge panel of the 9th Circuit held that the Federal Trade Commission (FTC) lacks jurisdiction over companies that engage in common carrier activity. The result is that there is now a gaping hole in consumer privacy protection law.
Ironically, if this decision isn’t reconsidered and if this hole isn’t patched up, the result will not be a great boon for companies falling outside of FTC regulation. Instead, in the long run, these companies will likely be much worse off. Everybody will lose — consumers and industry. There is nothing good about the 9th Circuit decision, which is foolhardy and naive, the product of abstract musings in the clouds without sufficient consideration of the consequences.
Background About the FTC
The FTC is the largest consumer protection agency in the United States, and it has taken the lead role in protecting privacy and data security. The FTC Act Section 5, 15 U.S.C. § 45, gives the FTC the power to enforce against “unfair or deceptive acts” affecting commerce.
Since the mid-1990s, the FTC has been enforcing Section 5 in cases involving privacy and data security. Deception and unfairness are two independent bases for FTC enforcement. During the past 20 years, the FTC has brought roughly 200 enforcement actions, the vast majority of which have settled.
Section 5(a)(2) contains a list of industries that are carved out from FTC jurisdiction. This list includes banks, airlines, and common carriers.
For more background about the FTC and privacy and security, see Daniel J. Solove & Woodrow Hartzog, The FTC and the New Common Law of Privacy, 114 Columbia Law Review 583 (2014) and Woodrow Hartzog & Daniel J. Solove, The Scope and Potential of FTC Data Protection, 83 George Washington Law Review (forthcoming 2015).
What Is a Common Carrier?
A “common carrier” is not defined in the FTC Act. So what is it? A “common carrier” is defined in the Communications Act of 1934, 47 U.S.C. § 153: “The term ‘common carrier’ or ‘carrier’ means any person engaged as a common carrier for hire, in interstate or foreign communication by wire or radio or interstate or foreign radio transmission of energy.” The Communications Act of 1934 was amended by Telecommunications Act of 1996, but this Act didn’t change the definition of common carrier. Common carriers are regulated by the Federal Communications Commission (FCC).
The FCC recently ruled that providers of broadband Internet should be classified common carriers. The main purpose of classifying broadband Internet providers as common carriers was to subject them to Title II of the 1996 Telecommunications Act, which regulates them as utilities. Broadband providers are thus subject to “net neutrality” and must treat all Internet traffic equally — they can’t throttle traffic from certain entities they do not favor. In a decision this summer, the U.S. Court of Appeals for the D.C. Circuit upheld the new FCC rules. United States TelecomAssociation v. FCC(D.C. Cir. June 14, 2016).
FTC v. AT&T Mobility
The FTC v. AT&T Mobility case involves an FTC Section 5 complaint against AT&T for throttling its unlimited mobile data customers without adequate notification or consent. AT&T argued that the FTC lacked jurisdiction because AT&T is a common carrier. The activities of AT&T in this case occurred before the new FCC rules deeming broadband providers to be common carriers, so at the time of the throttling in this case, AT&T’s broadband data service was not regulated by the FCC. Of course, other parts of AT&T’s business were classified as common carrier activities and regulated by the FCC.
The main issue in the case was whether AT&T should fall under the common carrier exception to FTC jurisdiction as a whole entity or whether only those activities of AT&T that are classified as common carrier should be exempted from FTC jurisdiction. Thus, is the common carrier exception to FTC jurisdiction activity-based or status-based? “Activity-based” means that only the common carrier activities are exempt from FTC jurisdiction; the FTC can regulate non-common carrier activities of AT&T. “Status-based” means that the business is deemed either wholly a common carrier or not a common carrier. If AT&T is a common carrier, then all its activities — even non-common carrier activities — are exempt from FTC jurisdiction.
The 9th Circuit panel concluded the latter — that the common carrier exemption from FTC jurisdiction was status-based. This means that if any portion of a company’s business is classified as a common carrier, then everything that company does falls outside of FTC jurisdiction. The court noted in passing that if the common carrier activity were a “minor division unrelated to the company’s core activities that generates a tiny fraction of its revenue,” then the situation might be different, but little elaboration was made on this point. It is clear, though, that anything more than a “tiny fraction” of common carrier activity will exempt the company from FTC jurisdiction — even if the vast majority of a company’s business is not common carrier activity.
This case has some very troubling implications. Many companies these days do not cleanly fall into categories established decades ago. Companies do not just provide phone service or Internet service or cable TV service. Instead, many companies engage in a huge array of activities. Take Google, for example. They provide Internet service, but it is only one of many services they provide. Yahoo and Facebook might also qualify as common carriers. The AT&T Mobility case threatens to exempt many of these companies from FTC jurisdiction. The court cavalierly failed to elaborate much on just how much common carrier activity triggers the status of common carrier. A “tiny fraction” of revenue isn’t much of a precise standard and doesn’t provide much guidance. But what it does imply is that any nontrivial amount of revenue from common carrier activity might trigger common carrier status and place a company totally outside of FTC jurisdiction.
But what’s so bad about that? Can’t the FCC regulate? The FCC regulates privacy and security of customer proprietary network information (CPNI) through the Telecommunications Act, 47 U.S.C. §222. But CPNI involves information received through the “provision of a telecommunications service.” That means that data obtained through non-telecomm activity isn’t covered. The result is that many, if not most, of the non common carrier activities of a company would not be regulated by the FCC or the FTC. They might thus not be regulated at all!
The lack of FTC jurisdiction means that there is no agency enforcing broken promises in privacy policies, or other deceptive statements. It means that there is no enforcement of Big Data activities. It means that companies such as Google might escape from consumer protection enforcement for privacy and security for the vast majority of their activities. So companies can just lay down some fiber and rid themselves of that annoying nagging FTC that holds them to their promises and makes sure that consumers are protected.
This is an awful decision for consumers. It strips the most important agency protecting privacy and security of its power to regulate some of the most powerful technology companies that have some of the largest repositories of data about consumers.
Why the Case Is Bad for Companies
Should companies be dancing in the streets? After all, the big bad FTC has been banished, and they can free themselves from the yoke of enforcement. In the short term, it seems great. Happy times!
But in the long term, this is very bad. Companies that have any nontrivial amount of common carrier activity will no longer be able to take advantage of Privacy Shield, a major method for transferring data from the EU to the US. Privacy Shield depends upon FTC enforcement, so entities not subject to it cannot take advantage of the Shield.
Moreover, the EU will not be pleased with the FTC’s major loss of jurisdiction. For the past 20 years, the FTC and the U.S. Department of Commerce (DOC) have been in a dialogue with the EU, trying to convince the EU that US privacy regulation is respectable and sufficient. A major part of the argument is the FTC’s enforcement activity. So now all those years of telling EU officials to look at how great FTC enforcement is will be wiped away because the FTC suddenly has lost a major chunk of its jurisdiction.
The very companies that have given EU regulators the most concern — companies like Google — are the ones that are affected by this decision. To the EU, Google is the paradigm case. If Google isn’t regulated anymore by the FTC, then EU regulators will view US privacy law as garbage. They don’t hold US privacy law in the highest esteem already, but the FTC and DOC have worked hard to change perceptions. But now, if this decisions stands, it is hard to imagine how the EU could possibly hold even a modicum of respect for US privacy law.
The EU has recently passed strict new data protection regulation — the General Data Protection Regulation (GDPR) which will impose very large fines — up to 4% of global turnover. I wonder how EU regulators will react when they can use these new enforcement powers and they see that the FTC can no longer enforce against many companies. Will the EU regulators be lax with these companies, happy that they fall outside of enforcement by the FTC? Or will the EU regulators make up for the lack of FTC enforcement by taking on a greater enforcement role themselves? My guess is the latter. The FTC cannot issue fines under Section 5 (unless there is a violation of a consent decree). The EU can issue enormous fines. My bet is that companies might soon find their wallet to be a lot lighter and start longing to have the FTC back on the beat.
I often scratch my head when I see companies challenging FTC enforcement power. This occurred in the Wyndham case, when Wyndham Worldwide challenged FTC enforcement authority over data security. Wyndham lost. I wonder what the endgame was here. If Wyndham had won, would that have meant a nice regulation-free zone? Maybe in the short term, but surely nature abhors a vacuum. Some other regulator would have stepped in. Whom might it be? The likely candidates to step up to the plate would be California or the EU — the strictest cops on the beat.
In my view, having spent a long time studying FTC privacy and security enforcement, I believe that it has been quite reasonable in most cases. The FTC generally goes after the low-hanging fruit. It generally enforces against companies that violate well-established industry norms. Its enforcement has, in my view, has been consistent and conservative. Basically, for industry, FTC privacy and security enforcement are close to as good as it gets. Yes, the FTC isn’t perfect for industry, but it’s quite good as regulators go. If you’re dealt a full house, don’t throw back the hand hoping to get better cards. Escape from regulation will be temporary. And the odds are that the toughest cops will be the ones who step in as replacements.
The FTC v. AT&T Mobility case is a silly shortsighted opinion. It interprets the law in a vacuum, failing to see it in light of how companies and industry are evolving, failing to see the bigger picture, failing to provide much clarification about the position it establishes, failing to consider the consequences. Legal interpretation shouldn’t be just an abstract exercise, done without considering the practical implications. It isn’t about concocting an interpretation that looks pretty in theory but awful in fact. Legal interpretation ought to be a pragmatic endeavor, one that interprets a law thoughtfully with an understanding of the consequences. This doesn’t mean that laws should be interpreted solely based on the consequences, but at least the consequences should be a consideration. In the FTC v. AT&T Mobility decision, however, the court barely utters a modicum of consideration of the consequences.
I have joined an amicus brief of many law professors urging the 9th Circuit to reconsider the panel decision en banc. This decision will do considerable damage if left to stand.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is a “LinkedIn Influencer.” His blog has more than 1 million followers.
Professor Solove is the organizer, along with Paul Schwartz of the Privacy + Security Forum (Oct. 4-6, 2017 in Washington, DC), an annual event that aims to bridge the silos between privacy and security.