In a very important decision, FTC v. AT&T Mobility (9th Cir. 2018 en banc), the U.S. Court of Appeals for the 9th Circuit en banc reversed an earlier panel decision that severely limited the FTC’s jurisdiction to protect privacy and data security. I strongly criticized the panel decision in an previous blog post.
The FTC has taken the lead role in protecting privacy and data security through the FTC Act Section 5, 15 U.S.C. § 45, which prohibits “unfair or deceptive acts” affecting commerce. Section 5(a)(2) contains a list of industries that are carved out from FTC jurisdiction. This list includes banks, airlines, and common carriers. A “common carrier” is defined in the Communications Act of 1934, 47 U.S.C. § 153: “The term ‘common carrier’ or ‘carrier’ means any person engaged as a common carrier for hire, in interstate or foreign communication by wire or radio or interstate or foreign radio transmission of energy.” Common carriers are regulated by the Federal Communications Commission (FCC).
In FTC v. AT&T Mobility the FTC brought a Section 5 enforcement action against AT&T for a part of AT&T’s business that was not regulated by the FCC. However, the 9th Circuit panel concluded that the common carrier exception to FTC jurisdiction was status-based — it applied to common carriers no matter what activities they were engaged in. This means that if a company engages in a non-minor amount of common carrier activities, then everything that it does, including many activities beyond its functions as a common carrier, fall outside the FTC’s power to regulate under Section 5. Because these are non-common-carrier activities, the FCC often can’t regulate them either. This opens up an odd no man’s land where a company can engage in certain activities and escape regulatory enforcement while other companies engaging in the same activities cannot.
Here’s what I wrote about why the earlier 9th Circuit panel decision was problematic:
This case has some very troubling implications. Many companies these days do not cleanly fall into categories established decades ago. Companies do not just provide phone service or Internet service or cable TV service. Instead, many companies engage in a huge array of activities. Take Google, for example. They provide Internet service, but it is only one of many services they provide. Yahoo and Facebook might also qualify as common carriers. The AT&T Mobility case threatens to exempt many of these companies from FTC jurisdiction. The court cavalierly failed to elaborate much on just how much common carrier activity triggers the status of common carrier. A “tiny fraction” of revenue isn’t much of a precise standard and doesn’t provide much guidance. But what it does imply is that any nontrivial amount of revenue from common carrier activity might trigger common carrier status and place a company totally outside of FTC jurisdiction.
But what’s so bad about that? Can’t the FCC regulate? The FCC regulates privacy and security of customer proprietary network information (CPNI) through the Telecommunications Act, 47 U.S.C. §222. But CPNI involves information received through the “provision of a telecommunications service.” That means that data obtained through non-telecomm activity isn’t covered. The result is that many, if not most, of the non common carrier activities of a company would not be regulated by the FCC or the FTC. They might thus not be regulated at all!
The lack of FTC jurisdiction means that there is no agency enforcing broken promises in privacy policies, or other deceptive statements. It means that there is no enforcement of Big Data activities. It means that companies such as Google might escape from consumer protection enforcement for privacy and security for the vast majority of their activities. So companies can just lay down some fiber and rid themselves of that annoying nagging FTC that holds them to their promises and makes sure that consumers are protected.
This is an awful decision for consumers. It strips the most important agency protecting privacy and security of its power to regulate some of the most powerful technology companies that have some of the largest repositories of data about consumers.
Fortunately, the 9th Circuit en banc court reversed the panel decision. The en banc court held that the exception to FTC jurisdiction was activity-based not status-based, Because the common carrier exemptionis activity based, only the common carrier activities are exempt from FTC jurisdiction and the FTC can regulate non-common carrier activities of AT&T. The en banc court stated:
Ultimately, the structure of the statute and its contemporaneous legislative history, coupled with more than a century of judicial interpretation, align with the preferred reading and expertise of the two most important regulators with an interest in this appeal. We conclude that the exemption in Section 5 of the FTC Act—“except . . . common carriers subject to the Acts to regulate commerce”—bars the FTC from regulating “common carriers” only to the extent that they engage in common carriage activity. By extension, this interpretation means that the FTC may regulate common carriers’ non-common carriage activities.
Thus, the FTC can regulate the non-common carrier activities of common carriers such as AT&T.
Related Works of Interest
Daniel J. Solove & Woodrow Hartzog, The FTC and the New Common Law of Privacy, 114 Columbia Law Review 583 (2014)
Woodrow Hartzog & Daniel J. Solove, The Scope and Potential of FTC Data Protection, 83 George Washington Law Review (2015)
Daniel J. Solove, A Gaping Hole in Consumer Privacy Protection Law
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy and data security training. He also posts at his blog at LinkedIn, which has more than 1 million followers.
Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum (Oct. 3-5, 2018 in Washington, DC), an annual event designed for seasoned professionals.
NEWSLETTER: Subscribe to Professor Solove’s free newsletter
TWITTER: Follow Professor Solove on Twitter.
Click here to learn more about Professor Solove’s
new online privacy law course series.
Click here for more information about our
privacy awareness training for GDPR