The FCC’s Net Neutrality Rule: Going beyond blocking, throttling, and fast lanes

After months of debate and speculation, the Federal Communications Commission (FCC) issued its order last month reclassifying broadband Internet access service (BIAS) as a telecommunications service subject to common carriage regulations under Title II of the Communications Act.¹ In doing so, the FCC amended its 2017 order by classifying BIAS as an information service under the Act (and thus not subject to common carrier regulation). It also reinstated rules prohibiting BIAS providers from blocking or inhibiting access to content, sites or applications (or categories of content, sites or applications), prioritizing third-party traffic in exchange for consideration, prioritizing traffic by affiliates and engaging in the unreasonable discrimination broadly defined in the BIAS offer.

Much has been written about the scope and impact of these rules. Highlighting important differences with previous open Internet rules, the FCC now defines inhibition more broadly to include not only degrading access, but also accelerating access to content, sites, or applications (or categories of content, sites, or applications). Adding uncertainty to the issue, the FCC did not decide whether well-known and widely used practices like data caps and zero-rating — and newer techniques for mobile networks such as cutting – break the new rules. The debate over the impact of common-car regulation on investment continues, as the lengthy and heated exchanges between the FCC majority and one of the dissenting commissioners show.

Less attention has been paid to the implications of the order beyond congestion, congestion and fast lanes. The FCC now has much clearer authority to regulate privacy, data security, and cybersecurity issues affecting BIAS and BIAS providers. But its less-than-clear definition of what qualifies as BIAS raises sharp questions about which Internet-related services are covered by the new rules and the FCC’s regulatory reach. And it added an additional wrinkle to an already challenging compliance question by refusing to expressly preempt state laws and regulations dealing with BIAS.

Data privacy and security

The FCC now has full authority over privacy and data security issues related to BIAS and the provision of BIAS to customers.² of 2024 Open Internet Order states that Section 222 of the Communications Act, which protects Customer Proprietary Network Information (CPNI), applies to BIAS and BIAS providers. Among other things, this provision requires telecommunications carriers to protect the confidentiality of CPNI and to limit when carriers can use CPNI. The FCC clarified that the detailed CPNI rules implementing section 222 do NO applies to BIAS or BIAS providers, but cautioned that it may directly apply the statutory requirements of section 222 even in the absence of rules that specifically apply to BIAS.

There has been speculation that the FCC will try to adopt BIAS-specific privacy rules, as it did in 2016 after it first reclassified BIAS as a telecommunications service. This can be challenging given that Congress in 2017 repealed BIAS-specific privacy rules of 2016 under the Congressional Review Act. of 2024 Open Internet Order however, it hints at a different approach that could fuel the debate over the implementation of the Congressional Review Act. The FCC not only emphasized that the application and enforcement of Section 222 did not involve a violation of the Congressional Review Act, but also emphasized that it has authority under Section 201 to impose and enforce privacy-related obligations beyond the CPNI.³ A better preview of the FCC’s likely approach may be the orders it passed days before its release 2024 Open Internet Order imposing $196 million in fines against the largest national cellular service providers in the United States for sharing customer location information with third parties without the customer’s prior consent. We reported on this action in a previous post. Underlying these orders was the FCC’s finding that customer location information is CPNI when received from wireless networks. While the orders did not rely on the BIAS classification of cellular services as telecommunications services, they signaled a willingness to broadly interpret the CPNI and use Section 201 more aggressively in the privacy space.

Cyber ​​security

of 2024 Open Internet Order makes clear that reclassifying BIAS opens the door to a more definitive mandate to enforce cybersecurity standards across broadband networks.⁴ The FCC emphasized the importance of maintaining the integrity and security of critical Internet infrastructure. An expansion of requirements to participate in network outage reporting systems should be expected, such as requirements for BIAS providers to implement cybersecurity and risk management plans to protect their networks. of 2024 Open Internet Order also mentioned efforts to address vulnerabilities that threaten the security and integrity of the Border Gateway Protocol—and shortly thereafter the FCC adopted a Notice of Proposed Rulemaking proposing rules to address these vulnerabilities. Telecommunications carriers were already subject to many of these regulations, but now BIAS-only providers will also be covered.

But what is BIAS?

The real challenge comes from 2024 Open Internet Order we can understand to whom these new obligations will apply. The BIAS reclassification and the new Open Internet rules clearly apply to retail broadband Internet access services that ISPs provide to residential and small business customers. It also makes it clear NO apply to business data services (eg special access), content delivery network (CDN) services, virtual private network (VPN) services, web hosting, data storage and WiFi hotspots for customers in commercial institutions. But the FCC’s approach creates uncertainty beyond these specifically identified services. For example, the FCC declined to categorically exclude 5G IoT services and in-flight entertainment and connectivity services from the definition of BIAS, saying they would have to be reviewed on a case-by-case basis. It also purported to exclude “non-BIAS data services” (formerly “specialized services”) from the definition of BIAS, but then adopted a vague definition of what qualifies as such and warned that even the examples it had given before they wouldn’t always be. considered non-BIAS data services.⁵ In short, determining whether a particular service (even those provided by non-ISPs) may still fall within the definition of BIAS or be subject to FCC enforcement will require going beyond the labels and examining the functionality and service capacity.

There is no National Framework for Privacy and Cyber ​​Security in the Broadband Space

The prospect of broad FCC authority and federal rules over BIAS and BIAS providers does not mean the end of state-level regulation. The FCC refused to “categorically preempt all state or local regulations affecting BIAS in the absence of any specific determination that such regulation interferes” with 2024 Open Internet Order.⁶ It also declined to rule that BIAS was “exclusively interstate,” which makes it easier for state regulatory authorities to regulate aspects of BIAS and avoid preemption arguments. And it suggested that state regulatory authorities would be able to enforce the FCC’s requirements.⁷

The Open Internet Order of 2024 is just the opening of what could be a complex and sharp regulatory process. We will continue to monitor developments and provide our analysis in this space.

1. Preserving and Securing the Open InternetDeclaratory Decision, Order, Report and Order, and Order for Reconsideration, WC Document No. 23-320, WC Document No. 17-108 (May 7, 2024) (2024 Open Internet Order).
2. See Open Internet Order 2024.
3. Id. 324 ¶ (“[T]The Commission has previously taken enforcement action against providers under Article 201 for violating consumers’ privacy rights”); id. 351 ¶ (“[T]he Commission’s privacy authority under Title II is not limited to CPNI. Sections 222(a) and 201 also impose obligations, which we enforce, on carriers’ practices with respect to non-CPNI and PII customer proprietary information.”)
4. Id. ¶¶ 42-50.
5. Id. ¶ 195.
6. Id. 268 ¶.
7. Id. ¶¶ 268, 271.