In a June 14, 2023 speech at the Center for Democracy and Technology (CDT), Federal Communications Commission (FCC or Commission) Chairwoman Jessica Rosenworcel announced that the FCC is launching a new, “first-ever” “Privacy and Data Protection Task Force” (Task Force) at the Commission.
Emphasizing that the FCC “has an important role to play in ensuring the privacy of consumer communications” and that it needs to “concentrate [its] efforts” on the “magnitude of privacy challenges we face,” the Chairwoman explained that the Task Force will bring “technical and legal experts together from across the agency to maximize coordination and use the law to get results—by evolving [the agency’s] policies and taking enforcement action.” Below, we have provided an overview of what we know about the Task Force thus far, potential privacy-related actions the Commission may take now that the Task Force is in place, and questions that the Task Force’s creation raises about the Commission’s future role in the privacy regulatory space.
What is the Task Force, Who Will be on it, and What Will it Do?
According to the press release announcing its launch, the Task Force is an FCC staff working group that will “coordinate across the agency on the rulemaking, enforcement, and public awareness needs in the privacy and data protection sectors.” Those needs include “data breaches – such as those involving telecommunications providers and related to cyber intrusions – and supply chain vulnerabilities involving third-party vendors that service regulated communications providers.”
The Commission has launched a page on its website dedicated to the Task Force that provides an overview of the Task Force, commentary on the Commission’s past and ongoing privacy actions, and notes on potential future FCC privacy actions (see below), though without much in the way of detail. The Task Force’s website also includes a set of privacy protection tips for consumers.
The Commission has not provided much information on how the Task Force will be staffed. Enforcement Bureau Chief Loyaan A. Egal will lead the Task Force, but beyond that, the Commission has only explained that the Task Force will be made up of “staff from across the agency that handle topics including enforcement, equipment authorization, data breach reporting requirements, and undersea cables.” According to the Task Force’s website, the Bureaus and Offices that will be included on the Task Force are: the Office of the Chairwoman, the Enforcement Bureau, the Public Safety and Homeland Security Bureau, the Wireline Competition Bureau, the Consumer and Governmental Affairs Bureau, the Space Bureau, the Media Bureau, the Office of the General Counsel, the Office of the Managing Director, the Office of International Affairs, the Office of Engineering and Technology, and the Office of Economics and Analytics. The press release notes that the Task Force met for the first time earlier this week, though details on that meeting are currently unavailable.
Based on the Task Force website, enforcement appears to be a key focus. The website explains that the Enforcement Bureau has a team specifically dedicated to “investigat[ing] and enforc[ing] violations of the Commission’s privacy and data protection laws and rules[,]” and that this team will be expanded going forward, including by adding personnel with national security experience and clearances necessary “to review classified information and better coordinate with national security colleagues in assessing risks involving the communications . . . and supply chain sectors.” The website further emphasizes that the Enforcement Bureau “will use its resources and the FCC’s discovery and subpoena authorities to procure information not only from regulated communications providers, but also from relevant third parties, including companies that are part of the communications supply chain and who handle customer data[,]” and will “exercise its monetary penalty authority to ensure compliance with the Act and its rules.”
The Task Force Comes Amidst Several Privacy and Security-Related Workstreams at the FCC
Chairwoman Rosenworcel’s remarks to the CDT make clear that the Task Force “will have input in several ongoing efforts at the agency[,]” making privacy and data protection a top priority for the Commission. Specifically, she explained that the Task Force will:
- Be involved in the FCC’s efforts to “modernize” its data breach rules to address breaches that “make vulnerable [customer’s] sensitive data[,]” and be charged “with overseeing the investigations and enforcement actions that follow these data breaches.”
- “[H]elp with the development of rules to crack down on SIM-swapping fraud.” To this end, the Commission intends to “follow up with an effort to adopt new rules in place to put a stop to these scams.”
- “[P]lay a role in [the Commission’s] work under the Safe Connections Act[,]” which helps support access to communications for survivors of domestic violence.
- “[T]ake a look at the data [the Commission] amassed last year” when Chairwoman Rosenworcel sought information about geolocation data retention and privacy practices from the nation’s 15 largest mobile carriers. According to the Chairwoman, the Commission has “investigations underway to follow up on this data gathering, and the Task Force will assume Responsibility for this effort.”
Chairwoman Rosenworcel also addressed pending enforcement actions, and emphasized that she intends to show “that this Task Force means business” from the get-go.
The Task Force Enters a Crowded Field of Federal Action on Privacy, Cybersecurity, and Data Protection
The Task Force’s launch is just one of a myriad of recent federal privacy, cybersecurity, and data protection actions. In March, the White House Office of the National Cyber Director released the National Cybersecurity Strategy, which calls for new regulations in several areas. Multiple workstreams have been underway for years, many promoting collaborative and innovative solutions while others are more prescriptive.
The Federal Trade Commission (FTC) released revisions to its Safeguards Rule for financial institutions, which went into effect on June 9, 2023, and issued a policy statement on biometric information in May, among many ongoing proceedings, including consideration of new rules. The Department of Homeland Security (DHS) is working on several cybersecurity programs including new incident reporting mandates from Congress. DHS is the cybersecurity risk management agency for the Communications Sector and has been the locus of important security work.
While the Commission’s role in federal privacy efforts has long been relatively siloed to regulating “customer proprietary network information” (CPNI), the FCC has been dipping its proverbial toe in the broader privacy regulation waters for some time. For example, in January, the Commission released a Notice of Proposed Rulemaking proposing major changes to the agency’s regulation of customer data, and in doing so inquired about its authority to require breach reporting for social security numbers and other financial information far afield from the CPNI it has traditionally regulated.
By launching the Task Force, the agency has made clear that it is throwing its hat in the ring to be a player in the future of the federal privacy regulatory landscape. But though the Task Force website provides some level of information about what the Task Force will be doing, important questions remain about how the FCC’s foray into this space will work. For example:
- What will the FCC’s role be in interacting with other federal agencies that are entrenched in the privacy space? The Chairwoman in 2022 reconstituted a Federal Interagency Cybersecurity Forum, with herself as the Chair, but the relation of this and the new FCC Task Force to other councils and interagency efforts is not clear.
- Where does the FCC’s authority to launch the Task Force and take these additional privacy actions come from? Chairwoman Rosenworcel explained that “the law provides [the Commission] with clear communications privacy authority, including Section 222 and Section 631 of the Communications Act[,]” and the Task Force website notes that the Telecommunications Act requires carriers to “protect the privacy and security of their customers’ service-related and billing information[.]” But to what extent would the Task Force’s efforts constitute an expansion of this authority?
- Will the Task Force create tension with or duplication of federal data protection and privacy efforts, like the FTC’s rulemakings and enforcement actions or the Cybersecurity and Infrastructure Security Agency’s work on critical infrastructure incident reporting?
- Given the cross-disciplinary nature of the Task Force, how will it use and protect information that is provided to the agency by private companies, either through another agency or via the FCC’s own investigations. The FCC notes it may seek information from an array of companies through letter of inquiry or subpoena, and the FCC may obtain some information about breaches and cyber incidents from DHS and other agencies. But federal policy has long emphasized the need to protect security information provided by private companies. For example, in passing the Cybersecurity Information Sharing Act of 2015, Congress made a point to ensure that information voluntarily shared with the government would not be used for regulatory or enforcement purposes. How will the FCC honor this approach, and how will it handle confidential information provided to the agency from collateral uses or abuses?
The Task Force website is notably silent on certain issues, as there is no mention of the Commission’s Communications Security, Reliability, and Interoperability Council, Technological Advisory Council, or the National Cybersecurity Strategy.
Looking Ahead
The FCC’s announcement is a reminder that the agency is taking an assertive role on privacy and may not defer to other agencies’ work or roles. We can expect continued regulatory and enforcement activity in privacy, data protection, and cyber. Timelines and scope of future action by the Commission are unclear, so it will be worth keeping an eye on the Task Force’s website to see how its work progresses.
[View source.]