Initial Takeaways on the FCC’s New Privacy and Data Protection Task Force
Last week, the Federal Communications Commission (FCC or Commission) launched a new “Privacy and Data Protection Task Force” (Task Force), throwing its proverbial hat into the ring to join the Federal Trade Commission, Department of Homeland Security (DHS), and others as a major player in the future of the federal privacy and data security regulatory landscape. According to the press release announcing its launch, the Task Force is an FCC staff working group that will “coordinate across the agency on the rulemaking, enforcement, and public awareness needs in the privacy and data protection sectors.”
The move is not terribly surprising. While the Commission’s role in federal privacy efforts has long been relatively siloed to regulating “customer proprietary network information” (CPNI), the agency has been dipping its toe further and further into broader privacy issues for some time now, including by recently inquiring about its authority to require breach reporting for social security numbers and other financial information that is far afield from CPNI.
Beyond the press release linked above, FCC Chairwoman Rosenworcel provided some information about the Task Force and its mission in her speech to the Center for Democracy and Technology announcing the Task Force’s establishment. The Commission has also launched a page on its website dedicated to the Task Force. None of these sources contain much in the way of specifics, so as of yet we do not have details in terms of what the Task Force will look like or what exactly it will be doing.
Our initial takeaways—based on the information that is available—are below.
Enforcement Will Be a Priority
The Commission has been fairly quiet about how the Task Force will be staffed. In her speech, Chairwoman Rosenworcel merely explained that the Task Force will bring “technical and legal experts together from across the agency to maximize coordination and use the law to get results . . . .” The press release on the Task Force’s launch similarly only notes that the Task Force will be comprised of staff that “handle topics including enforcement, equipment authorization, data breach reporting requirements, and undersea cables[,]” while the Task Force website just lists the various Bureaus and Offices that will be involved with the Task Force (though without detail on the capacity of their involvement).
However, the Commission has announced one key staffing decision: Enforcement Bureau Chief Loyaan A. Egal has been tapped to lead the Task Force, which indicates that enforcement will be a priority. And the Task Force website reinforces this notion. Specifically, it explains that the Enforcement Bureau has a team dedicated to “investigat[ing] and enforc[ing] violations of the Commission’s privacy and data protection laws and rules[,]” and that this team will be expanded going forward, including by adding personnel with national security experience and clearances necessary “to review classified information and better coordinate with national security colleagues in assessing risks involving the communications . . . and supply chain sectors.”
Moreover, in her speech, the Chairwoman emphasized that she intends to show “that this Task Force means business” from the get-go. To that end, the Task Force website does not mince words in explaining that the Enforcement Bureau “will use its resources and the FCC’s discovery and subpoena authorities to procure information not only from regulated communications providers, but also from relevant third parties, including companies that are part of the communications supply chain and who handle customer data[,]” and will “exercise its monetary penalty authority to ensure compliance with the Act and its rules.”
The Task Force Will Be Involved in Ongoing and Future Proceedings
Although the exact scope of the Task Force’s work is currently unclear, all signs point to it being quite broad.
The Commission’s press release notes that the privacy and data protection needs that the Task Force will be coordinating on include “data breaches – such as those involving telecommunications providers and related to cyber intrusions – and supply chain vulnerabilities involving third-party vendors that service regulated communications providers.” Moreover, Chairwoman Rosenworcel’s speech emphasized that the FCC “has an important role to play in ensuring the privacy of consumer communications” and that it needs to “concentrate [its] efforts” on the “magnitude of privacy challenges we face[.]” As a result, the Task Force “will have input in several ongoing efforts at the agency.” These include:
- The FCC’s efforts to “modernize” its data breach rules to address breaches that “make vulnerable [customer’s] sensitive data.” In particular, the Task Force will be charged “with overseeing the investigations and enforcement actions that follow these data breaches.”
- “[H]elp[ing] with the development of rules to crack down on SIM-swapping fraud.” According to the Chairwoman, the Commission intends to “follow up with an effort to adopt new rules in place to put a stop to these scams[,]” although the timing of this effort is unclear.
- “[P]lay[ing] a role in [the Commission’s] work under the Safe Connections Act[,]” which helps support access to communications for survivors of domestic violence.
- “[T]ak[ing] a look at the data [the Commission] amassed last year” when Chairwoman Rosenworcel sought information about geolocation data retention and privacy practices from the nation’s 15 largest mobile carriers. The Chairwoman noted that the Commission has “investigations underway to follow up on this data gathering, and the Task Force will assume Responsibility for this effort.”
The Commission Has Been Notably Silent on Certain Aspects of the Task Force
Beyond the proceedings specifically referenced in Chairwoman Rosenworcel’s speech, the Commission has been relatively silent about the interplay between the Task Force and other Commission initiatives that, though not directly aimed at privacy or cybersecurity, border on these issues nonetheless. This includes the Communications Security, Reliability, and Interoperability Council, the Technological Advisory Council, and the Communications Equity and Diversity Council.
Perhaps more importantly, the Commission has not yet addressed how the Task Force will fit into the broader federal privacy regulatory space or interact with other federal agencies that are entrenched in this area.
The Task Force’s launch is just one of a myriad of recent federal privacy, cybersecurity, and data protection actions. For instance, in March, the White House Office of the National Cyber Director released the National Cybersecurity Strategy, which calls for new regulations in several areas. However, there was no reference to the National Cybersecurity Strategy in the Chairwoman’s speech or the agency’s press release, and it does not appear to be included on the Task Force website. Additionally, DHS is working on several cybersecurity programs, including new incident reporting mandates from Congress. DHS is the cybersecurity risk management agency for the Communications Sector and has been the locus of important security work, and yet, discussion of DHS’s efforts is nowhere to be seen in the material that has been published about the Task Force so far.
In 2022, the Chairwoman reconstituted a Federal Interagency Cybersecurity Forum, with herself as the Chair. However, it remains to be seen how this forum will factor into the Task Force’s relation to other councils and interagency efforts.
The Task Force’s Launch Raises More Questions Than Answers
As discussed above, though the Chairwoman’s speech, the press release, and the Task Force website provide some level of information about what the Task Force will be doing, important questions remain about how the FCC’s foray into this space will work. Two in particular are worth noting:
- Where does the FCC’s authority to launch the Task Force and take these additional privacy actions come from? In her speech, Chairwoman Rosenworcel explained that “the law provides [the Commission] with clear communications privacy authority, including Section 222 and Section 631 of the Communications Act[,]” and the Task Force website notes that the Telecommunications Act requires carriers to “protect the privacy and security of their customers’ service-related and billing information[.]” But to what extent would the Task Force’s efforts constitute an expansion of this authority?
- Given the cross-disciplinary nature of the Task Force, how will it use and protect information that is provided to the agency by private companies, either through another agency or via the FCC’s own investigations? The FCC notes it may seek information from an array of companies through letter of inquiry or subpoena, and the FCC may obtain some information about breaches and cyber incidents from DHS and other agencies. But federal policy has long emphasized the need to protect security information provided by private companies. For example, in passing the Cybersecurity Information Sharing Act of 2015, Congress made a point to ensure that information voluntarily shared with the government would not be used for regulatory or enforcement purposes. How will the FCC honor this approach, and how will it handle confidential information provided to the agency from collateral uses or abuses?
According to the Commission’s press release, the Task Force met for the first time earlier last week, before the Task Force’s announcement, though details on that meeting are currently unavailable.
Although timelines and scope of future action by the Commission are unclear, we can certainly expect continued activity from the FCC in privacy, data protection, and cyber moving forward. It will be worth keeping an eye on the Task Force’s website to see how these activities progress.