The U.S. Federal Communications Commission (FCC) adopted final rules in its latest “net neutrality” proceeding. The rules, which advanced over the vigorous opposition of the two Republican commissioners, will:
(1) reclassify broadband internet access service (BIAS) as a telecommunications service under the federal Communications Act of 1934, as amended;
(2) reclassify mobile BIAS as a commercial mobile service;
(3) enact rules to prohibit call blocking, throttling, and paid prioritization; and
(4) establish a general conduct standard for BIAS providers.
While the Commission underscored the importance of restoring the open Internet, the FCC also foreshadowed plans to leverage reclassification of BIAS for a potentially expansive agenda in the areas of national security and public safety, cybersecurity, communications supply chain, and consumer privacy.
Throughout her career at the FCC, Chairwoman Rosenworcel has consistently pushed for the FCC to have a greater role in network, cyber, and national security matters. With its action on Thursday, the FCC now has access to an expanded set of “regulatory tools” to advance federal efforts to address increasing challenges and risks in these areas. In addition to allowing the FCC to reinstate net neutrality rules, reclassification will subject BIAS to the FCC’s broader regulatory powers under Title II. The FCC has said it plans to use its expanded authority to adopt and enforce more stringent national security, cybersecurity, and consumer privacy standards for BIAS providers.
Traditional internet service providers fall within the crosshairs of these changes, as well as services that are incidental to or supportive of BIAS and internet traffic exchange that is derivative of BIAS. In addition, the FCC declined to categorically exclude a range of services from the scope of BIAS, saying instead that determinations should be made on an individualized basis. This leaves the door open to other services being categorized as BIAS in the future.
Reclassification will give the Commission stronger legal authority to regulate national security, cybersecurity, communications supply chain, and consumer privacy matters. More specifically, as cataloged in the FCC’s Declaratory Ruling, reclassification will enable potential new rules in the following areas:
-
National security: In its Declaratory Ruling, the FCC describes several ways reclassification could help the FCC protect U.S. communications networks. The FCC has said that its prior revocations of section 214 authorizations of foreign-owned entities that pose a threat to national security now extend to those companies broadband operations. In addition, while it has granted blanket section 214 authority to BIAS providers (with exceptions), the FCC may, in the future, revoke the authorizations of foreign-owned entities that pose a threat to national security to operate broadband networks in the U.S. The FCC may also use its authority under sections 254, 302, and 303(b) of the Communications Act to regulate BIAS providers’ use of equipment and services that pose unacceptable national security risks, or to prohibit interconnection between BIAS providers in the U.S. and data centers controlled by foreign-owned entities that pose a threat to national security.
-
Network outages: The Commission specifically noted that reclassification will enable it to play an active role in monitoring network outages. This could lead to additional duties and obligations for BIAS providers in several areas including:
-
Cybersecurity: While the FCC is actively involved in federal interagency cyber coordination, planning, and response, the current BIAS classification restricts the FCC’s toolkit for addressing vulnerabilities and cyber incidents in the communications sector and other critical infrastructure sectors. Reclassification provides the FCC greater authority to mandate cybersecurity standards and performance goals for BIAS providers rather than relying on voluntary compliance with industry best practices.
-
Border Gateway Protocol (BGP): In 2022, the FCC launched a proceeding on the BGP to explore how to mitigate security vulnerabilities inherent in the BGP’s open, trust-based architecture. The FCC also co-hosted an interagency workshop to discuss existing and forthcoming proposals to improve BGP security. Using its newly applicable Title II authority, the FCC said it may mandate deployment of solutions to address BGP vulnerabilities or establish cybersecurity requirements for BGP, rather than relying on voluntary compliance.
-
Privacy: The FCC currently imposes data privacy obligations on telecommunications carriers under section 222. Following reclassification, the FCC may extend the section 222 privacy and data security framework to BIAS providers.
Any of these policy developments will mark both a significant departure from the FCC’s historical “light-touch” regulation of BIAS and a foray into new areas of regulation that will likely be tested in court. If the FCC prevails, the FCC’s new authorities may pose challenges for companies that now find themselves within the FCC’s broadened regulatory jurisdiction.
Our team at Hogan Lovells has the experience and expertise on classification issues, national security, cybersecurity, and privacy to help companies address these developments, including adapting to reclassification and grappling with the impact of potential FCC regulation in new areas.
Authored by Charles Mathias and Ambia Harper.