FCC Revisits Net Neutrality, Extending Reach and Targeting National Security and Cybersecurity – Technologist
The Federal Communications Commission (FCC or Commission) released a Notice of Proposed Rulemaking (NPRM) regarding reinstating net neutrality rules that would prohibit providers of Broadband Internet Access Service (BIAS) from blocking or throttling Internet traffic or from engaging in paid prioritization of traffic. As part of this proceeding, the FCC proposes to reclassify broadband providers as common carriers, subjecting them to greater regulation. In justifying these changes, the Commission states that the new rules will strengthen its ability to secure communications infrastructure against national security threats and support its efforts to enhance cybersecurity in the communications sector. This NPRM is likely to affect numerous stakeholders inside and outside the communications sector, and may open the door to new regulations and obligations.
Background
The fundamental principle behind net neutrality is that Internet Service Providers (ISPs) must treat all data and content equally. To that end, the FCC is proposing to regulate how ISPs handle traffic on their networks. NPRM ¶¶ 151-68. Critically, the FCC would classify BIAS as a telecommunications service under Title II of the Telecommunications Act of 1996, thus treating BIAS providers as common carriers, which are subject to more onerous regulatory requirements. NPRM ¶ 59. The FCC adopted a similar scheme under President Obama but rolled it back under President Trump. With a new 3-2 Democratic majority of FCC Commissioners, the Commission is now revisiting the issue.
The FCC’s Proposed Rules
The proposed rules would define BIAS as “a mass-market retail service by wire or radio that provides the capability to transmit data to and receive data from all or substantially all internet endpoints, including any capabilities that are incidental to and enable the operation of the communications service, but excluding dial-up internet access service.” NPRM ¶ 59. BIAS also “encompasses any services that the Commission finds to be providing a functional equivalent of the service [in the definition] or that is used to evade the protections set forth in this part.” NPRM ¶ 59 The proposed rules would bar ISPs from blocking content, slowing access, or offering fast lanes for some services for a fee. NPRM ¶¶ 151-58. The proposal also includes a “general conduct” rule giving the Commission leeway to “prohibit practices that unreasonably interfere with or disadvantage consumers or edge providers.” NPRM ¶ 164.
The NPRM suggests “that to the extent coffee shops, bookstores, airlines, private end-user networks such as libraries and universities, and other businesses acquire broadband Internet access service from an ISP to enable patrons to access the Internet from their respective establishments, provision of such service by the premise operator would not itself be considered BIAS unless it was offered to patrons as a retail mass-market service.” NPRM ¶ 62. However, the FCC seeks comment “on any changed circumstances that would justify” a different approach. NPRM ¶ 62.
Who is Subject to the Proposed Rules – and Why It Matters
To assess the impact of the NPRM, businesses should consider whether any of their services might qualify as BIAS. The carveout for businesses that acquire BIAS to provide patrons with access is not written into the proposed BIAS definition and is subject to change. Moreover, the proposed definition gives the FCC wide latitude by allowing it to find that services are functionally equivalent to BIAS. These are key issues to be addressed during the rulemaking.
Businesses should note the risk of new regulations applying to their operations even if they do not offer BIAS. The NPRM asks about creating “cybersecurity requirements for other components that facilitate communications between end points,” NPRM ¶ 32, and “seek[s] comment on the development of third-party services and devices that utilize BIAS,” observing the “substantial market proliferation of third-party services and devices” and noting “that consumers’ use of these offerings significantly outweigh their use of ISPs’ affiliated offerings,” NPRM ¶ 20. Similarly, the NPRM explains that “the current classification of BIAS limits” the FCC’s ability “to address cyber incidents impacting the communications sector, as well as other critical infrastructure sectors,” which suggests that the FCC is looking beyond the communications industry. NPRM ¶ 30.
Additionally, businesses should consider how new rules for ISPs may affect their own business. For example, the FCC might require ISPs to block access to IP addresses associated with malware. NPRM ¶ 32.
Expanding Regulations for National Security and Cybersecurity
Businesses should keep in mind that the FCC may use any final rule as a springboard for future regulation. As FCC Chairwoman Jessica Rosenworcel noted in a statement, net neutrality “is not the end of the story.” By classifying broadband providers as common carriers, she said, the Commission will position itself to pursue regulations supporting national security and cybersecurity, among other initiatives.
The NPRM asks broadly for ideas about regulations that reclassification would make possible to promote national security and cybersecurity. NPRM ¶ 28, ¶ 32. For example, the FCC might pursue rules that increase law enforcement’s ability to seek assistance from service providers, NPRM ¶ 28, ban certain equipment, NPRM ¶ 29, or “mandat[e] that service providers implement cybersecurity practices and risk management plans,” NPRM ¶ 30.
Who Needs to Engage
Companies across all sectors providing some form of BIAS should consider weighing in. Among others, this includes hospitals with private networks, hotel chains, universities, stadiums, factories, airlines, satellite companies, and operators of corporate campuses.
Stakeholders should further consider whether they are developing a service that would not currently qualify as BIAS under the proposal but might in the future. And stakeholders involved in activities that present heightened national security or cybersecurity risks—such as risks arising from a large international presence—should especially consider weighing in.
Even if stakeholders do not provide BIAS, they should consider whether their business relies on activities likely to be impacted by the rules.
Next Steps
Initial comments are due December 14, 2023, and reply comments are due January 17, 2024.
The Communications, Internet, and Media team at Hogan Lovells regularly collaborates with practice groups at the firm across industries to assist stakeholders with regulatory engagement. We are happy to answer questions about the NPRM and what it means for your company.
Authored by Charles Mathias, Katy Milner, Khaosara Akapolawal, and Thomas Veitch.