1DISSENTING STATEMENT OF
COMMISSIONER MIGNON L. CLYBURN
Re: Protecting the Privacy of Customers of Broadband and Other Telecommunications Services, WC 
Docket No. 16-106.
On the very same day a major content distribution network revealed that the private data of 
millions of users from thousands of websites had been exposed for several months, the FCC announced 
its intention to indefinitely suspend rules requiring broadband providers to protect users’ private data. The 
irony here is inescapable. With a stroke of the proverbial pen, the Federal Communications 
Commission—the same agency that should be the “cop on the beat” when it comes to ensuring 
appropriate consumer protections—is leaving broadband customers without assurances that their 
providers will keep their data secure. 
It is for this reason, that I must issue this unequivocal dissent. 
In this Order, the majority fells a tree to ostensibly prune a branch. Rather than interpret a duly-
adopted, flexible rule in a manner that would be consistent with the majority’s understanding of its proper 
scope, they have chosen to gut the rule entirely. If the problem with the data security rule is, for example, 
the ability of the Commission to look to other Congressional mandates for guidance, then simply issue 
interpretive guidance that narrows the scope of the rule. In another context, the majority allowed rules to 
go into effect with a letter of intent not to enforce until the rules were modified. So my question is why 
does the same approach not work here?
The painful answer is this:  Because with the new FCC, the ends justify the means.  This Order is 
but a proxy for gutting the Commission’s duly adopted privacy rules—and it does so with very little 
finesse. First, the Order alleges deleterious divergence from FTC standards, when in actuality there is 
little daylight between the approaches taken by the two agencies. Both agencies require only reasonable 
data security measures, with caveats for the sensitivity of the data, size of the company and technical 
feasibility. Even the voluntary framework that providers submit with their stay request, which the Order 
cites approvingly, uses the exact text from the FCC rule as the baseline for broadband provider 
compliance efforts. This view was reiterated last week by FTC Commissioner Terrell McSweeny who 
stated that “[t]he rules the FCC adopted conform to long standing FTC practice and provide clear rules on 
how broadband companies should protect their customers’ personal information.” Further, the FCC gave 
helpful guidance, stressed that the standards it set out were not the only way to comply with the rule, and 
stated unequivocally that the rules were not a strict liability standard. The Order wrongly cites these as 
additional requirements imposed on broadband providers. 
Second, the Order alleges significant harm to service providers, but cites absolutely nothing to 
prove it. In fact, the stay request does not even begin to estimate the costs associated with compliance. 
Contrast this with the stay requests for the 2015 Open Internet Order, where providers offered affidavits 
involving allegations of specific harms. There, the Commission denied those stay petitions, finding that 
the harms alleged were insufficient to meet the high bar of a stay. Here, petitioners do not even attempt to 
quantify the costs associated with all of the privacy rules, much less the data security rule. Again, the rule 
adopted requires only reasonable data security. It does not put providers at a competitive disadvantage, it 
does not require massive reporting obligations, nor does it even really require providers to change their 
existing conduct. 
The outcome of this Order is not relief of regulatory burdens, as is evidenced by providers 
seeking a stay using the text of the FCC’s rule as the basis for their voluntary code of conduct. What it 
actually does is permit providers to shift the costs for corporate negligence onto private citizens. Because 
of the 9
th
Circuit decision that seriously called into question the ability of the FTC to regulate any 
business that has a common carrier component, the Commission’s action today means that a voluntary 
2industry code is the only comprehensive federal protection for broadband data security. If a provider 
simply decides not to adequately protect a customer’s information and does not notify them when a 
breach inevitably occurs, there will be no recompense as a matter of course. The only recourse for 
customers will be individual forced arbitration before an entity of their service provider’s choosing. 
Rather than the Commission being able to spearhead an investigation and remuneration for consumers, 
each individual will have to discover the breach and prosecute it on their own.  This is the antithesis of 
putting #ConsumersFirst.  
Finally, I must express my disappointment that the Chairman even entertained this item being 
adopted on delegated authority. This would have marked the first time in which the Wireline Competition 
Bureau actually granted a petition for stay. Thankfully, my request to have this considered by the 
Commission preserved some degree of procedural integrity at the FCC. 
Thank you to the staff of the Wireline Competition Bureau. While I dissent, I continue to 
appreciate your efforts.