Blog Post / Privacy & Security Law Blog
FCC Asked To Rule That Anonymized Phone Call Data May Not Be Shared Absent Customer Consent Under CPNI Rules; Comments Due January 17, 2014
By Ronald G. London
12.19.13
By Bob Scott
A coalition of privacy advocates filed a petition for declaratory ruling with the FCC on December 11, 2013 seeking a significant tightening of the Commission’s existing rules that limit the sharing of Customer Proprietary Network Information (CPNI) by telecommunications carriers and other phone service providers. The coalition, led by Public Knowledge, has asked the Commission to rule that phone call data that has been “anonymized” or “de-identified” by removing personal identifiers is nevertheless “identifying information” under the CPNI rules which may not be shared with other companies or entities absent the customer’s consent. The FCC has set a deadline of January 17, 2014 for comments on the petition.
“CPNI” includes call information such as the time, date, destination, location, and network configuration of a call that is known by the service provider solely through its relationship with the customer, plus information on the customer’s bill relating to phone service. Section 222 of the Communications Act places restrictions on the use and sharing of “individually identifiable” CPNI, with an exception that allows service providers to use anonymous aggregated data. The theory of the petition is that all CPNI is “individually identifiable” and protected from use without consent unless it is aggregated.
Earlier FCC decisions, however, tie the protection of CPNI to the privacy interests of customers in information they view as sensitive and personal. Yet the petition asks the Commission to prohibit the use of anonymized call data because, it argues, Congress intended to protect records that refer to a single account regardless of whether those records can be used to identify a person. If accepted, that theory would substantially expand the universe of data protected as CPNI, and prohibit the use of data that in other contexts is perfectly acceptable given the absence of any personally identifiable information.
The petition also includes the argument that anonymized data may not always be safe from re-identification. It presents this point summarily, citing to a well-known study that was used in the health-care context with no real detail or explanation on re-identification possibilities that may exist with anonymized datasets such as masked digits of a phone number.
The FCC has acted promptly on the petition, setting a deadline for initial comments of January 17, 2014. Reply comments will be due February 3, 2014.