FCC Room to Regulate Privacy Protection Seen Limited by Age of Governing Statute

Keep up with the latest developments and legal issues in the telecommunications and emerging technology sectors, with exclusive access to a comprehensive collection of telecommunications law news,...

By Paul Barbagallo  

March 6 --The biggest challenge facing the Federal Communications Commission as a privacy regulator in the 21st Century is the sheer “oldness” of its governing statute, Jennifer Tatel, the agency's associate general counsel, said during a panel discussion at the IAPP Global Privacy Summit 2014.

The last time Congress overhauled the Communications Act was in 1996, just prior to the rise of the Internet and long before the issue of consumer privacy and data protection flared into a major political dispute. And even then, congressional lawmakers were much more concerned about opening up local telecommunications markets to competition than safeguarding the privacy and security of consumers' personal data.

“If it's not CPNI, there's not much we can do.”  


- Jennifer Tatel, FCC associate general counsel

Their final product, the Telecommunications Act of 1996, contained scant few provisions relating to privacy, the most critical one being the use of customer proprietary network information (or CPNI)--the data collected by phone companies about their customers' calls, including the time, date, duration, and destination number of each call.

Section 222 of the Communications Act, as amended by the Telecommunications Act, specifically prevents telecom carriers from disclosing or permitting access to their customers' individually identifiable CPNI without consent. A carrier that receives or obtains CPNI “shall only use, disclose, or permit access to individually identifiable CPNI in its provision of (A) the telecommunications service from which such information is derived, or (B) services necessary to, or used in, the provision of such telecommunications service, including the publishing of directories.”

The law defines CPNI as “information that relates to the quantity, technical configuration, type, destination, location and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier.”

“If it's not CPNI, there's not much we can do,” said Tatel, who heads up all the agency's privacy efforts.

CPNI Flashpoint

Recently, the FCC's CPNI regulations have become a flashpoint in the ongoing debate about NSA surveillance and the privacy rights of ordinary citizens.

According to a Nov. 7 New York Times article, AT&T Inc. had sold some of its customers' anonymized call records to the Central Intelligence Agency. A month later, nearly a dozen public-interest groups led by Public Knowledge filed a petition with the FCC for a declaratory ruling that Section 222 of the Communications Act forbids companies from selling de-identified call records to third parties without their customers' consent. Even if wireless companies “mask” several phone number digits from the call records they sell, the remaining data--incoming calls, call times, and call durations--do not constitute anonymous records because they can be linked back to specific individuals, the groups argued.

Though Tatel declined to discuss how the FCC might rule on the petition, she said the agency continues to remain active in protecting consumers' privacy, at least to the extent it can.

She pointed out that in June 2013 the FCC issued a declaratory ruling stating that wireless carriers must also adhere to the agency's CPNI rules, which historically only applied to traditional telephone companies and providers of internet-based phone services. Under the ruling, when a wireless carrier collects a customer's personal information, such as a number dialed, the length of a call, and the location of where a call is placed or received, that company may use or disclose it only as permitted by the commission's CPNI rules. The decision also makes it clear that carriers must take “reasonable precautions” to prevent unauthorized disclosure of such information, including by third-party marketers. But the ruling only applies to wireless carriers, not operating systems run by companies such as Google Inc. or Apple Inc.

And in April 2012, the FCC fined Google for obstructing an inquiry into the company's Street View project, which had collected Internet data from potentially millions of people as specially equipped cars drove slowly by their homes.

During the panel discussion, Natalie Roisman, a partner at Wilkinson Barker Knauer, LLP who advises clients on policy and regulatory issues related to the media and telecommunications fields, noted that House Republicans have begun a process to rewrite the Communications Act, which could provide the FCC with more authority to protect consumer privacy.

“Really anything could be fair game,” Roisman said.

To contact the reporter on this story: Paul Barbagallo in Washington at pbarbagallo@bna.com

To contact the editor responsible for this story: Bob Emeritz at bemeritz@bna.com

Request Tech & Telecom on Bloomberg Law