Telecommunications carriers must take precautions to protect call and location data stored on customers’ devices, according to the Federal Communications Commission (FCC).1 As discussed in a prior WSGR Eye on Privacy article,2 the FCC reacted to the carriers’ use of Carrier IQ to collect customers’ call information, despite its data security vulnerabilities. The FCC sought public comment on whether this type of data collection should fall within the agency’s authority under the Communications Act of 1934, as amended. After reviewing public comments, the FCC issued a Declaratory Ruling concluding that carriers must provide safeguards for certain types of data that carriers cause to be stored on their customers’ devices directly or through their agents. This security requirement applies to data transferred to carriers’ systems as well as data stored on the consumers’ devices.
This ruling affects any service providers collecting call and location data from devices on behalf of telecommunications carriers. Following the ruling, many carriers, as well as those providing services to them, are expected to review how they collect, use, and share information. These service providers also can expect increased diligence from carriers and additional contractual requirements before forming business relationships.
This Declaratory Ruling does not directly apply to apps and service providers collecting call and location data from devices at the direction of consumers. However, past experience suggests that agencies commonly are influenced by complementary actions of their fellow agencies. Therefore, the Federal Trade Commission (FTC), which has taken an active role in privacy and data security enforcement, may look at applying similar requirements to the entities it regulates. Moreover, while the apps and service providers are not directly at risk for any violations of the Communications Act, the FTC may investigate any apps or service providers involved in any matters raised by the FCC against a carrier.
Customer Proprietary Network Information (CPNI)
The FCC reviewed how Section 222 of the Communications Act applied to customer proprietary network information collected and stored on mobile devices. CPNI includes customer-specific personal information related to an individual’s use of a telecommunications service, including dialed phone numbers; frequency, time, and duration of calls; device technical configuration; and the location where calls are dialed or received. To be CPNI, the data must be available to the carrier solely by virtue of the carrier-customer relationship. Specifically, the FCC analyzed whether the above-listed information collected through pre-installed applications or forced updates and stored on the device constituted CPNI. If the data stored on consumers’ devices is CPNI, then Section 222’s privacy protections apply. Section 222 establishes several requirements for telecommunications carriers, including the duty to “protect the confidentiality” of CPNI.
FCC Removes Industry Uncertainty
The FCC noted that the wireless industry was uncertain about its obligations under Section 222 to protect CPNI collected by mobile devices. Through this Declaratory Ruling, the FCC intended to remove that uncertainty. The agency stated that the security obligations apply to CPNI collected at the carrier’s direction when the carrier or its agent has access to, or control over, such information. This includes access to, or control over, information while it is stored on the device. The FCC came to this conclusion after finding that telecommunications carriers were in a position to protect the privacy and security of information collected in such a manner.
Carriers Must Implement “Reasonable” Security Measures
The FCC emphasized that the ruling does not ban the collection and use of CPNI; instead, the agency clarified that CPNI must be protected and used only as permitted by law. The FCC stated that it expects carriers to take “reasonable measures” to secure customer information, and such measures may vary based on the sensitivity of the information. For example, the FCC previously has stated that a carrier must encrypt its CPNI databases if doing so would provide significant additional protection at a reasonable cost given the technology the carrier already has implemented.3 However, in its Declaratory Ruling, the FCC did not require any particular type of safeguard and instead allowed carriers to choose their own methods of protecting CPNI.
Data Not Yet Transmitted to Telecommunications Carrier Still Must Be Protected
The FCC stated that the fact that CPNI located on the device has not yet been transmitted to the carrier does not remove the carrier’s duty to protect data collected at its direction. According to the FCC, a telecommunications carrier need not receive CPNI to have security obligations; it is enough that the carrier caused the data to be stored on the customer’s mobile device.
Declaratory Ruling Does Not Apply to Third-Party Apps
Third-party apps installed by customers also may raise privacy concerns. However, the FCC’s ruling makes clear that Section 222 does not cover customer-installed third-party apps and their data collection. Information stored on a mobile device that is not accessible by the carrier as part of providing the telecommunications service is not CPNI.
No Effect on Data Use for Network Maintenance and Improvement
The FCC’s ruling does not limit data collection. In general, the existing CPNI rules focus on usage limitations and obtaining appropriate consent after notice. The FCC reiterated that telecommunications carriers can collect CPNI without consent to improve and maintain their networks. The Declaratory Ruling clarifies, however, that such information should be secured.
No Effect on Aggregate Information
Section 222 does not impose a duty to protect all data collected or stored on a device by a telecommunications carrier or its agents. Aggregate customer information (i.e., information “from which individual customer identities and characteristics have been removed”) is not subject to confidentiality obligations under Section 222, which are intended to protect “individually identifiable” CPNI.4
FCC Does Not Support Self-Regulatory Codes of Conduct
Unlike the FTC’s support for self-regulatory codes of conduct, the FCC has taken the position that self-regulatory initiatives are not a substitute for the agency fulfilling its statutory role. Congress specifically has imposed statutory duties upon carriers with respect to CPNI through the Communications Act. Therefore, the FCC may not deem compliance with self-regulatory standards as compliance with obligations under Section 222.
The FCC warned that it would hold carriers accountable for compliance with these statutory and regulatory obligations. Carriers’ inadvertent disclosures of CPNI—even CPNI that resides solely on customers’ mobile devices—may violate Section 222, depending on the facts and circumstances of the case. For example, a carrier may be liable when a third-party app gains unauthorized access to, or discloses, CPNI that the carrier or its agents collected and stored on the device.
Telecommunications carriers likely face increased pressure to provide reasonable safeguards of the data they and their agents store on customers’ mobile devices. As a result, carriers likely will take an active role to ensure that any third-party apps installed at the direction of a carrier collect and store information on mobile devices using security measures that meet the FCC’s requirements. Businesses working with carriers in these areas can continue to expect stringent indemnity requirements and representations regarding compliance, privacy, and data security in their agreements with carriers. Importantly, third-party apps that are installed by customers do not fall under the authority of the FCC. However, these third-party apps likely fall under the jurisdiction of the FTC, which also expects apps to have reasonable data security.
Whether the two agencies’ requirements and approaches will parallel one another remains to be seen. Neither the FCC nor the FTC has undertaken rulemaking or other authoritative measures to define the parameters of “reasonable” security for mobile applications. It seems likely that some level of uncertainty will persist as telecommunications carriers and apps and service providers seek through trial and error to satisfy requirements and avoid investigations and penalties. Following this latest ruling, companies may benefit from renewed review and evaluation of their privacy and data protection practices.
1 In re Implementation of the Telecommunications Act of 1996: Telecommunications Carriers’ Use of Customer Proprietary Network Information and Other Customer Information, FCC 13-89 (June 27, 2013) (hereinafter Declaratory Ruling).
2 The article is available at http://www.wsgr.com/publications/PDFSearch/eye-on-privacy/July2012/index.html#6.