A coalition of privacy advocates filed a petition for declaratory ruling with the FCC on December 11, 2013 seeking a significant tightening of the Commission’s existing rules that limit the sharing of Customer Proprietary Network Information (CPNI) by telecommunications carriers and other phone service providers. The coalition, led by Public Knowledge, has asked the Commission to rule that phone call data that has been “anonymized” or “de-identified” by removing personal identifiers is nevertheless “identifying information” under the CPNI rules which may not be shared with other companies or entities absent the customer’s consent.
“CPNI” includes call information such as the time, date, destination, location, and network configuration of a call that is known by the service provider solely through its relationship with the customer, plus information on the customer’s bill relating to phone service. Section 222 of the Communications Act places restrictions on the use and sharing of “individually identifiable” CPNI, with an exception that allows service providers to use anonymous aggregated data. The theory of the petition is that all CPNI is “individually identifiable” and protected from use without consent unless it is aggregated.
Earlier FCC decisions, however, tie the protection of CPNI to the privacy interests of customers in information they view as sensitive and personal. Yet the petition asks the Commission to prohibit the use of anonymized call data because, it argues, Congress intended to protect records that refer to a single account regardless of whether those records can be used to identify a person. If accepted, that theory would substantially expand the universe of data protected as CPNI, and prohibit the use of data that in other contexts is perfectly acceptable given the absence of any personally identifiable information.
The petition also includes the argument that anonymized data may not always be safe from re-identification. It presents this point summarily, citing to a well-known study that was used in the health-care context with no real detail or explanation on re-identification possibilities that may exist with anonymized datasets such as masked digits of a phone number.
The petition will likely make its way through the FCC for many weeks, if not longer, before the Commission decides to act upon it. We will be tracking this filing and will post if and when the Commission establishes a proceeding with deadlines for comments.