Expanded Privacy Obligations for Telecom Carriers and VoIP Providers Under Consideration at the FCC
Posted by K.C. Halm
The FCC is reportedly close to issuing a decision that would modify current rules governing the use, disclosure of, and access to certain information related to telephone subscriber calling records. Current rules require telecommunications carriers to treat this information, known in the industry as customer proprietary network information (CPNI), as confidential and to limit its use and disclosure. CPNI is broadly defined to include information that relates to the quantity, technical configuration, type, destination, location and amount of use of a telecommunications service. Generally speaking this includes call detail records, call volumes, customer account information, billing information, technical information, service destination, and the service plans to which a customer subscribes. Following several high-profile pretexting cases in 2005 which lead to the release of telephone subscriber records the FCC initiated a proceeding to revisit the scope and effectiveness of its current CPNI rules.
Although the FCC has not yet released a decision outlining how it will amend current CPNI regulations, lobbying and advocacy before the agency has been particularly heavy in recent weeks. This renewed activity comes as a result of reports that the FCC will soon adopt an order expanding current CPNI regulations in several ways. While the details of the new measure are still being worked out, reports suggest that the draft order will impose several new obligations on telecommunications carriers. These obligations include the following:
- First, the new rules may require carriers to notify law enforcement agencies of any breach or unlawful disclosure of CPNI.
- Second, carriers may be required to provide notice to their subscribers of any breach or unlawful disclosure of CPNI. However, law enforcement agencies will have the authority to order the carrier to withhold such notice for a limited period of time to allow law enforcement to initiate an investigation of the breach or disclosure.
- Third, the new rules may require carriers to obtain subscriber authorization, in the form of “opt-in” consent, before providing CPNI to joint venture partners or contractors that assist the carrier in marketing activities.
- Fourth, carriers may be required to implement password protection systems for requests to release CPNI, or other subscriber records, to a requesting subscriber; this mandate would reportedly also require passwords for web-based disclosures of such information.
- Fifth, the new rules may be extended and applied to all providers of interconnected VoIP service --not just telecommunications carriers.
- Sixth, the new CPNI rules may require immediate compliance, without any transition period, except for the web-based password requirements.
The potential new subscriber notice obligations stem from recent requests from the Department of Justice asking the FCC to include in its new rules an obligation to notify customers in the event of a breach of CPNI. However, the DoJ also asked the FCC include a mechanism that would allow law enforcement agencies to order the carrier to delay that notification for a limited period of time while law enforcement conducted an investigation. Delayed notice would, according to the DoJ, allow law enforcement to conduct an investigation into the breach without alerting the bad actors of the fact that the carrier may be aware of the breach and release of CPNI.
A number of carriers are concerned with the potential impact of the mandatory “opt-in” consent for sharing CPNI with joint venture partners and contractors involved in marketing. Carriers have expressed concern that an opt-in requirement for sharing CPNI with joint venture companies and contractors involved in marketing would only raise the costs of providing targeted marketing services, without addressing the problem of pretexting that served as the genesis to the FCC’s new rules. In addition, there are significant questions as to whether such rules would impermissibly impair a carrier’s commercial speech rights under the First Amendment. Indeed, portions of the FCC’s initial CPNI regulations, which included an opt-in requirement, were struck down as unconstitutional by the Tenth Circuit in 1999 for that very reason.
As to the purported application of these rules to interconnected VoIP providers, the legal rationale for such action is unclear. Although the FCC has imposed other common carrier obligations on VoIP providers (E-911, Universal Service, and CALEA obligations) it has so far declined to subject VoIP services to most forms of regulation under Title II of the Communications Act. The decision to expand CPNI obligations on VoIP providers may signal a further erosion of that policy.
Lobbying and advocacy on behalf of carriers and VoIP interests on these proposed new rules continues, as the FCC has yet to act upon the measures discussed above. As a result, it is possible that the final decision coming out of the agency may vary from the current draft circulating within the FCC at the time of this writing. Nevertheless, it seems likely that new privacy-related regulations, in one form or another, will be established by the FCC in the near future.