The FCC Hacks into Mobile Privacy March 2016
By Barlow Keener, Attorney, Keener Law Group, CIPP (Privacy)/US Certified
The whole world of tech pundits, tweets, blogs, and news reports focuses on the current privacy crisis. Not a day goes by without data privacy problems rising to the top of Google News. Hackers regularly break into any large company and steal terabits of customer data. And web firms are regularly accused of using customer data improperly without customer consent or knowledge. Web firms all have privacy terms and are held strictly accountable for following their own agreed-upon standards. Germany recently initiated a proceeding against Facebook linking antitrust to alleged privacy abuses.
In the U.S., the Federal Trade Commission has been the entity most responsible for carrying out vigorous privacy investigations against web firms like Google or Facebook. But still, a strongly held view by privacy advocates is that the U.S. has lagged behind other countries when it comes to protecting privacy rights involving communications carriers. This is because of a gap in the law limiting the authority of the FTC for regulating common carriers and giving authority to the FCC.
At the end of March 2016, after several years of study and consideration, the FCC announced it will issue a notice of proposed rulemaking (NPRM) delivering new privacy rules for common carriers. Common carriers include mobile carriers, which are the concern of most privacy advocates, and whose devices indeed contain more private data than any other computer we use. The Telecommunications Act of 1996 gave the FCC the authority to issue regulations to protect the privacy of common carrier customers. In 1999, the FCC issued the first orders covering CPNI, or customer proprietary network information. The CPNI rules have been amended over the years. There are no opt-in or opt-out requirements, only accessibility requirements. Carriers can use the CPNI for any use as long as the privacy of the data is maintained. CPNI has traditionally included information like phone numbers; also included is all information “made available to the carrier by the customer solely by virtue of the carrier-customer relationship.”
The idea that a mobile phone device connected by a carrier would contain so much very personal information was unimaginable 15 years ago. Mobile device information available to mobile carriers includes all the data typically passed by an Internet service provider, both encrypted and unencrypted. But data generated also includes GPS location, Wi-Fi access points, device motion, video, photos, texts, audio files, notes, and massive amounts of data generated by apps on the device. When the Verizon supercookie tracking issue arose last year, FCC Chairman Tom Wheeler committed to Congress to investigate the particular issue. Wheeler told Congress:
“that ensuring the privacy and security of sensitive personal information about consumers' use of communications services is of utmost importance. As you suggest, we will be considering the extent to which our rules and policies relating to consumer privacy, data security, and transparency may be implicated.”
Now, a year later, the FCC is taking action. The FCC delivered what it called a fact sheet of the proposed rules that would be included in the NPRM. The NPRM will be presented for a vote at the full commission’s March 31, 2016, meeting, followed by a period for public comment. There are three basic permission categories addressed:
• Initial Sale: Data needed for providing and marketing broadband requires customer consent beyond creating the customer-broadband relationship.
• Opt-Out: Broadband providers must give the customer the ability to opt out of allowing the provider to use the data to market other communications-related services and to share customer data with their affiliates that provide communications-related services.
• Opt-In: Broadband providers must receive the customer’s proactive opt-in consent for all other uses of the customer’s data and for sharing the data.
Carriers will be required to implement risk management practices for protecting information from hackers, beef up customer authentication, institute privacy training, appoint a senior manager for privacy issues, and take responsibility – which means liability – for the use and protection of the data by third parties. Also included are time limits for notifying customers of a data breach – 10 days – and notifying the FCC seven days from discovery. The FCC’s NPRM will not prohibit the mobile carriers from using customer data. However, it will give customers control over whether the data will be used by third parties.
The FCC’s proposal imposing privacy requirements on mobile carriers is inevitable. Courts, agencies, and legislators around the globe are quickly closing in on all entities to protect privacy. U.S. mobile carriers, and wired common carriers, will now be required by the FCC to implement privacy policies very similar to those imposed on web firms like Google, Facebook, WhatsApp, Snapchat, and Instagram.