The Anonymization/De-identification Debate Moves to the FCC

As explained in our recent PrivSec blog post, on Dec. 11, 2013, a coalition of privacy advocates led by Public Knowledge filed a Petition for Declaratory Ruling with the FCC that, if granted, would significantly expand the scope of Customer Proprietary Network Information (CPNI) data that would be subject to heightened protections under the Commissions’ rules. Those rules limit the use and sharing of confidential customer-specific information by telecommunications carriers and other providers of telephone service, including cable operators and VoIP providers, absent the customer’s opt-in consent. Public Knowledge’s petition asks the Commission to rule that phone call data that has been “anonymized” or “de-identified” by removing personal identifiers, but which remains “individually identifiable,” is nonetheless CPNI that may not be shared with other companies or entities absent the customer’s consent. The FCC swiftly issued a Public Notice asking for comments on the Petition by Jan. 17, 2014, with reply comments to be filed by Feb. 3, 2014.

Background
Under Section 222 of the Communications Act and the FCC’s existing rules, CPNI includes “individually identifiable” information such as the time, date, destination, location, and network configuration of a customer’s telephone service that is known by the provider solely by virtue of the carrier-customer relationship, and information contained in customer bills. The statute and the FCC rules contain several exceptions to this definition of CPNI and allow providers to use CPNI under certain circumstances. One such exception allows service providers to use “aggregate customer information . . . from which individual customer identities and characteristics have been removed.” The FCC has also issued several interpretations regarding the scope and breadth of CPNI and its permitted uses; for example, it has ruled that customer name, address and telephone number do not constitute CPNI and may be disclosed and shared by service providers without prior consent, unless subject to other privacy protections. 

The Petition argues that the Commission should construe Section 222 to find that “all CPNI is either individually identifiable (and subject to the restrictions on use and sharing) or aggregate (and not subject to the restrictions).” It claims that the privacy policies of all four major mobile carriers (AT&T, Verizon, Sprint and T-Mobile) state that they reserve the right to share anonymized or de-identified customer records with third parties, and cites a press report that AT&T has sold such anonymized customer call records to the CIA. The Petition claims that even anonymized data can be manipulated to “re-identify” individuals, and therefore that the cited policies and practices violate the Act’s protection of CPNI. Thus, even where customers’ names, phone numbers and other identifying information are removed from service providers’ records, the petitioners argue that, if such data retains “individual customer characteristics,” it cannot be used without customer consent.

Implications of a Broad Construction of “Individually Identifiable” CPNI
Grant of the coalition’s petition by the FCC could be very problematic for voice service providers of all stripes. Such an interpretation would substantially expand the universe of data protected as CPNI even in the absence of any personally identifiable information; prohibit the use of data that the current rules allows under established FCC interpretations; and restrict the Commission from any future flexibility in interpreting the boundaries and limitations of the statute. In turn, such a ruling could severely limit service providers from using CPNI now or in the future for marketing or any other purposes, absent prior consent. 

Not only could a broad interpretation of the meaning of “individually identifiable” CPNI be problematic for those entities that regularly use CPNI, but a ruling that finds anonymized data is still subject to heightened protections could also be used as precedent in other contexts to limit use of anonymized data. The FTC has already extended protections to device identifiers in its amendments to the rules implementing the Children’s Online Privacy Protection Act (or COPPA) and is now considering the effect the “Internet of Things” has on the de-identification and anonymization of data. Similarly, the “Do Not Track” negotiations have yet to settle when “de-identified” data can be used and what “de-identification” even means.

A broad interpretation of the meaning of “individually identifiable” CPNI is also inconsistent with well-established guidelines from other agencies. NIST, for example, provides guidelines in which the adequacy of de-identification techniques is evaluated in the context of the security of databases against attack, restrictions on the anticipated recipient, and potential combination with other reasonably available information. The risk of re-identification need not be zero to be effective. Likewise, HIPAA recognizes that “de-identified” data can bear some risk of “re-identification,” but if the risk is very low and proper de-identification techniques are used, de-identified data may be put to beneficial uses, rather than being prohibited from all use. 

Service providers that use any form of anonymized CPNI, or other customer data that has been de-identified, should consider filing comments with the FCC on Jan. 17, 2014. Contact the authors or your Davis Wright Tremaine attorney contact for more information about this proceeding.