On June 27, 2013, the Federal Communications Commission issued a
Declaratory Ruling clarifying that
telecommunications carriers have a duty to protect customer
proprietary network information (CPNI) that carriers cause to be
stored on their customers' mobile devices when carriers or
their designees have access to or control over that information.
The Commission did not adopt nor propose any new rules related to
CPNI, but clarified the applicability of existing rules to
information stored on mobile devices.
Section 222 of the Communications Act of 1934, as amended,
requires communications providers to protect consumers'
sensitive personal information to which they have access as a
result of their unique position as network operators. The most
specific obligations concern CPNI, which includes information about
a customer's use of the service that is made available to the
carrier by virtue of the carrier-customer relationship. The
Commission has previously explained that CPNI includes information
such as the phone numbers called by a consumer, the frequency,
duration, and timing of such calls, and any related services
purchased or used by the consumer, such as call waiting. The
location of a customer's use of a telecommunications service
also qualifies as CPNI.
The Declaratory Ruling clarifies that section 222 applies to
information that fits the statutory definition of CPNI when such
information is collected by the subscriber's mobile device,
provided that the collection is undertaken at the carrier's
direction and that the carrier or its designee has access to or
control over that information. The Declaratory Ruling does not
prohibit the collection of CPNI on mobile devices, but makes clear
that carriers are responsible for securing the information and that
the Commission will hold carriers responsible for compliance with
statutory and regulatory obligations.
A customer's consent to the collection and use of data to
either maintain or improve a carrier's network does not
constitute consent for other use, disclosure, or permission of
access, such as storing the information in an insecure manner, nor
does it negate the duty under section 222 to protect proprietary
information from unauthorized access or disclosure. Further, the
FCC Declaratory Ruling provides that CPNI that is on a device and
has not yet been transmitted to the carrier's own servers does
not remove the data from the definition of CPNI if the collection
of information has been done at the carrier's direction.
Because CPNI is defined as information that is made available to
the carrier, even if that information has not yet been transmitted
from the mobile device to the carrier, the configuration of the
device has made the information available to the carrier. However,
Section 222 does not require wireless carriers to protect their
customers against all possible privacy and security risks related
to non-CPNI on a mobile device, including any risks created by
downloaded third-party applications.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.