Consumer, Media Groups Oppose CTIA Lifeline Recon Petition; ACA Backs It

The FCC in June modified its Lifeline rules requiring service providers to retain documentation of consumer eligibility for the low-income USF support program and related issues (see 1506190047). CTIA in August filed a petition asking the commission to reconsider its declarations that Section 222(a) of the Communications Act “imposes a duty of confidentiality upon carriers, other than with respect to Customer Proprietary Network Information” (CPNI) and that Section 201(b) “imposes a duty upon carriers to implement data security measures” (see 1508130048). While supportive of customer data security, CTIA said the commission lacked authority to “police carriers’ practices with regard to customer data that is not CPNI.”

Consumer and media groups opposed the CTIA petition on various grounds. The groups said CTIA stressed it didn’t object to the order’s outcome, but to the FCC's legal basis. “To the extent CTIA merely objects to the Commission’s legal theory and not to substantive action undertaken in the Order, CTIA lacks standing because it suffers no injury in fact,” said their opposition in docket 11-42. “Even assuming CTIA had standing, the Petition is procedurally flawed because the Commission has not imposed new obligations on CTIA’s members.” The order “simply explains the existing duties of [service providers] to avoid confusion about whether protecting the privacy of Lifeline applicants is mandatory and enforceable, or voluntary and unenforceable,” said Appalshop, Center for Democracy & Technology, Center for Digital Democracy, Center for Rural Strategies, Consumer Action, Consumer Federation of America, Consumer Watchdog, Free Press, New America’s Open Technology Institute, Public Knowledge, United Church of Christ Office of Communication and World Privacy Forum.

The groups also said the FCC should deny CTIA’s petition on the substantive merits. “There is no support for CTIA’s argument that the presence of specific provisions applicable to CPNI in Section 222(c) eliminates the general duty imposed by 222(a),” they said. "On the contrary, the legislative history of 222 is consistent with a reading that protects personal information other than CPNI. Nor does the existence of Section 222 limit the Commission’s data security authority under its 201(b) authority to prohibit unjust and unreasonable practices, a reasonable interpretation of which is that the Commission can prohibit carriers from failing to adopt reasonable measures to protect sensitive customer information. ... CTIA’s petition rests on the remarkable contention that applicants for and participants in the Lifeline program are entitled to no protection whatsoever when it comes to carriers’ handling of personal information."

ACA said its small cable members take their privacy duties seriously but said the FCC can't exceed its statutory bounds. Congress struck a "careful balance” in Section 222 between carrier needs and customer privacy interests, the group said in comments. “Nothing in the Act suggests that the Commission has been delegated authority to impose customer data security regulations beyond those associated with the statutorily defined category of CPNI, and neither Section 222(a) nor the more general mandates concerning common carrier practices in Section 201(b) gives the Commission authority to impose customer data security requirements of any kind,” ACA said. “For these reasons, ACA supports CTIA’s request that the Commission reconsider and vacate the discrete portion of the Order on Reconsideration establishing confidentiality and data security obligations under Sections 222(a) and 201(b) of the Act to the extent that they apply to information broader than CPNI.”