An Enhanced Version of CPNI — But Will the New Administration “Undo” The New Rules?
Attentive readers of this Blog know that in October, the FCC adopted new rules primarily designed to enhance the privacy and data security requirements imposed on providers of Broadband Internet Access Service (“BIAS”). Some of the new rules have been published in the Federal Register, and will go into effect on January 3rd. While this proceeding received an enormous amount of press, one big issue that received very little attention is the impact that these new rules will have on all telecommunications carriers, not just BIAS providers.
In its October Report and Order, the Commission adopted a single definition of “telecommunications carrier” (all traditional Title II carriers, plus BIAS and interconnected VoIP providers), and adopted harmonized privacy and data security requirements for all telecommunications carriers. The practical effect is that the Customer Proprietary Network Information (CPNI) requirements for all carriers, not just BIAS providers, have been significantly revised. This impacts not just on-going compliance with substantive CPNI rules, but possibly what carriers must report in their annual CPNI compliance certification as well. These certifications are due on March 1st.
However, while these new requirements could have a big impact on all telecom carriers, there is a real possibility that the new FCC under President Trump could overturn the new rules in their entirety, shave down the requirements, or just choose not to enforce them vigorously. Nevertheless, until the new Commission affirmatively addresses this matter, carriers will still be obligated to comply with the new rules, or risk costly enforcement from the FCC.
Some New Rules Go Into Effect January 3, 2017
The Commission’s Order revamping privacy rules implementing Section 222 of the Communications Act has now been published in the Federal Register, setting the effective date for at least some of those new rules as January 3, 2017. The January effective date applies only to the rule modifying the scope of the carriers covered by the new privacy rules, the new definitions of protected customer information, and a new business customer exemption for non-BIAS providers. Other new rules concerning data security requirements of carriers will go into effect on March 1, 2017. However, most of the “teeth” of the new privacy rules – i.e., the new provisions pertaining to privacy disclosure, customer approval, and breach notification requirements – still require further approval by the Office of Management and Budget before they become effective.
The Commission’s Order provided new definitions of the type of carrier, customer, and type of customer information covered by the enhanced privacy rules. Specifically, the Order:
- Modified the definition of “telecommunications carriers” covered by the agency’s privacy regulations to include: (1) Title II carriers; (2) BIAS providers; and (3) Interconnected VoIP providers.
- Expanded the definition of “customer” covered by the privacy regulations to include not only current customers, but also former customers as well as applicants for telecommunications services.
- Significantly expanded the definition of protected customer proprietary information, now known as “Customer PI,” to include: (1) individually-identifiable Customer Proprietary Network Information (CPNI) – including such information collected or accessed by a BIAS provider; (2) Personally Identifiable Information (PII) – defined in a manner that is harmonized with that of the FTC to include any information that is linked or reasonably linkable to an individual or device; and (3) Content of Communications – any part of the substance, purpose, or meaning of an inbound/outbound communication, or any other part of such a communication that is “highly suggestive” of the substance, purposes, or meaning of that communication.
These new definitions greatly broaden the scope of the data that carriers must protect, under a new umbrella term – Customer PI.
Non-BIAS Business Customer Exemption
Also going into effect on January 3rd is an exemption from the Commission’s general privacy rules for carriers contracting with enterprise customers to provide non-BIAS telecommunications services. Specifically, the exemption applies when a carrier’s contract with a business customer to provide such services: (1) specifically addresses the issues of transparency, choice, data security, and data breach; and (2) provides a mechanism for the customer to communicate with the carrier about privacy and data security concerns. However, the FCC stipulated that carriers subject to this exemption are still required to otherwise comply with the Commission’s privacy rules. In effect, the business customer exemption for non-BIAS telecommunications services is not so much an outright exemption from the privacy rules as a mechanism for alternative enforcement of the rules through contracts.
The Future of the New Rules
As these new privacy/CPNI rules go into effect, traditional telecom carriers and providers of BIAS and interconnected VoIP services are required to comply with them. But the future of these rules is unclear. Republican Commissioners Ajit Pai and Michael O’Rielly bitterly dissented from the Order that enacted the new rules. And after the election of Donald Trump, with a new Republican-majority FCC coming, both of these Commissioners have made it clear that their highest priorities in 2017 include “undoing” the “harmful” policies of the current administration, particularly the new privacy rules. Any attempts to do so, however, will likely occur after the remainder of the new rules go into effect and will take time, especially if the method is re-opening the current proceeding to repeal the rules in their entirety, or to shave back some of the requirements.
We will alert you when the remainder of the new Privacy/CPNI rules go into effect, and keep you informed regarding changes coming from the new FCC. In the meantime, if you have questions about the new rules, or their application to specific issues or situations including March 1st CPNI certifications, please contact us.