STATEMENT OF COMMISSIONER PAI
APPROVING IN PART AND CONCURRING IN PART
Implementation of the Telecommunications Act of 1996: Telecommunications Carriers' Use of
Customer Proprietary Network Information and Other Customer Information
, CC Docket No.
The privacy of Americans' phone records is a topic that has been in the news quite a bit lately.
But this morning, the Commission tackles a small piece of this subject that hasn't made the headlines. In
today's Declaratory Ruling, we seek to clarify both when data stored on a mobile device constitutes
customer proprietary network information (CPNI) and when carriers must protect such CPNI pursuant to
section 222 of the Communications Act.
I want to start by thanking my colleagues for their willingness to incorporate many of my
suggestions into the item and especially commend Chairwoman Clyburn for her leadership, which was
critical in reaching this result. I had serious concerns with the original version of this item. But over the
last several days, substantial changes to the Declaratory Ruling have largely allayed those concerns.
Therefore, I am voting this morning to approve in part and concur in part.
Four factors are critical to my decision. First
, I agree that there is no "mobile device exception"
to either section 222 or our CPNI rules. If information is covered by the statutory definition of CPNI set
forth in section 222(h)(1), then it is CPNI, regardless of whether it is located on a mobile device.
, today's Declaratory Ruling is limited in scope. It only applies to information that is both:
(1) collected by or at the direction of the carrier; and (2) may be accessed or controlled by the carrier or
its designee. If a carrier is not responsible for the collection of certain data, then it may not be held
responsible for protecting that data. Likewise, if a carrier doesn't have access to or control over
information, then it is not obligated to safeguard it.
, the Commission provides carriers with maximum flexibility in carrying out their statutory
responsibilities with respect to CPNI stored on mobile devices. In today's item, we do not opine on
various practices and hypotheticals in the absence of a fully developed factual record and concrete set of
facts. Given the complex and quickly evolving technologies at issue, this restraint is wise.
, and perhaps most important, this Declaratory Ruling does not seek to hold carriers liable
for compliance with voluntary codes of conduct under section 201(b) of the Communications Act. I
believe the Commission should welcome the development of private-sector solutions to some of the
challenges facing the industry. Imbuing such codes of conduct with the force of law, however, would
have precisely the opposite effect. Carriers, of course, would be worse off if we changed the meaning of
"voluntary" in "voluntary codes of conduct." But consumers ultimately would be worse off too; if we
effectively ensure that no good deed goes unpunished, the industry will be less likely to take joint,
consumer-friendly action of its own accord.
To be sure, I do not agree with every legal theory set forth in today's item. That's why I am
concurring in part. Specifically, I do not join the item's discussion of section 222(c)(1) and in particular
its claim that the provision makes a carrier responsible for CPNI that it has neither received nor obtained.
On the whole, however, I believe that today's Declaratory Ruling arrives at a reasonable result, one that is
fair to both consumers and carriers.
Finally, I would like to thank Sean Lev, Jennifer Tatel, and Doug Klein of the Office of General
Counsel as well as Michele Ellison, Dave Grimaldi, and Louis Peraertz in the Office of the Chairwoman
for their hard work on this item, including the fruitful discussions that led to this happy outcome. This
item might not receive the same media attention as other recent issues related to privacy, but you deserve
public recognition for your efforts.