The FCC recently clarified that section 222 of the Communications Act of 1934, as amended (Communications Act),[1] does not prevent a telecommunications carrier from complying with the obligation in 18 U.S.C. § 2258A to report violations of specific federal statutes relating to child pornography.[2]
Section 222(c)(1) of the Communications Act provides that, “[e]xcept as required by law,” all telecommunications carriers, including wireless carriers, have a duty to protect the privacy of CPNI.[3]
In its first CPNI Declaratory Ruling, the Commission interpreted the “[e]xcept as required by law” exception contained in section 222(c)(1) of the Communications Act as applying to any report a telecommunications carrier must make to NCMEC under 42 U.S.C. § 13032. The Commission further concluded that “this exception to section 222 only applies to the extent disclosure of CPNI is ‘required‘ and therefore would not cover voluntary disclosures.”
In 2008, Congress enacted new reporting requirements that supersede the reporting obligations set forth in 42 U.S.C. § 13032, which was repealed. The Commission therefore issued this ruling so that it applied to the new statute.
Consequently, to the extent a telecommunications carrier that is a provider of electronic communication services or remote computing services is compelled by 18 U.S.C. § 2258A to disclose CPNI in a report to the Cyber Tipline, that carrier would not be in violation of its privacy duties under section 222 of the Communications Act. And this exception to section 222 applies only to the extent disclosure of CPNI is “required” and therefore would not cover voluntary disclosures.
The purpose of this advisory however is not about the direct ruling the FCC issued. Rather, it establishes that carriers need not disclose CPNI even if informally requested by the FCC or a state or a District Attorney. We have relied on 222 to refuse to disclose CPNI of a carrier‘s customer unless a subpoena is issued and even then, a subpoena is subject to being quashed.
In short, there is no need to knee-jerk release of CPNI of customers and moreover, if doing so is held to be voluntary, the release may be actionable against the carrier.
[1] 47 U.S.C. § 222.
[2] In the Matter of Implementation of the telecommunications Act of 1996: Telecommunications Carriers‘ Use of Customer Proprietary Network Information and Other Customer Information CC Docket No. 96-115 DECLARATORY RULING Adopted: October 12, 2010 Released: October 12, 2010, By the Chief, Wireline Competition Bureau.
[3] 47 U.S.C. § 222(c)(1) (providing that “[e]xcept as required by law or with the approval of the customer, a telecommunications carrier that receives or obtains customer proprietary network information by virtue of its provision of a telecommunications service shall only use, disclose, or permit access to individually identifiable customer proprietary network information in its provision of (A) the telecommunications service from which such information is derived, or (B) services necessary to, or used in, the provision of such telecommunications service, including the publishing of directories”).
