On March 3, 2014, reply comments were filed regarding a Petition for Declaratory Ruling by Public Knowledge, and several other public interest groups, asking the agency to clarify that the Consumer Proprietary Network Information (“CPNI”) definition encompasses non-aggregated, anonymized information. The reply comments focused on the debate over the risk of re-identification of anonymized data raised by the Petitioners. CTIA and T-Mobile stated that the Petitioners overstate the risks of re-identification of anonymized data by misconstruing the applicability of the studies that they cite to support their conclusions, and fail to recognize available methods for preventing re-identification. For example, T-Mobile points out that the Netflix study relied upon by the Petitioners, which identified two Netflix subscribers from anonymized data, had a much more limited impact than the Petitioners state because “identification occurred only after Netflix made the data set public to support a “data mining” contest and thus allowed any interested party to access and attempt to reverse-engineer the data.” However, Public Knowledge et al. assert in their reply comments that there is still theoretically a risk of re-identification of anonymized data although “no one has come forward in saying that they have succeeded in doing so.”
The reply comments demonstrate that the jury is still out on the risks of re-identification of anonymized data, but all agree that there are many socio-economic benefits to the sharing of CPNI with third parties. The Commission should consider this ambiguity when determining the appropriate balance between consumer protection, and the socio-economic benefits of data collection and sharing. If you have any questions or concerns regarding this Advisory please do not hesitate to contact Linda McReynolds, Certified Information Privacy Professional (CIPP/US), at firstname.lastname@example.org.