Protecting the Privacy of Customers of Broadband and Other Telecommunications Services
The Future of Privacy Forum filed comments with the Federal Communications Commission (FCC) in response to the FCC’s proposed rules regarding the privacy and data practices of Internet Services Providers (ISPs). The FCC’s March 31, 2016 Notice of Proposed Rulemaking (NPRM or Notice) seeks to regulate ISP’s data practices pursuant to Section 222 of the Communications Act – a sector-specific statute that includes detailed requirements that apply to telecommunications services, but does not apply to other services offered by broadband providers nor to online services operating at the edge of the network (e.g. web sites).
The FCC’s notice states that responsible data practices protect important consumer interests. FPF wholeheartedly agrees. Because de-identification of personal data plays a key role in protecting consumers’ privacy, one portion of our comments seeks to ensure that the final FCC rules are consistent with the leading current thinking and practices regarding de-identification.
The FCC’s proposed rules erroneously treat data as either fully de-identified or fully identifiable. FPF’s comments urge the FCC to issue a rule recognizing that de-identification is not a black and white binary, but rather that data exists on a spectrum of identifiability. FPF’s comments take particular note of the Federal Trade Commission’s (FTC) extensive guidance regarding de-identification. According to the FTC, data are not “reasonably linkable” to individual identity to the extent that a company: (1) takes reasonable measures to ensure that the data are de-identified; (2) publicly commits not to try to re-identify the data; and (3) contractually prohibits downstream recipients from trying to re-identify the data. Industry self-regulatory guidelines use similar approaches. The FTC and self-regulatory frameworks recognize that data is not either “personal” or “non-personal.” Instead, it falls on a spectrum; with each step towards “very highly aggregated,” both the utility of the data and the risk of re-identification are reduced.
FPF’s comments argue that the proposed FCC rules reflect a rigid binary understanding of personal information that does not align with the spectrum of intermediate stages that exist between explicitly personal and wholly anonymous information. As a result, the FCC rules are simultaneously too narrow and too broad, both excluding and including data uses that should be permitted subject to reasonable controls and safeguards. In independent comments, FTC staff agree, stating “the [FCC’s] proposal to include any data that is ‘linkable’ could unnecessarily limit the use of data that does not pose a risk to consumers. While almost any piece of data could be linked to a consumer, it is appropriate to consider whether such a link is practical or likely in light of current technology. FTC staff thus recommends that the definition of PII only include information that is ‘reasonably’ linkable to an individual.”
FPF therefore proposes an alternative approach, which recognizes that non-aggregate data can be de-identified in a manner that makes it not reasonably linkable to a specific individual. This approach is consistent with leading government and industry guidelines with respect to de-identified data, including key work by the Federal Trade Commission, and is illustrated by FPF’s Visual Guide to Practical De-Identification.