Over Republican Dissents, FCC Fines Major Wireless Carriers for Data Violations
FCC commissioners approved fines against the then-four national wireless carriers for allegedly not safeguarding data on customers' real-time locations, in orders released Monday. The vote was 3-2. AT&T, T-Mobile and Verizon plan to appeal.
The orders were approved April 17, as previously reported (see 2404170075). Notices of apparent liability were proposed in 2020 under then-Chairman Ajit Pai, a Republican. However, Republican commissioners Brendan Carr and Nathan Simington dissented Monday. T-Mobile was fined more than $91 million, plus $12 million for violations by Sprint, which it subsequently acquired. Fines for AT&T topped $57 million and Verizon $47 million.
“These carriers failed to protect the information entrusted to them,” Chairwoman Jessica Rosenworcel said in a statement Monday. “We are talking about some of the most sensitive data in their possession: customers’ real-time location information, revealing where they go and who they are,” she said. Rosenworcel noted the previous administration proposed the fines. The commission “remains committed to holding all carriers accountable and making sure they fulfill their obligations to their customers as stewards of this most private data,” she said.
The orders address a problem that no longer exists, Carr said. For more than a decade, location-based service (LBS) providers worked with the major carriers to obtain location information. That stopped in 2018 when news broke of a local sheriff misusing data (See 2002280065). All the participating carriers ended their LBS programs, “so our decision today does not address any ongoing practice.”
LBS providers “have simply shifted" to obtaining the same type of location information "from other types of entities,” Carr said: “That is why I encouraged my FCC colleagues to examine ways that we could use these proceedings to address that ongoing practice. But my view did not prevail.”
Carr said the FTC, not the FCC, should have addressed any problems. “Unlike the FTC, Congress has provided the FCC with both limited and circumscribed authority over privacy,” he said. The orders are based on a “newfound definition of customer proprietary network information (CPNI) that finds no support in the Communications Act or FCC precedent,” he said.
Simington dissented to all the orders but included a statement for only the T-Mobile order, questioning how the fines were calculated. Simington was not an FCC member when the fines were proposed. “There is no valid basis for the arbitrary and capricious finding … that a single, systemic failure to follow the Commission's rules…may constitute however many separate and continuing violations the Commission chooses to find on the basis of the whole-cloth creation of a novel legal ontology,” Simington said.
“Here it cannot credibly be argued that any of the mobile network operators, in operating an LBS/aggregator program, committed more than one act relevant for the purposes of forfeiture calculation,” Simington said. He said his concerns apply to all the orders. Rosenworcel was the only other commissioner with a statement.
The order “unfairly holds us responsible for another company’s violation of our contractual requirements to obtain consent, ignores the immediate steps we took to address that company’s failures, and perversely punishes us for supporting life-saving location services like emergency medical alerts and roadside assistance that the FCC itself previously encouraged,” an AT&T spokesperson wrote in an email. "After conducting a legal review," the company plans to appeal. The spokesperson noted the order doesn’t cite “a single example in which location data for any AT&T customer was unlawfully shared.”
When a single bad actor “gained unauthorized access to information relating to a very small number of customers, we quickly and proactively cut off the fraudster, shut down the program, and worked to ensure this couldn't happen again,” Verizon said in a statement: “Unfortunately, the FCC’s order gets it wrong on both the facts and the law, and we plan to appeal this decision.” Verizon noted the order addresses a service the company “shut down more than half a decade ago,” which “required affirmative, opt-in customer consent and was intended to support services like roadside assistance and medical alerts.”
“We take our responsibility to keep customer data secure very seriously and have always supported the FCC’s commitment to protecting consumers, but this decision is wrong, and the fine is excessive,” T-Mobile said. “We intend to challenge it.”
“After touting the potential of location-based services to provide benefits like roadside assistance and emergency medical alerts, the FCC refused CTIA’s request for guidance on how providers should run those programs, and is now penalizing providers for facilitating them,” said Nick Ludlum, CTIA senior vice president. Calculation of the fines also “relies on an unlawful methodology,” he said: “The FCC’s action today demonstrates why Congress must examine the FCC’s broken enforcement process.”
Michael Calabrese, director of the Wireless Future Program at New America, said in an email: “This fine on mobile carriers who violated their obligation not to share sensitive customer location data is a timely reminder of why it is so essential for the FCC to have its full Title II authority restored, not just for the sake of open internet rules, but also to hold ISPs accountable for consumer protection more broadly.” He said, “There is no better tracker of personal location than our smartphones and so it is essential that the FCC strictly enforce carrier obligations to both keep that information private and not abuse it for commercial purposes.”