AT&T: Vacate FCC’s 'Nonsensical' CPNI Forfeiture Order
AT&T says the FCC should vacate a recent forfeiture order against the company on grounds that it’s arbitrary, capricious and an abuse of discretion within the meaning of the Administrative Procedure Act, said its petition for review Thursday (docket 24-60223)…
Sign up for a free preview to unlock the rest of this article
If your job depends on informed compliance, you need International Trade Today. Delivered every business day and available any time online, only International Trade Today helps you stay current on the increasingly complex international trade regulatory environment.
in the 5th U.S. Circuit Court of Appeals. In the April 29 order, the FCC imposed a $57.3 million penalty for AT&T’s violations of Section 222 of the Communications Act and commission regulations governing treatment of customer proprietary network information (CPNI). It found that AT&T failed to use reasonable measures for discovering and protecting against attempts to gain unauthorized access to customer location information. However, AT&T said as a “threshold matter,” the location data isn’t CPNI within the meaning of Section 222. Accordingly, the company's petition for review said the FCC lacked statutory authority to issue the order. “At a minimum,” by first announcing its “novel and expansive interpretation” of Section 222 in its enforcement proceeding and “retroactively punishing” the carrier for conduct preceding that announcement, the FCC “failed to provide the fair notice that AT&T was due,” it said. Even assuming otherwise, the agency’s finding that AT&T acted unreasonably in discovering and protecting against unauthorized access to customers’ location data is arbitrary and capricious, it added. The imposition of a $57.3 million penalty based on the existence of 84 distinct location-based-services providers, despite zero breaches by those providers, “defies law and logic,” it said. The FCC “has long lauded the valuable and sometimes life-saving benefits of location-based services, the growth of which AT&T has facilitated by implementing industry-leading data security safeguards,” the petition said. Yet the order “takes the nonsensical position that AT&T should have abruptly cut off access to customer location data in response to a news report of a single provider’s misuse,” of which the FCC had been aware for a year, “and despite the absence of any evidence that AT&T customers’ information was subject to unlawful use,” it said. The agency’s enforcement regime also “runs afoul” of the Constitution, the petition argued. Rather than grant a hearing to an alleged violator, it may elect to issue a notice of apparent liability, pass judgment on its own proposed liability finding and penalty, and then demand payment as a prerequisite to an appeal, the petition said: “That regime violates due process, Article III, the Seventh Amendment, and the nondelegation doctrine.”