END the FCC Data Retention Mandate!

END the FCC Data Retention Mandate!

The FCC requires the telephone companies to keep your telephone records for 18 months for future criminal investigations.

This violates your privacy and should end!

  • The retention of phone records implicates the privacy and freedom of association rights of millions of Americans.
  • The retention of phone records increases the risk of data breaches like the OPM breach in 2015.
  • Modern bundled phone billing makes the 1986 rule unnecessary.
  • The U.S. data retention requirement is at odds with international law and fundamental rights.

How You Can Help

(1) Submit Comments!  Go to the FCC’s web site.  Click on “+ Express” to add your comments.

(2) Promote EPIC’s Campaign

(3) Tweet!

(4) Forward this email to lists, colleagues, and friends!

Comment Now.

Summary

On August 4, 2015, a coalition of civil society organizations, legal scholars, technology experts, and EPIC filed a petition with the FCC asking the Commission to repeal a regulation that requires telephone companies to retain the detailed call records of their customers. The coalition explained that the regulation was unduly burdensome and ineffectual and posed an ongoing threat to the privacy and security of American consumers. On May 17, 2017, the FCC published a Public Notice seeking comment on the petition. Comments are due June 16, 2016.

Top News

  • EPIC Advises FCC to Protect Privacy of Lifeline Subscribers: In comments on an FCC proposed rule, EPIC said that the agency should not track the Internet use of Lifeline subscribers. Lifeline is a federal program that provides broadband service to economically disadvantaged Americans. The FCC is proposing that Lifeline subscribers install apps to track their data usage and that companies retain detailed records about Internet use by Lifeline subscribers. EPIC said: “Americans should not be required to sacrifice their privacy to access the Internet.” EPIC led a campaign and petition opposing the FCC’s requirement that telephone carriers retain detailed records of American telephone customers. (Jan. 28, 2020)
  • Top European Court to Review National Data Retention Laws: Today, the Court of Justice for the European Union will hear challenges to the data retention laws of the UK, Belgium, and France. The Court previously invalidated European and national data retention laws that required companies to retain communications data for law enforcement purposes. The Court said the laws were a “particularly serious” interference with the right to privacy. The new challenges, brought by civil society organizations, contend that European national laws fail to comply with the earlier rulings. EPIC recently urged the FCC to repeal a similar regulation that requires the retention of US telephone records, following an earlier petition to the agency. When the FCC docketed the EPIC petition for public comment, every comment received supported an end to the data retention regulation. (Sep. 9, 2019)
  • More top news

  • EPIC Again Urges FCC to Repeal Data Retention Regulation + (May. 13, 2019)
    EPIC filed comments with the Federal Communications Commission again urging the agency to repeal a regulation that requires the bulk retention of calling records of American telephone customers. EPIC and a coalition of civil rights organizations, technical experts and legal scholars first signed a petition for repeal of the FCC regulation three years ago. When the FCC docketed the petition for public comment, every comment received by the agency favored the EPIC petition to end the data retention regulation. In comments to the agency last year, EPIC again urged the FCC to drop the requirement. In response to an agency proposal to extend the rule, EPIC explained that “the regulation is unduly burdensome, ineffectual, and threatens privacy and security.” EPIC also pointed to recent cases in Europe prohibiting the mass retention of phone records. “The United States has fallen behind other advanced democracies around the world” explained EPIC to the FCC.
  • Irish Court Finds Data Retention Law Violates Human Rights + (Dec. 11, 2018)
    The Irish High Court has ruled that Ireland’s retention of telephone data violates European Law and the European Convention on Human Rights. The Communications Act, which requires all service providers to retain data for two years, is “general and indiscriminate.” The Court also found insufficient safeguards for access to data, noting that the law did not require prior judicial and had few guarantees against abuse.The Court will now issue a final order to determine how the case will proceed. EPIC is participating DPC v. Facebook – an Irish High Court Case recently referred to the top European Court of Justice to determine whether Facebook’s transfer of data from Ireland to the United States violates EU data protection law. EPIC has also petitioned the FCC to end a similar data retention mandate, arguing that it is inconsistent with international law.
  • EPIC Urges FCC To End The Data Retention Mandate + (Aug. 2, 2018)
    EPIC has sent a letter to the Federal Communications Commission urging the FCC to act immediately on a Petition submitted by EPIC and a coalition of civil rights organizations, technical experts and legal scholars exactly three years ago. The Petition called for an end to the FCC rule requiring the mass retention of phone records, known as the “data retention mandate.” EPIC explained in the Petition that the rule was “unduly burdensome and ineffectual and posed an ongoing threat to the privacy and security of American consumers. The U.S. Supreme Court recently declared that cell phone location records are protected under the Fourth Amendment in Carpenter v. United States. EPIC wrote in the letter that “as we anticipated in the original Petition, the retention of cell phone data implicates constitutional interests.” All of the comments received by the FCC on this topic favored an end to the mandate.
  • EPIC Urges Congress to Focus on FCC and Privacy + (Jul. 27, 2017)
    EPIC has sent a statement to the House Commerce Committee for a hearing on the Federal Communications Commission. EPIC urged the Committee to affirm the FCC’s role in protecting online privacy. EPIC also asked the Committee to press the nominees to repeal a FCC regulation that requires the retention of telephone customer records for 18 months. EPIC filed a petition urging the repeal of this mandate more than two years ago and the FCC recently docketed the petition for public comment. Every comment received by the FCC favored the EPIC petition to end the data retention mandate. EPIC has submitted multiple comments to the FCC for strong online privacy protections.
  • EPIC Urges Swift Action on FCC Data Retention Mandate + (Jun. 20, 2017)
    In a statement to the Senate Committee on Appropriationst, EPIC asked Congress to obtain assurances from the FCC Chair to repeal the FCC regulation that requires telephone companies to keep customer’s phone records for 18 months. EPIC warned that the regulation “places at risk the privacy of users of network services.” Two years ago, EPIC, joined by consumer privacy organizations, technical experts, and legal scholars, submitted a formal petition to the FCC, calling for the repeal of the data retention ruie. The FCC recently docketed the petition and accepted public comments on the matter. All of the commentators favored the EPIC petition to end the mandate. The next step will be for the FCC to begin a Rulemaking to Repeal 47 C.F.R.§42.6 (“Retention of Telephone Records”).
  • EPIC Launches Campaign to End FCC Data Retention Mandate + (Jun. 13, 2017)
    EPIC launched the “My Calls, My Data” campaign today, urging the public to support a proposal to end the FCC’s data retention mandate. The 1986 regulation requires telephone companies to keep the telephone numbers dialed, date, time, and call length of all U.S. telephone customers for an 18-month period. An EPIC-led coalition filed a petition in 2015 calling for repeal of the rule, saying that the FCC’s mandate “violates the fundamental right to privacy, exposes consumers to data breaches, stifles innovation, and reduces competition.” The FCC is now seeking comments. “There is hardly a better regulation to end than the FCC’s data retention mandate,” said EPIC President Marc Rotenberg. “It is ineffective, burdensome, and costly.” Comments may be filed online and are due by June 16, 2017.
  • FCC Responds to EPIC’s Petition, Seeks Public Comment on Data Retention Mandate + (Jun. 7, 2017)
    The FCC is seeking comments on an EPIC’s petition to revoke the FCC’s rule requiring mandatory retention of phone records. Current FCC regulations require phone companies to retain sensitive information on all telephone customer calling activity for 18 months, including telephone numbers dialed, date, time, and call length. The petition, filed in August 2015, states that the FCC’s mandate “violates the fundamental right to privacy, exposes consumers to data breaches, stifles innovation, and reduces competition. It is outdated and ineffective. It should end.” The EPIC petition is supported by a broad coalition of civil liberties organizations, technical experts, and legal scholars. The FCC docket number is 17-130. Comments are due on June 16, 2017.
  • EPIC, Coalition Urge FCC to Act on Petition to End Call Data Retention + (Apr. 23, 2017)
    EPIC and a coalition of leading civil society organizations have sent a letter to the Federal Communications Commission urging the Commission to act immediately upon a petition submitted by an EPIC-led coalition almost two years ago. The petition called for an end to the FCC rule requiring the mass retention of phone records. The privacy organizations said that the FCC regulation was “unduly burdensome and ineffectual and posed an ongoing threat to the privacy and security of American consumers.” The FCC requires phone companies to retain sensitive information on all telephone customer calling activity for 18 months, including telephone numbers dialed, date, time, and length. The coalition letter states that “the time has come to give the public the opportunity to comment on whether the data retention mandate should continue.”
  • FCC Adopts Modest Privacy Rules for Broadband Services + (Oct. 27, 2016)
    The Federal Communications Commission today approved privacy regulations for broadband services. The rules require ISPs to obtain consumers’ consent for “sensitive” information, which includes web browsing history and app usage, but excludes IP and MAC addresses which are also used to track Internet users. (A document obtained by EPIC under the FOIA indicates that Google lobbied for this exception.) The rules establish data breach notification requirements but permit companies to charge users for privacy protection and permit arbitration when violations of privacy rights occur. EPIC had urged the FCC to establish comprehensive safeguards for consumer privacy, to ban pay-for-privacy schemes, and to prohibit mandatory arbitration. EPIC has frequently defended FCC privacy rules and currently has a petition pending before the FCC to end the mandatory retention of customer telephone records.
  • Coalition Urges White House to Recognize EU Opinion; End NSA Telephone Records Program + (Apr. 16, 2014)
    In a letter to the White House, a coalition of US organizations urged the Administration to recognize the recent opinion by the Court of Justice, the highest court in Europe, that ended a European data retention mandate. The European law required telephone and internet companies to retain metadata on customers for national security purposes. The European Court of Justice ruled that this practice violates the fundamental right to privacy and is illegal. The US groups argue that the opinion “bears directly on the White House’s review of the NSA Telephone Records Collection Program and also the White House study of Big Data and the Future of Privacy.” The groups urged the White House to 1) recognize the Court’s decision in its upcoming report on big data and privacy; and 2) end the NSA telephone record collection program. The letter states that the decision by European Court “is the most significant legal opinion from any court in the world on the risks of big data and the ongoing importance of privacy protection.” Last year EPIC, joined by dozens of legal scholars and former members of the Church Committee, urged the US Supreme Court to find the NSA’s telephone record collection program unlawful. More recently, EPIC submitted extensive comments warning the White House of the enormous risks of current big data practices. For more information, see EPIC: Data Retention and EPIC: Big Data and the Future of Privacy.
  • European High Court Strikes Down Data Retention Law + (Apr. 8, 2014)
    In a far-reaching and dramatic opinion, the European Court of Justice has ruled that the mass storage of telecommunications data violates the fundamental right to privacy and is illegal. The Data Retention Directive required telephone and Internet companies to keep traffic and location data as well as user identifying information for use in subsequent investigations of serious crimes. According to the Court, the Directive imposed “a wide-ranging and particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data, without that interference being limited to what is strictly necessary.” The Court found that the collection of metadata constitutes the processing of personal data and must therefore comply with Article 8 of the Charter of Rights. The Court also said to find a privacy violation, “it does not matter whether the information on the private lives concerned is sensitive or whether the persons concerned have been inconvenienced in any way.” Last year EPIC, joined by dozens of legal scholars and former members of the Church Committee, urged the US Supreme Court to find the NSA’s telephone record collection program unlawful. For more information, see EPIC – Data Retention, In re EPIC.
  • House Committee Approves Controversial Measure to Require Data Retention for All Internet Users + (Aug. 1, 2011)
    The House of Representatives Judiciary Committee voted to approve a bill that will require Internet Service Providers (ISPs) to retain data on every customer to allow the government to identify and track their online activity for one year. EPIC Director Marc Rotenberg testified against the bill at the subcommittee hearing, and his arguments were cited by committee members including Representative Jerrold Nadler (D-NY). After two days of deliberation, the bill was passed with an amendment to require ISPs to retain even more information: not only internet protocol addresses, but also customer names, addresses, phone records, type and length of service, and credit card numbers. This retention is a radical contradiction of the core American value that we are innocent until proven guilty, said Representative Jason Chaffetz (R-UT). The bill purports to use the data to prosecute child pornography, but Representative James Sensenbrenner (R-WI) was “not convinced it will contribute in any meaningful way to prosecuting child pornography,” and Representative Zoe Lofgren (D-CA) stated that it is an “unprecedented power grab by the federal government – it goes way beyond fighting child pornography.” Representative Bobby Scott (D-VA) pointed out the data would be available for many other uses, including copyright prosecution and divorce cases. This data will be made available to law enforcement officers without a warrant or judicial oversight, and is a convenient way for law enforcement to get powers they couldn’t get in the Patriot Act, said Representative Darrell Issa (R-CA). For more information, see EPIC- Data Retention.

Background

FCC regulations require telephone companies to retain private call records for 18 months:

Each carrier that offers or bills toll telephone service shall retain for a period of 18 months such records as are necessary to provide the following billing information about telephone toll calls: the name, address, and telephone number of the caller, telephone number called, date, time and length of the call. Each carrier shall retain this information for toll calls that it bills whether it is billing its own toll service customers for toll calls or billing customers for another carrier.

47 C.F.R § 42.6 (“Retention of Telephone Toll Records”).

The rule was created in 1963 to help telephone providers calculate the bills of their customers and to allow customers to dispute bills. When it was enacted, the rule required carriers to retain data for six months.

In 1985, the FCC initiated a rulemaking to remove this record-keeping requirement. In response to the FCC’s proposal, the Department of Justice petitioned the Commission to extend the retention period to 18 months, claiming that “telephone toll records are often essential to the successful investigation and prosecution of today’s sophisticated criminal conspiracies.” Telecommunications providers objected to the DOJ’s proposal, but the FCC ultimately chose to extended the retention requirement to 18 months.

Today, as the DOJ has acknowledged, “the efficacy of the Commission’s current Section 42.6 requirement to meet law enforcement needs has been significantly eroded.” Carriers have “moved away from classic billing models, in which charges are itemized,” instead using “non-measured, bundled, and flat-rate service plans.” The change in billing practices has led some carriers to claim “that call records under such new plans are not covered by Section 42.6 because they are not ‘toll records.'” The original justification of the bill—to allow customers to calculate and dispute their bills—is no longer relevant. The rule imposes unnecessary restrictions on businesses that seek to minimize the collection of their customers’ personal information

EPIC’s Coalition Petition

On August 4, 2015, an EPIC-led coalition of 29 civil society organizations and 34 legal scholars and technology experts filed a petition with the FCC asking the Commission to repeal the regulation that requires telephone companies to retain the detailed call records of their customers. The coalition explained that “the rule requiring mass retention of phone records exposes consumers to data breaches, stifles innovation, reduces market competition, and threatens fundamental privacy rights.”

According to the coalition petition, “the 18-month data retention rule serves no purpose.” Although the retention rule is no longer relevant to customer billing and its usefulness as a law enforcement tool has diminished, the petition explained, the mass retention of telecommunications records implicates substantial privacy and associational freedom interests. Telephone call records “not only show who consumers call and when, but can also reveal intimate details about consumers’ daily lives. These records reveal close contacts and associates, and confidential relationships between individuals and their attorneys, doctors, or elected representatives.” And because the toll records retained under the rule “are not specifically tailored or limited to a particular investigation,” the rule requires carriers to retain sensitive data on millions of Americans who are under no suspicion of wrongdoing.

The petition also explained that mandatory retention of sensitive phone records increases the likelihood and impact of large-scale data breaches. For example, in 2015, the Office of Personnel Management discovered that the personal data of 21.5 million current and former Federal government employees and contractors had been stolen. The petition also observed that the FCC itself had brought data breach actions against companies that had failed to protect personal information. For example, the agency proposed “a $10 million fine against two telecommunications carriers for failing to protect the personal information of up to 305,000 consumers.”

On April 24, 2017, after more than twenty months of inaction from the FCC on the petition, EPIC and a coalition of 37 leading civil society organizations submitted a letter to the FCC urging the Commission to act. The coalition letter noted that at least two large data breaches had affected telephone records since the petition had been filed. In November 2015, 70 million prisoner call records were exposed in a data breach. In another breach announcement, a former Verizon employee was accused in September 2016 of selling private call records.

On May 17, 2017, the FCC responded to EPIC’s petition with a Public Notice seeking comment. Comments are due on June 16, 2017. Reply comments are due July 3, 2017.

Documents

  • Coalition Petition for Rulemaking (August 4, 2015)
  • Coalition letter asking the FCC to act on the August 4, 2015, petition (April 24, 2017)
  • FCC Public Notice seeking comment on the Petition for Rulemaking. WC Docket No. 17-130 (May 17, 2017)

Additional Resources

News