STATEMENT OF COMMISSIONER AJIT PAI APPROVING IN PART AND CONCURRING IN PART Re: Implementation of the Telecommunications Act of 1996: Telecommunications Carriers’ Use of Customer Proprietary Network Information and Other Customer Information, CC Docket No. 96-115. The privacy of Americans’ phone records is a topic that has been in the news quite a bit lately. But this morning, the Commission tackles a small piece of this subject that hasn’t made the headlines. In today’s Declaratory Ruling, we seek to clarify both when data stored on a mobile device constitutes customer proprietary network information (CPNI) and when carriers must protect such CPNI pursuant to section 222 of the Communications Act. I want to start by thanking my colleagues for their willingness to incorporate many of my suggestions into the item and especially commend Chairwoman Clyburn for her leadership, which was critical in reaching this result. I had serious concerns with the original version of this item. But over the last several days, substantial changes to the Declaratory Ruling have largely allayed those concerns. Therefore, I am voting this morning to approve in part and concur in part. Four factors are critical to my decision. First, I agree that there is no “mobile device exception” to either section 222 or our CPNI rules. If information is covered by the statutory definition of CPNI set forth in section 222(h)(1), then it is CPNI, regardless of whether it is located on a mobile device. Second, today’s Declaratory Ruling is limited in scope. It only applies to information that is both: (1) collected by or at the direction of the carrier; and (2) may be accessed or controlled by the carrier or its designee. If a carrier is not responsible for the collection of certain data, then it may not be held responsible for protecting that data. Likewise, if a carrier doesn’t have access to or control over information, then it is not obligated to safeguard it. Third, the Commission provides carriers with maximum flexibility in carrying out their statutory responsibilities with respect to CPNI stored on mobile devices. In today’s item, we do not opine on various practices and hypotheticals in the absence of a fully developed factual record and concrete set of facts. Given the complex and quickly evolving technologies at issue, this restraint is wise. Fourth, and perhaps most important, this Declaratory Ruling does not seek to hold carriers liable for compliance with voluntary codes of conduct under section 201(b) of the Communications Act. I believe the Commission should welcome the development of private-sector solutions to some of the challenges facing the industry. Imbuing such codes of conduct with the force of law, however, would have precisely the opposite effect. Carriers, of course, would be worse off if we changed the meaning of “voluntary” in “voluntary codes of conduct.” But consumers ultimately would be worse off too; if we effectively ensure that no good deed goes unpunished, the industry will be less likely to take joint, consumer-friendly action of its own accord. To be sure, I do not agree with every legal theory set forth in today’s item. That’s why I am concurring in part. Specifically, I do not join the item’s discussion of section 222(c)(1) and in particular its claim that the provision makes a carrier responsible for CPNI that it has neither received nor obtained. On the whole, however, I believe that today’s Declaratory Ruling arrives at a reasonable result, one that is fair to both consumers and carriers. Finally, I would like to thank Sean Lev, Jennifer Tatel, and Doug Klein of the Office of General Counsel as well as Michele Ellison, Dave Grimaldi, and Louis Peraertz in the Office of the Chairwoman for their hard work on this item, including the fruitful discussions that led to this happy outcome. This item might not receive the same media attention as other recent issues related to privacy, but you deserve public recognition for your efforts.