A federal district court declined to step in and review a combined $92 million fine imposed by the Federal Communications Commission on T-Mobile and Sprint for selling customer geolocation data to third parties, saying Congress has recognized “the highly sensitive nature” of such information.
In a unanimous decision, the U.S. District Court of Appeals for the District of Columbia ruled that the FCC “correctly determined” that customer location data is protected under the Communications Act and that “The Carriers therefore had a duty to protect such information from misuse by third parties.”
Judge Florence Pan, who authored the opinion, said the FCC also “reasonably concluded” that Sprint and T-Mobile violated that duty when they failed to take measures to prevent buyers from abusing access to that location data.
“Indeed, the Carriers failed to promptly take such measures even after they became aware of serious abuses,” Pan wrote.
In 2018, the New York Times reported that a Missouri sheriff used data sold by the carriers to track the location of a judge and state law enforcement officers.
That kicked off a broader investigation by the FCC into the data-selling practices of T-Mobile, Sprint, Verizon and AT&T. T-Mobile acquired Sprint in 2020.
The investigation found that all four companies had programs in place until at least 2019 that sold access to the location data of customers to two data aggregators, LocationSmart and Zumigo. Those companies in turn sold that data to dozens of different third-party, location-based service providers and other businesses. Because both Sprint and T-Mobile phones must continually ping nearby cell towers to maintain network service, their location data could provide constant real-time tracking of individuals.
The investigation found the telecoms had effectively shirked their regulatory requirements to safeguard their own customers’ location data by outsourcing responsibility to their third-party buyers in contract language. Meanwhile, internal audits of the companies’ customer data-sharing programs revealed numerous instances where auditors knew third parties were not holding to those agreements.
The FCC fined the companies a combined $200 million, with T-Mobile on the hook for $92 million in penalties between their own offenses and the Sprint acquisition.
Pan expressed incredulity that T-Mobile and Sprint would ask a court to intervene on their behalf without substantively disputing the FCC’s case.
“Neither denies what happened. Instead, they argue that the undisputed facts do not amount to a violation of the law,” Pan wrote, adding that these and other legal arguments by the telecoms about the case “lack merit.”
Reached for comment, a T-Mobile spokesperson told CyberScoop that the company is “currently reviewing the court’s action. We don’t have anything new to add right now.” Last year, the telecom told CyberScoop they halted the sale of location data to third-party aggregators in 2019.
Eric Null, co-director of privacy and data at the Center for Democracy and Technology, called the ruling a “welcome decision,” and argued that such fines were necessary to hold telecoms accountable when they “sell off customers’ location data to the highest bidder and violate the law.”
“This is a huge win for privacy and for everyone who owns a cell phone,” Null said in a statement. “Location data is one of the most personal and sensitive types of data, and is particularly harmful in the hands of bad actors.”