I wonder whether AT&T, unable to realize that phone numbers are PII even in the American regulation, will ever realize that through the CDR data they've also revealed Personal Data of European data subjects and are required to notify supervisory authorities of every affected region. I wish they'd be required to notify each person.
https://www.edpb.europa.eu/system/files/2023-04/edpb_guidelines_202209_personal_data_breach_notification_v2.0_en.pdf