GOP Lawmakers, Attorneys General Want More Expansive Congressional Review Act

WASHINGTON, Oct. 8, 2025 – A court battle is brewing over the power of a regulatory agency to revive a regulation that Congress has voted to nullify under a law called the Congressional Review Act.

A group of two dozen Republican lawmakers, along with 22 GOP attorneys general and several conservative legal foundations, are eager for judges to revist a recent decision that said agencies could do so.

The U.S. Court of Appeals for the Sixth Circuit in August upheld an Federal Communications Commission  order expanding its data breach rules, finding that a 2017 Congressional action blocking a larger package of rules did not bar the agency from bringing back a part of that package.

Several briefs were filed at the court Tuesday asking a full panel of judges to rehear the case. Congress has axed rules using the Congressional Review Act 16 times in 2025, compared to 20 successful uses from 1996 through 2024, and the parties argued every provision of those rules should be permanently barred.

“There is little point in passing a disapproval resolution if the agency could simply reissue the same rule piecemeal and force Congress to play whack-a-mole with each ‘new’ regulation,” the lawmakers said in their brief. They were led by Sen. Eric Schmitt, R-Mo., and Rep. Scott Fitzgerald, R-Wis.

The state attorneys general wrote that “under the panel majority’s view, an agency remains free to readopt a disapproved rule part by part. That interpretation creates an exception that would swallow the entirety of the CRA’s intended effect.”

The rules at issue expanded the definition of a data breach and expanded the categories of data covered by the agency’s privacy rules for telecom providers, effectively increasing the reporting requirements for those companies. In 2016, the FCC had adopted a similar rule as part of a larger item aimed at ISPs, then classified as telecommunications providers under Net Neutrality rules that have since been voided in court.

The trade groups that had sued over the order have also asked judges to rehear the case. The rules are not expected to be enforced heavily – the FCC has actually signalled it might repeal them – but courts had not ruled on the scope of the CRA before, and the industry was also hoping to avoid a situation where agencies can bring back portions of nullified regulations.

FCC Chairman Brendan Carr, a commissioner at the time, dissented from the rules when they were adopted.

“This plainly violates the law,” he wrote at the time. “Indeed, if the FCC’s theory were correct, then agencies could insulate any one of their rules from the CRA (no matter how strongly the House, the Senate, and the President felt about the rule) simply by packaging that one rule together with other rules in a single document.”

The agency had asked the court to hold off on deciding whether to rehear the case, telling judges it was already reviewing the order now that the agency has a Republican majority. 

While that was taken as a sign the FCC is likely to overturn the new data breach rules, the industry and some of the outside commenters had asked judges to invalidate their August order if they did pause the case. Doing otherwise would leave intact the precedent the companies and others are unhappy with.

Judges declined to do so. They simply granted the FCC’s request to pause the case on Tuesday.