ISPs Say 1996 Law Blocks FCC's New Data Breach Rules

WASHINGTON, August 29, 2024 – Telecom companies told the U.S. Court of Appeals for the Sixth Circuit Monday that new Federal Communications Commission data breach rules are too similar to ones nixed by Congress in 2017.

Petitioners' Reply Brief

The FCC’s brief underscores the defects of the 2024 Reporting Rule. Faced with Petitioners’ arguments that the Rule exceeds the FCC’s authority under Section 222(a) of the Communications Act, the FCC downplays its previous reliance on that provision and instead pivots to Section 201(b). But Section 201(b) confers general authority over the terms on which telecommunications carriers offer service to consumers—not over data breach notifications to the government and customers. And the FCC’s Section 201(b) theory would give the FCC limitless regulatory power over telecommunications carriers, raising serious concerns under the major questions and non-delegation doctrines. The FCC’s power to promulgate the 2024 Reporting Rule must therefore find support in Section 222. Yet Section 222 does not permit the FCC to regulate personally identifiable information (PII) of the kind addressed in the 2024 Reporting Rule.

Available for Breakfast Club Members

“Congress disapproved the FCC’s earlier 2016 Reporting Rule, and the FCC all but admits that the two rules are nearly identical. That should end this case,” trade groups for the wireless, cable, and broadband industries wrote in a reply brief submitted to the Cincinnati-based court.

The agency adopted rules in December that expanded the definition of a breach to include inadvertent access to customer data without authorization, as well as the definition of covered data to include more personally identifiable information. The rules also require companies to notify the FCC in addition to law enforcement agencies of a breach and to notify customers sooner. There are some carve outs for situations in which harm is very unlikely or an employee accessed data in good faith.

In a July brief, the FCC argued to judges that the rule was in fact consistent with the Congressional Review Act, the law Congress used to nullify the agency’s previous reporting rule. The rule was one part of a larger suite of broadband privacy policies – ISPs were telecom providers at the time – that Congress struck down, and the agency said it was only blocked from reviving those broadband privacy rules.

“[T]he CRA bars an agency from reissuing a rule that is substantively identical to a disapproved rule, not merely one that shares some characteristics or policies,” the FCC wrote. “A rule that only partly overlaps with a disapproved rule is not ‘substantially the same.’”

As far as its legal authority to expand the scope of covered data, the agency cited Section 201(b) of the Communications Act, in addition to other provisions that deal specifically with more narrowly defined network information related to customers. Section 201(b) requires telecom carrier practices be “just and Reasonable."

Industry challengers said the agency’s reading of that section “would give the FCC limitless regulatory power over telecommunications carriers, raising serious concerns under the major questions and non-delegation doctrines.”

Sixth Circuit judges have been receptive to major questions arguments from ISPs – the recently articulated Supreme Court rule that agencies can’t act on issues of “vast economic and political significance” without explicit authorization from Congress. The court put the FCC’s net neutrality rules on ice earlier this month, finding broadband providers looking to toss the rules on major questions grounds were “likely to succeed on the merits”.

Editor's note: The legal brief associated with this article has been updated from that which was posted originally.