Trade Groups Big and Small Ask Sixth Circuit to Toss FCC’s Data Breach Rules

WASHINGTON, June 3, 2024 – Trade associations representing smaller telecommunications providers joined major ISP industry groups in asking the Sixth Circuit Court of Appeals to throw out the Federal Communications Commission’s new data breach rules.

In a May 29 amicus brief, five such groups argued the rules, adopted by the commission in December and effective as of March, are especially burdensome for small businesses. They also reiterated arguments from larger trade groups that the rules are unlawful.

“The Associations take special interest in the impact of the Order on their small business members,” the smaller groups wrote last week. “These members generally lack access to resources and economies of scale to make it practical for them to absorb substantial regulatory changes or to comply with conflicting and overlapping rules across jurisdictions.”

Signatories included WISPA, NTCA, ACA Connects, CCA and WTA.

The rules at issue created more reporting requirements for telecom carriers and providers offering voice services over the internet. The agency expanded its definition of “covered data” to include identifying information like social security numbers and biometric data, in addition to network information about customer locations.

The agency elected not to apply the rules to broadband-only providers when classifying them as common carriers under the Communications Act, although the part of that law requiring reasonable data privacy measures, section 222, will still apply.

“Many of the commission’s current rules implementing section 222 were adopted to address specific concerns in the voice context,” the agency wrote in its December order. Leaving ISPs out of those rules would “give us the opportunity to carefully evaluate appropriate rules” for broadband, the agency wrote.

Larger trade associations NCTA, CTIA, and USTelecom, along with some state telecom associations, filed suits in March alleging the rules were unlawful both for expanding covered data beyond what is allowed by section 222 and because Congress nullified similar FCC rules in 2017. Those have now been consolidated in the Sixth Circuit.

In 2017, lawmakers used the Congressional Review Act to strike down an expansive FCC privacy regime, which included a provision that expanded the scope of covered data similar to the December order. 

That move prevents the FCC from enacting such a rule again, the smaller trade groups also argued, as federal agencies are barred from enacting rules “substantially the same” as those already nixed by Congress. The commission’s two Republicans dissented from the order on these grounds.

The agency argued in its order that the nullified rules focused largely on broadband providers, which were telecommunications carriers at the time, and lawmakers were primarily concerned about FCC privacy rules conflicting with FTC rules for edge providers. That expanded data breach rules were included as part of the nullified order does not prevent the agency from taking similar steps now, the order argues, because they were not the motivation for the nullification.

“The CRA does not prohibit the adoption of a rule that is merely substantially similar to a limited portion of the disapproved rule or one that is the same as individual pieces of the disapproved rule,” the agency wrote.