Export Compliance Daily is a Warren News publication.
'Absurd Results'

ISPs Raise 'Major Questions' and CRA Issues in Data Rules Challenge

ISPs challenging the FCC’s updated data breach notification rules made their case at the 6th U.S. Circuit Appeals Court about why the rule should be overturned. The filing elaborates on their argument that the agency exceeded its Communications Act authorities when it adopted the rule in December. The Ohio Telecom Association (docket 24-3133), the Texas Association of Business (docket 24-3206) and CTIA, NCTA and USTelecom (docket 24-3252) brought the challenge. The 6th Circuit is considered among the most conservative federal circuits.

In a reply brief filed Monday in all three dockets, the ISPs said the FCC, facing arguments that the rule exceeds the agency's authority “under Section 222(a) of the Communications Act, ... downplays its previous reliance on that provision and instead pivots to Section 201(b).” But, the ISPs added, that section “confers general authority over the terms on which telecommunications carriers offer service to consumers -- not over data breach notifications to the government and customers.”

The FCC’s theory that it has authority under Section 201(b) would grant the agency "limitless regulatory power over telecommunications carriers, raising serious concerns under the major questions and non-delegation doctrines,” the pleading said. The FCC must find support in Section 222, “yet Section 222 does not permit the FCC to regulate personally identifiable information (PII) of the kind addressed in the 2024 Reporting Rule.”

In a much-watched decision two years ago, West Virginia v. EPA, the U.S. Supreme Court elaborated on its use of the “major questions” test and whether an action is a question that Congress must address as the standard for review in weighing regulatory decisions (see 2206300066).

Republican Commissioners Brendan Carr and Nathan Simington dissented when the FCC approved the rules 3-2 in December (see 2312130019). The order expands FCC breach notification rules to cover types of customers' personally identifiable information that carriers and telecommunications relay services providers hold, and expands the definition of "breach" to include certain inadvertent access or disclosure.

Industry questioned whether the rules would withstand a legal challenge before they were approved (see 2312070034). “We reject claims that we did not provide sufficient notice to define the scope of protected consumer information in this manner,” the order said in response.

The industry brief also pointed to Congressional Review Act (CRA) concerns. “Congress disapproved the FCC’s earlier 2016 Reporting Rule, and the FCC all but admits that the two rules are nearly identical,” it said: “That should end this case. Without a viable textual argument, the FCC contends that applying the CRA in these circumstances would unduly hobble agency rulemaking.”

The FCC defended the order in July. Petitioners “ask this Court to impose sweeping new restraints on the federal government’s ability to protect the personal information of telecommunications customers,” the agency said. The restraints, the FCC said, “would not only leave tens of millions of such consumers without any federal regulatory protection for their most private data held by carriers -- including social security numbers and biometrics -- but would also permanently forbid the Commission from issuing similar protections.”

The FCC said the ISPs want the court to ignore precedent, advancing “novel statutory arguments that would rewrite the text of the Communications Act and disregard the Commission’s long history of protecting telecommunications customer privacy.” Accordingly, the 6th Circuit should reject the CRA complaints, the FCC argued. The CRA “prohibits an agency from reissuing ‘substantially the same’ rule as one Congress has previously disapproved, but it does not prohibit an agency from adopting an approach with similar or overlapping features,” the agency said.

Agreeing with the ISPs, the FCC said, would prompt “absurd results, permanently barring agencies from readopting even the most routine parts of disapproved orders, such as legal definitions.”