The authoritative news source for communications regulation
'Congress Ought' to Respond: Thune

Hill Republicans Eye More Pushback on FCC Data Breach Rules Over CRA Concerns

Republican lawmakers are eyeing further action in opposition to FCC data breach notification rules (see 2312130019), but what form this will take is unclear, Capitol Hill aides and lobbyists told us. GOP leaders say the rules sidestep a 2017 Congressional Review Act resolution of disapproval that rescinded similar regulations as part of the commission's 2016 ISP privacy order (see 1704030054). Republican FCC Commissioners Brendan Carr and Nathan Simington raised the CRA in their dissents as the commission approved the rules last week 3-2.

Start A Trial

Congress ought to be heard from” on the FCC’s data breach rules and what Republicans view as deliberate flouting of the 2017 CRA measure’s ban on adopting anything mirroring the 2016 order, Senate Communications Subcommittee ranking member John Thune, R-S.D., told us Monday night. Thune and three other Republican senators -- Minority Leader Mitch McConnell (Ky.), Commerce Committee ranking member Ted Cruz (Texas) and Marsha Blackburn (Tenn.) -- invoked CRA concerns similar to those Carr and Simington raised in a letter to FCC Chairwoman Jessica Rosenworcel ahead of the commission’s approval of the rules (see 2312150068).

I have concerns about a lot of things the FCC is doing” since the commission shifted from a 2-2 tie to a 3-2 Democratic majority in September (see 2309250059), Thune said. A Thune spokesperson earlier confirmed the senator is considering next steps but had nothing to announce. Senate Commerce Republicans didn’t comment.

The FCC “cannot ignore Congress,” said Rep. Kat Cammack of Florida, who led nine other House Commerce Committee Republicans in also urging the FCC last week against adopting data breach rules mirroring the 2016 order (see 2312140067), in a statement to us. “When Congress disapproves of a rule through” the CRA, “it expects agencies to comply with that action and not try to readopt that rule. I am discussing the matter with my colleagues as we consider next steps to make sure the FCC follows what Congress has directed.”

Hill Republicans and other opponents of the data beach order are deciding on tactics, lobbyists told us. A new CRA resolution would allow lawmakers to “make it very clear” that they intended in 2017 for the FCC to never restore any part of its 2016 order, one telecom lobbyist said: They would be able to “signal their frustration with an agency that’s not heeding prior congressional direction.” But in a divided Congress, any legislation aimed at reversing the order would be exceedingly difficult to advance in 2024 given the Democrats' majority in the Senate, the lobbyist said.

'Brave New World'

It’s “worth monitoring” the possibility that Republicans might pursue a CRA simply as a messaging tactic to emphasize their desire for the FCC to undo the data breach rules if Republicans win back control of the Senate and White House next year, a wireless industry lobbyist told us. Another lobbyist questioned whether such messaging is necessary given the two sitting FCC Republicans are vocal opponents of the rules. Republicans wouldn’t be able to use a CRA resolution in 2025 if they control the Hill because the next Congress will begin well past the 60 legislative days lawmakers have to consider the rule once it’s published in the Federal Register and sent to the Hill, lobbyists said.

The new rules certainly are going to prove operationally burdensome and may be challenging to apply in practice because of some of the details that weren’t resolved” when the FCC adopted the order, said Wiley’s Megan Brown. “They’re very broad, and it’s a brave new world for the FCC in this space. There are a lot of compliance and operational questions” that the FCC hasn’t answered. She noted Commissioner Anna Gomez “acknowledged some challenges that the final order did not fix” during the meeting last week.

I don’t expect Congress to actually move anything” that would challenge the data breach rules, said Public Knowledge Senior Vice President Harold Feld. “There may be angry letters from Republicans,” and lawmakers will likely raise the matter the next time Rosenworcel and other FCC commissioners testify on the Hill, “but I find it very difficult to believe particularly this Congress is going to be able to get it together enough” to pursue legislation given Democratic control in the Senate and Republicans’ wafer-thin House majority. The data breach language included in the 2016 ISP privacy rules “wasn’t the part of the order that folks were really upset about when” Congress passed the 2017 CRA, he said.

GOP misgivings about the data breach order underscore why the Biden administration has been urging federal agencies to finish work by the end of April on actions they are concerned a majority-GOP Congress could reverse in 2025 via CRA resolution, Feld said. April is “the absolute latest” they can “absolutely assume they’ll be able to” issue a rule and not have it be subject to a CRA resolution, given the 60-legislative-day threshold would restart in 2025 if the Hill adjourns before that period expires during the current Congress. For the same reason, it’s very likely the FCC will complete by that date its proceeding to bring back much of its rescinded 2015 net neutrality rules and reclassification of broadband as a Communications Act Title II service, Feld said (see 2312150020).

Congress obviously does have a role here” and said via the 2017 CRA bill “that the FCC can’t pass ISP privacy rules” with a legal basis in Communications Act Section 222, as the data breach order does, said Jeffrey Westling, American Action Forum director-technology and innovation policy. “I doubt Congress will pass anything relevant to this because they’ve got much bigger priorities to deal with, but they have oversight authority that they can use” to emphasize GOP opposition to the FCC’s actions. It will be interesting to see how legal challenges to the data breach regulations fare in federal courts because the cases will likely turn on whether the CRA’s bar on the FCC issuing rules “substantially similar” to the rescinded 2016 ISP privacy rules applies to the new order, he said.