5 Petitioners Urge 6th Circuit to Set Aside FCC’s Data Breach Reporting Rule
The FCC’s updated data breach notification rule, adopted Dec. 13, released Dec. 21 and published in the Federal Register Feb. 12, is a “brazen effort to claim regulatory authority” that Congress declined to confer under the Communications Act, but also “specifically rejected” under the Congressional Review Act (CRA), said the consolidated opening brief Wednesday in the 6th U.S. Circuit Appeals Court of five petitioners that seek to invalidate the rule (see 2402210026).
The petitioners are challenging the rule as contrary to law because it imposes certain duties on telecom carriers, VoIP providers and telecommunications relay service providers concerning unauthorized access to or disclosure of customer proprietary network information (CPNI) and personally identifiable information (PII). The Ohio Telecom Association (docket 24-3133), the Texas Association of Business (docket 24-3206) and CTIA, NCTA and USTelecom (docket 24-3252) are the petitioners.
The FCC’s effort “must fail,” the opening brief said. It's a “basic axiom of administrative law, rooted in the republican nature of government,” that an administrative agency lacks power unless and until Congress confers power upon it, it said. An agency’s lack of authority “is all the more obvious where, as here, Congress has directly forbidden the agency’s action,” it added.
Under the Communications Act, telecommunications carriers “bear certain duties to protect the confidentiality of a defined class” of CPNI, the opening brief said. But the Communications Act “imposes no such duties on telecommunications carriers with respect to consumer data other than CPNI,” it said. That’s “not surprising,” as any company’s use and handling of non-CPNI data “is already subject to extensive regulatory oversight,” it said.
The new reporting rule “must be set aside under the Administrative Procedure Act,” said the opening brief. The rule exceeds the FCC’s statutory authority to regulate CPNI by prescribing data-privacy and security provisions “for an entirely new class of data -- consumer PII,” it said. The FCC’s asserted justification for this enlargement of its authority “disregards the text, structure, and history of the relevant provisions of the Communications Act,” it said.
The FCC’s regulation of PII can’t be “reconciled” with the CRA, the opening brief argued. Congress recognized that the agency “overstepped its bounds” when it issued the 2016 broadband privacy order, so it enacted a “joint resolution of disapproval” of it and each of its “constituent parts,” it said.
Under the CRA, that resolution prevents the FCC from issuing a rule that's substantially the same as the 2016 reporting rule, which encompassed the broadband privacy order, the opening brief said. Yet the newest reporting rule and the 2016 reporting rule are “materially identical in essential respects,” it added.
Like the 2016 reporting rule, the new version “imposes broad reporting and recordkeeping obligations with respect to data breaches involving customer PII,” the opening brief said. It also closely resembles the “disapproved” 2016 reporting rule in “numerous other respects.” The FCC “barely asserted otherwise in its rulemaking proceedings.”
Instead, the FCC argued that it could reimpose the 2016 reporting rule in full, so long as it didn’t “simultaneously reissue” the other rules in its 2016 broadband privacy order, the opening brief said. But that argument “rests on a misinterpretation of the CRA that would nullify that statute’s function as a check on administrative agency overreach,” it said.
Administrative agencies “have only the powers that Congress gives them,” said the opening brief. “They certainly lack any powers that Congress has expressly denied them,” it said. Yet the FCC’s newest reporting rule “flouts both of these foundational principles,” it said: “It should be set aside.”