6th Circuit Split Possible as Judges Hear Case on 2023 Data Rules
Judges appeared to differ Thursday as the 6th U.S. Circuit Appeals Court heard an ISP petition to overturn the FCC’s controversial data breach notification rules, which commissioners approved 3-2 a year ago (see 2312220054). Commissioners Brendan Carr and Nathan Simington dissented (see 2312130019). In 2017, a Congressional Review Act resolution of disapproval rescinded similar regulations that were part of the commission's 2016 ISP privacy order (see 2312200001).
Sign up for a free preview to unlock the rest of this article
Communications Daily is required reading for senior executives at top telecom corporations, law firms, lobbying organizations, associations and government agencies (including the FCC). Join them today!
The 6th Circuit is considered a middle-of-the-road circuit, with less of a strict conservative bent than some other circuits. The panel includes Jane Stranch, appointed by Bill Clinton, and Andre Mathis, by Joe Biden. The third judge was Richard Griffin, appointed by George W. Bush.
“Faced with an alarming rise in data breaches” affecting telecom customers, the commission “modified its breach notification rules to cover personally identifiable information, such as social security numbers and unique biometric data,” said Adam Sorensen, appearing for the FCC. “That change is well grounded in the Communications Act.”
The FCC “exceeded its authority” when it approved “virtually the same data breach reporting rule that Congress had vetoed in 2017,” said Latham’s Roman Martinez, who argued on behalf of the Ohio Telecom Association and other petitioners (see 2405300042). “The new rule was the same in all the respects that matter the most,” he said. The other petitioners were the Texas Association of Business, CTIA, NCTA and USTelecom.
The petitioners seem to support the ability of the FCC to regulate “certain categories of data” under Sect. 222 of the Communications Act, Stranch said. “What evidence do you have to suggest that the FCC thought they were regulating to the full extent of their statutory authority in past rulings?” the judge asked Martinez.
“It sounds to me like you are locking in some of the interpretations that are in different orders,” Stranch said. “It seems to me that this presumes that what [the FCC] did in the past was the full extent of their capacity, and I’m not seeing evidence that really supports that.”
All the language from orders until 2014 “supports us,” Martinez responded. The “consistent interpretation for almost 20 years supports us.”
That interpretation was “for 20 years when you didn’t have the problem that you have now,” Stranch said. “There’s no question that, practically speaking, there have been more and more and more significant data breaches,” she said. These breaches “have become like a rolling ball that is a true danger to consumers.”
Martinez represented petitioners in Relentless v. Commerce Department, one of two cases the U.S. Supreme Court used in overruling the Chevron doctrine in June (see 2406280043).
The court shouldn’t analyze the Communications Act “with the presumption that the agency has to have the power,” Martinez said. “Instead, the way to start is to ask the question whether Congress has given the agency the power, and to answer the question we have to look to what the law says.”
Griffin said he was troubled by the FCC’s approach in handing down the data breach order, noting that it was part of a package of rules Congress disapproved in 2017. The FCC tried to get around that by promulgating the rules “on a single basis,” he said. “That way there’s no violation of the CRA.”
“It is a recipe for circumvention of the statute,” Martinez responded. The FCC's theory is "you can take a regulation that is vetoed … and you can just split it up,” he said. Martinez noted that Congress rarely overturns agency rulings using the CRA.
“Your answer is” a regulation “is swept off the map and done forever,” Stranch said. She noted significant differences between the order approved in 2016 and what the FCC approved last year.
Martinez disagreed, saying both orders involved a “sweeping expansion” of regulations with data rules now covering personally identifiable information (PII). The latest regulation is more exhaustive on some levels, he said. Inadvertent breeches are now covered, and the FCC, not just federal law enforcement agencies, must be notified of problems, he added.
Stranch noted that the 2023 order offers protection for industry not in the earlier order through a “good faith” rule. “It’s true the good faith rule is a little bit different -- we don’t think that’s material,” Martinez said.
When FCC Chairwoman Jessica Rosenworcel discussed the order, of “all the things that we are emphasizing -- the good faith rule wasn’t on the list,” Martinez said.
Whether an order is “substantially similar” is “the key,” Griffin said. “It doesn’t have to be identical.”
Petitioners “paint a picture of a highly restricted statutory scheme under which the commission’s hands are tied from responding to meaningful changes in the privacy landscape,” Sorenson said. The FCC, like other agencies, “when it's granted regulatory power over an industry will often proceed incrementally in enacting different kinds of rules as it responds to problems.”
Mathis, who was mostly quiet during Martinez’s argument, asked Sorenson whether the FCC’s standing was stronger under Section 201(b) or Section 222 of the act.
The commission relied on both and “they’re both strong bases for this rule,” Sorenson said. Section “201(b) is a broader provision, older -- 222 is more directed to privacy,” Sorenson said. He noted that the FCC has never said its oversight is restricted to oversight of customer proprietary network information and not PPI.