Industry Examining Its Options After Loss in 6th Circuit Data Case

Carr said at the time the order didn’t attempt to explain how data breach rules aren't more or less the same as those nullified as part of the ISP privacy rules overturned in a 2017 Congressional Review Act (CRA) resolution of disapproval (see 1704030054).

The Ohio Telecom Association, USTelecom, NCTA and CTIA were among the industry groups that challenged the rules. “We are reviewing the 6th Circuit panel’s decision and considering our next steps,” a USTelecom spokesperson said in an email.

“Carr can ease the rules without further litigation, so this might affect the industry's thinking,” Andrew Schwartzman, senior counselor at the Benton Institute for Broadband & Society, told us on Thursday. The most important issue tackled by the court was a holding that the 2024 order doesn’t violate the CRA, he said. “This is an important question as to which there has not been any judicial case law,” he said.

Schwartzman said the decision also helps clarify another matter where there has been some uncertainty. No court has held that the 60-day period for seeking judicial review is triggered by the release date rather than the date of Federal Register publication, he said. When publication is slow, "as sometimes happens, lawyers worry about this and have sometimes filed protectively prior to … publication,” Schwartzman said. The 6th Circuit joins the D.C. and the 3rd circuits “in following the FCC's rule specifying that the trigger date” is Federal Register publication.

Public Knowledge filed a brief supporting the rules “so it’s good to see them upheld,” said PK Legal Director John Bergmayer. What industry or the FCC will do next is unclear, he said. “Carr is in a different situation now where he needs an FCC with authority” to act on the items he wants to address, Bergmayer said.

Chris Frascella, counsel to the Electronic Privacy Information Center, said that, had the court vacated the rule, “it might have created a gap in consumer protections,” which are “especially relevant” given the growing number of data breaches and the role of notification “in mitigating the downstream harms.” In other cases, the FCC has filed for stays “even after oral argument to pull back a rule to rework it internally, and the agency did not do that here,” Frascella said in an email.

Carr’s dissent “is particularly relevant now,” emailed Kristian Stout, innovation policy director for the International Center for Law & Economics. One of the key arguments the court heard about how the FCC got around the CRA “is precisely what Carr flagged,” Stout said. Given the dissent and the court’s narrow interpretation of the CRA’s “substantially the same” standard, “there may be a strategic opening to request en banc review or appeal, leveraging Carr’s original concerns about the CRA and statutory overreach,” Stout said.

December Argument

The 6th Circuit heard the case in December, before the start of the second Trump administration. Judges seemed skeptical of industry arguments that the FCC didn’t have the authority to act or that the order violated the CRA (see 2412120056). It’s widely viewed as a middle-of-the-road circuit, with less of a strict conservative bent than some others.

Bill Clinton appointee Jane Stranch wrote the decision. The case's two other panelists were Andre Mathis, appointed by Joe Biden, and Richard Griffin, appointed by George W. Bush. Frascella noted that the 6th Circuit is also the court that overruled the FCC’s latest net neutrality rules (see 2501020047).

The decision notes that neither the 6th Circuit nor the U.S. Supreme Court “has meaningfully examined the CRA, which has been infrequently utilized during its thirty-year existence.” It’s true “that when Congress disapproved the 2016 Order, it nullified every constituent rule contained therein,” Stanch wrote. To determine whether a new rule is “substantially the same” as a prior one, the CRA makes clear that the prior rule should be construed as the rule identified in the disapproval.

“If Congress intended to prohibit an agency from issuing a new rule that is substantially the same as any part of a prior rule nullified by a disapproval resolution," she said, "it could have said so. That is not the language it chose.”

Stanch also noted substantial differences between the 2016 and 2024 orders. The 2016 order “was far more expansive, imposing a broad array of privacy rules on broadband Internet access services,” she wrote. “The data breach notification requirements were a mere subset of the broader compendium of privacy rules in that Order. The 2024 Order, by contrast, addresses only data breach reporting requirements. The two rules are not substantially the same.”

The 2024 order also addresses other issues, extending the requirement to telecom relay services providers, Stanch wrote. “The two Orders also define the term ‘breach’ differently -- only the 2024 Order includes an exception exempting ‘good-faith acquisition[s] of covered data by an employee or agent of a carrier where such information is not used improperly or further disclosed.’”

In upholding the order, Stanch also discussed the FCC’s broad authority under Section 201(b) of the Communications Act. “As part of its prerogative to regulate unjust or unreasonable practices, the FCC has long applied § 201(b) to a diverse set of problems, from deceptive marketing to exclusive contracts with commercial building owners,” the judge wrote. Although the FCC didn’t invoke Section 201(b) “as a source of authority to regulate aspects of customer data privacy until 2014… it has never disclaimed this authority.”

Stanch also said that “contrary to Petitioners’ assertions, this is not a situation in which an agency has ‘claim[ed] to discover in a long-extant statute an unheralded power to regulate ‘a significant portion of the American economy.’”