How the FCC Plans to Give Itself Control Over Data
By Ethan Yang and Andy Jung
Critics have long accused the administrative state of subverting democracy by creating rules and regulations without the explicit consent of Congress—often in favor of the party controlling the White House. Congress, however, is not totally helpless. The Congressional Review Act (CRA) allows Congress to overrule regulations with a majority vote from both the House and Senate under certain conditions and after clearing certain additional hurdles beyond the normal legislative process.
Once a CRA Joint Resolution is passed, the targeted agency is barred from issuing the same or similar rules. Earlier this year, the Federal Communications Commission (FCC) ignored a 2017 CRA resolution declaring that the agency’s 2016 Broadband Privacy Order “shall have no force or effect.” The Joint Resolution was an explicit directive from elected officials to the agency: abandon the 2016 Broadband Privacy Order and any substantially similar rules. Today, however, the FCC is arguing for a drastically narrower definition of “substantially similar rules.” This argument would, if accepted by the courts, effectively gut the CRA.
Despite clear instructions from Congress, the FCC introduced a data breach rule in February 2024 that is functionally identical to a provision in the rejected Order. Now, the FCC is in the midst of litigation now at the U.S. Court of Appeals for the Sixth Circuit. In the appeal, the FCC argues that, rather than being prohibited from issuing substantially similar rules, the CRA prevents the agency only from issuing the entire 2016 Broadband Privacy Order as a whole. This tortured reading of the CRA is absurd on its face: It would allow the FCC to reissue each provision of the 2016 Privacy Order individually.
A Clear Rebuke by Congress
In 2016, on a 3-2 partisan vote, the FCC issued a rule containing dozens of provisions covering a myriad of privacy concerns in the telecom industry. One of the provisions in the rule required companies to quickly report to the government and data breach victims about breaches containing “personally identifiable information” (PII) and “customer proprietary network information” (CPNI), such as phone numbers and call locations. Although the FCC traditionally has the authority to regulate CPNI, Congress took issue with the agency trying to expand its authority into PII, which captures a much broader set of user information. Congress used the CRA to rescind the provision, along with the entirety of the 2016 Broadband Privacy Order. Such a repeal has only happened twenty times since Congress enacted the CRA 1996.
However, despite this clear directive from Congress, the FCC issued a substantially similar data breach rule in February 2024. The rule is functionally identical to the 2016 provision. The decision to do so, much as in 2016, was subject to fierce debate. Commissioner Brendan Carr dissented:
the Commission makes no real attempt to explain how the data breach rule we adopt today is not the same or substantially similar to the one nullified by the House, the Senate, and the President in the 2017 CRA. This plainly violates the law.
Four senators condemned the rule as an unlawful reissuance of the 2016 regulation, including Senator Ted Cruz (R-TX), Ranking Member of the Senate Commerce Committee, which oversees the FCC. In a letter to FCC Chair Jessica Rosenworcel, the senators wrote,
The FCC’s proposed rules in the Report and Order are clearly ‘substantially similar’ to the nullified 2016 rules. Specifically, the requirements in the Report and Order governing notification to the FCC, law enforcement, and consumers, as well as the recordkeeping requirements with respect to breaches and notifications, are substantially similar to the notification and recordkeeping requirements disapproved by Congress.
In response to the clear disapproval of both Congress, the agency defended its decision by applying what dissenting Commissioner Nathan Simington described as a “wooden” reading of the CRA. The majority argued that the CRA does not apply when the “regulation is similar to, or even the same as, some of the revisions that were adopted in the 2016 Privacy Order — unless the revisions adopted are the same, in substance, as the 2016 Privacy Order as a whole.”
If courts uphold this reasoning, the CRA would become meaningless, as agencies could reissue rejected rules merely by separating the individual provisions. Congress would then have to rebuke regulations line by line to prevent the agency from doing so. If Congress had to be this specific, not only would its task be excessively tedious, it would be easy for agencies to circumvent the will of Congress by exploiting legal technicalities through clever lawyering.
Rendering the CRA a Nullity
The FCC’s interpretation of a “substantially similar” rule under the CRA is one that is effectively identical in its purpose, scope, and function. Under the FCC’s logic, Congress would have to name and condemn all 57 rules in the 2016 Privacy Order individually in a CRA or subsequent ones if it failed to do so if it wanted to stop the FCC from expanding its regulatory authority. Under this interpretation, agencies would be able to intrude into commercial and private life, even when expressly commanded otherwise, on hair splitting technicalities and abstract interpretations. In his dissent, Commissioner Simington called out the agency’s disingenuous behavior:
Readopting the 2016 Privacy Order in piecemeal is exactly what the Commission is doing… two months ago, this Commission began the process of reclassifying broadband as a Title II service, which when complete, will subject broadband providers to these new rules as well, just as the 2016 order did. Last month, we adopted data security, customer authentication, employee training, and other requirements that mirror provisions of the 2016 order. And I have no doubt that this Commission will, if given the chance, adopt even more aspects of the 2016 order.
What the FCC is doing is exactly the opposite of what agencies ought to do when Congress tells them to discontinue a regulation. Worse, the FCC is doing so even after receiving an official and legally binding rebuke from the legislature. Allowing the agency to unilaterally grant itself authority over PII will burden businesses and the general public with a swath of regulations made at the FCC’s discretion.
However good the FCC’s intentions are, its legal theory is unsustainable. The Commission is clearly flouting the will of Congress, and courts will take notice. We also know the CRA is on the Commission’s minds because the new rules have been timed to ensure that Republicans can’t use it to block the privacy order even if they sweep the White House, House, and Senate in November. Such deliberate maneuvering by the FCC shows that the Commission is bent on expanding its power even to the detriment to the rule of law and the popular will.
Andy Jung serves as Associate Counsel at TechFreedom. Ethan Yang is a legal intern at TechFreedom.