data breach

Sen. Ted Cruz (R-Texas) and other Republican senators are fighting a Federal Communications Commission plan to impose new data-breach notification requirements on telecom providers. In a letter sent to FCC Chairwoman Jessica Rosenworcel today, the senators claim the pending FCC action would violate a congressional order.

The letter was sent by Cruz, Sen. Minority Leader Mitch McConnell (R-Ky.), Sen. John Thune (R-S.D.), and Sen. Marsha Blackburn (R-Tenn.). They say the proposed data-breach notification rules are preempted by an action Congress took in 2017 to kill an assortment of privacy and security rules issued by the FCC.

The Congressional Review Act (CRA) was used in 2017 by Congress and then-President Donald Trump to throw out rules that would have required home Internet and mobile broadband providers to get consumers’ opt-in consent before using, sharing, or selling Web browsing history, app usage history, and other private information.

The invalidated FCC rules also included data-breach notification requirements that are similar to those the current FCC now plans to impose. The FCC already enforces data-breach notification requirements, but the pending proposal would expand the scope of those rules.

Rosenworcel’s data-breach proposal is scheduled for a vote at tomorrow’s commission meeting, and it may ultimately be up to the courts to decide whether it violates the 2017 congressional resolution. The Republican senators urged the FCC to rescind the draft plan and remove it from the meeting agenda.

Cruz also protested a recent FCC vote to enforce rules that prohibit discrimination in access to broadband services, calling it “government-mandated affirmative action and race-based pricing.”

Republicans: FCC plan “clearly unlawful”

When an agency-issued rule is nullified by a Congressional Review Act resolution, that rule “may not be reissued in substantially the same form” without authorization from Congress. The key legal question seems to be whether the FCC can re-implement one portion of the nullified rules as long as it doesn’t bring back the entire privacy order.

Cruz and fellow Republicans say that Rosenworcel’s plan would “resurrect a portion of the 2016 Broadband Privacy Order pertaining to data security.”

“This is clearly unlawful: the FCC’s proposed rules in the Report and Order are clearly ‘substantially similar’ to the nullified 2016 rules,” they wrote. “Specifically, the requirements in the Report and Order governing notification to the FCC, law enforcement, and consumers, as well as the recordkeeping requirements with respect to breaches and notifications, are substantially similar to the notification and recordkeeping requirements disapproved by Congress.”

The FCC proposal anticipates this argument but says the agency believes it can re-implement part of the Obama-era privacy order:

We conclude that it would be erroneous to construe the resolution of disapproval as applying to anything other than all of the rule revisions, as a whole, adopted as part of the 2016 Privacy Order. That resolution had the effect of nullifying each and every provision of the 2016 Privacy Order—each part being, under the APA [Administrative Procedure Act], “a rule”—but not “the rule” specified in the resolution of disapproval. By its terms, the CRA does not prohibit the adoption of a rule that is merely substantially similar to a limited portion of the disapproved rule or one that is the same as individual pieces of the disapproved rule.

Thus, according to the FCC proposal, the resolution “does not prohibit the Commission from revising its breach notification rules in ways that are similar to, or even the same as, some of the revisions that were adopted in the 2016 Privacy Order, unless the revisions adopted are the same, in substance, as the 2016 Privacy Order as a whole.”