TechFreedom: FCC’s Data Breach Rule Is ‘Defiance’ of Congress
The FCC’s updated data breach notification rule “encapsulates the wrong way for the administrative state to approach rulemaking,” TechFreedom’s 6th U.S. Circuit Appeals Court amicus brief said Thursday in support of the five petitioners seeking to invalidate the rule as contrary to law (see 2402210026).
After Congress “explicitly told” the FCC not to issue a data breach notification rule, it “has done exactly that,” the brief said. The 6th Circuit should send a “clear message” that agencies are creatures of Congress and “must listen closely to the people’s representatives,” it added. The petitioners are the Ohio Telecom Association (docket 24-3133), the Texas Association of Business (docket 24-3206); and CTIA, NCTA and USTelecom (docket 24-3252).
Congress used the 2017 Congressional Review Act (CRA) to prohibit the FCC from reissuing its broadband privacy order, including the 2016 data breach notification rule, “or any rule that is substantially the same,” TechFreedom’s brief said. Despite that, the FCC published its updated data breach notification earlier this year, it said. This “purportedly” new rule “is substantially the same -- indeed, functionally identical” -- to the 2016 data breach notification rule, it said.
This “defiance” of Congress “conflicts sharply with the subsidiary status of administrative agencies,” it said.
Congress passed the 1980 FTC Improvements Act, prohibiting the FTC from promulgating rules “substantially similar” to the agency’s proposed rule banning television ads directed at children, and the FTC “obeyed,” said the brief. The FTC’s “restrained regulatory approach” to children’s advertising post-1980 “reflects the appropriate agency response to Congress prohibiting substantially similar rules,” it said.
In contrast, the FCC “takes the complete opposite approach,” the brief said. The CRA's plain meaning, “bolstered by the subsidiary status of administrative agencies in our democracy,” forbids the FCC’s issuance of the updated data breach notification rule, it said. The updated rule, for all intents and purposes, is “a maskless reissuance” of the 2016 rule that Congress rejected, it said.