Sen. Ted Cruz (R-Texas) at a Senate Judiciary Committee hearing on Thursday, November 30, 2023.
Getty Images | Bill Clark

Ted Cruz wants to stop the FCC from updating data-breach notification rules

FCC accused of violating congressional resolution that nullified privacy rules.

Ars Technica

Sen. Ted Cruz (R-Texas) and other Republican senators are fighting a Federal Communications Commission plan to impose new data-breach notification requirements on telecom providers. In a letter sent to FCC Chairwoman Jessica Rosenworcel today, the senators claim the pending FCC action would violate a congressional order.

The letter was sent by Cruz, Senate Minority Leader Mitch McConnell (R-Ky.), Sen. John Thune (R-S.D.), and Sen. Marsha Blackburn (R-Tenn.). They say the proposed data-breach notification rules are preempted by an action Congress took in 2017 to kill an assortment of privacy and security rules issued by the FCC.

The Congressional Review Act (CRA) was used in 2017 by Congress and then-President Donald Trump to throw out rules that would have required home Internet and mobile broadband providers to get consumers' opt-in consent before using, sharing, or selling Web browsing history, app usage history, and other private information.

The invalidated FCC rules also included data-breach notification requirements that are similar to those the current FCC now plans to impose. The FCC already enforces data-breach notification requirements, but the pending proposal would expand the scope of those rules.

Rosenworcel's data-breach proposal is scheduled for a vote at tomorrow's commission meeting, and it may ultimately be up to the courts to decide whether it violates the 2017 congressional resolution. The Republican senators urged the FCC to rescind the draft plan and remove it from the meeting agenda.

Cruz also protested a recent FCC vote to enforce rules that prohibit discrimination in access to broadband services, calling it "government-mandated affirmative action and race-based pricing."

Republicans: FCC plan “clearly unlawful”

When an agency-issued rule is nullified by a Congressional Review Act resolution, that rule "may not be reissued in substantially the same form" without authorization from Congress. The key legal question seems to be whether the FCC can re-implement one portion of the nullified rules as long as it doesn't bring back the entire privacy order.

Cruz and fellow Republicans say that Rosenworcel's plan would "resurrect a portion of the 2016 Broadband Privacy Order pertaining to data security."

"This is clearly unlawful: the FCC's proposed rules in the Report and Order are clearly 'substantially similar' to the nullified 2016 rules," they wrote. "Specifically, the requirements in the Report and Order governing notification to the FCC, law enforcement, and consumers, as well as the recordkeeping requirements with respect to breaches and notifications, are substantially similar to the notification and recordkeeping requirements disapproved by Congress."

The FCC proposal anticipates this argument but says the agency believes it can re-implement part of the Obama-era privacy order:

We conclude that it would be erroneous to construe the resolution of disapproval as applying to anything other than all of the rule revisions, as a whole, adopted as part of the 2016 Privacy Order. That resolution had the effect of nullifying each and every provision of the 2016 Privacy Order—each part being, under the APA [Administrative Procedure Act], "a rule"—but not "the rule" specified in the resolution of disapproval. By its terms, the CRA does not prohibit the adoption of a rule that is merely substantially similar to a limited portion of the disapproved rule or one that is the same as individual pieces of the disapproved rule.

Thus, according to the FCC proposal, the resolution "does not prohibit the Commission from revising its breach notification rules in ways that are similar to, or even the same as, some of the revisions that were adopted in the 2016 Privacy Order, unless the revisions adopted are the same, in substance, as the 2016 Privacy Order as a whole."

Debate over “the whole or a part”

Republican senators are not buying the FCC argument.

"The FCC nevertheless claims it may do this because it is adopting only part of the 2016 Broadband Privacy Order," they wrote. "This interpretation would eviscerate the CRA: An agency cannot enact substantially similar rules struck down by Congress by doing so in a piecemeal manner. Moreover, the CRA expressly prohibits such approach in giving Congress the authority to nullify any 'rule,' which the CRA defines as 'the whole or a part of an agency statement of general or particular applicability and future effect designed to implement, interpret, or prescribe law or policy.'"

The FCC proposal acknowledges the "whole or a part" definition but says that whether a specific Congressional Review Act resolution refers to the "whole" or "a part" depends on the context. The 2017 congressional "resolution referred to the entirety of the 2016 Privacy Order. Therefore, we conclude that the 'rule' to which the reissuance bar applies is the entire 2016 Privacy Order with all of the rule revisions adopted therein," the FCC draft plan argues.

The FCC proposal also says the congressional debate over the 2017 resolution focused on the broadband-privacy portions and that "floor debate supporting the resolution of disapproval in 2017 did not mention the breach notification provision."

Chair: Current rules are outdated

The proposed rule changes would extend the breach rules, which already cover telecommunications carriers, to interconnected Voice over Internet Protocol services and telecommunications relay services (TRS). The breach notification rules would be expanded "to cover all personally identifiable information that carriers and TRS providers hold with respect to their customers," and "breach" would be redefined "to include inadvertent access, use, or disclosure of customer information," the draft plan says.

In a statement provided to Ars today, Rosenworcel's office said the FCC "has followed a careful process to identify areas in data privacy that are in urgent need of updating." The updated breach-notification rule would include personally identifiable information including Social Security numbers, and cover "both intentional and inadvertent disclosure of customer data," the chairwoman's office said.

The proposal would also remove a mandatory waiting period that currently prevents carriers from notifying customers of a breach until seven business days after notifying the government. With the waiting period eliminated, providers will be able to "notify customers of breaches of covered data without unreasonable delay after notification to the Commission and law enforcement agencies, and in no case more than 30 days after reasonable determination of a breach, unless a delay is requested by law enforcement," the proposal said.

"These common-sense updates reflect how our phones have evolved in the last sixteen years to collect more and more information about who we are and where we go and will hold carriers accountable to keep this information safe and secure," the statement from Rosenworcel's office said.