• by Wendy Davis , Staff Writer @wendyndavis, May 30, 2024

Last year, a divided Federal Communications Commission voted 3-2 to impose new disclosure obligations on telecommunications companies that suffer data breaches.

The agency specifically required telecoms to notify consumers, federal law enforcement agencies and the agency about all breaches -- even “inadvertent” ones -- that expose personally identifiable information, including sensitive financial information.

Broadband industry groups are now asking a federal appeals court to scuttle those rules. The groups argue in papers filed last week that Congress stripped the FCC of authority to issue the new regulations.

“Administrative agencies have only the powers that Congress gives them," NCTA--The Internet & Television Association, US Telecom--the Broadband Association and other industry groups argued in an appeal filed with the 6th Circuit Court of Appeals. 

"They certainly lack any powers that Congress has expressly denied them,” the groups added.

The industry organizations point to Congress's 2017 decision to revoke privacy rules passed by the FCC during the Obama administration. Those rules -- which never actually took effect -- would have required broadband carriers to obtain consumers' permission before harnessing information about their web activity for ad targeting.

The Obama-era privacy rules also required providers to notify customers and law enforcement agencies about some data breaches that exposed personally identifiable information.

Congress repealed the regulations under the Congressional Review Act -- a 1990s statute that gives federal lawmakers the power to revoke regulations passed by agencies.

That statute also provides that an agency can never again issue regulations that are “substantially” similar to ones revoked by Congress.

Congress has only rarely used the Congressional Review Act, and it's not clear how courts will determine when new rules are “substantially” the same as revoked ones.

The broadband groups argue that the new data-breach rules and the ones passed in 2016 are substantially the same because both sets of regulations deal with breaches that could expose “personally identifiable information.”

In the past, the FCC's rules regarding data breaches covered only exposure of a narrow category of data -- “customer proprietary network information,” meaning the phone numbers that subscribers called.

The FCC hasn't yet filed its argument with the 6th Circuit.

This current dispute, while over a relatively narrow consumer protection measure, could offer a preview of what could be a much larger battle over broadband privacy.

The FCC recently indicated it's gearing up to issue rules that could restrict providers' ability to harness subscriber data.

Last month, the agency said in its ruling restoring the Obama-era net neutrality rules that broadband providers are “situated to collect vast swaths of sensitive information about their customers, including personal information, financial information, precise location information, and information regarding their online activity.” (The net-neutrality rules prohibit providers from blocking or throttling traffic, and from charging higher fees for prioritized delivery.)

The agency added that it was “concerned” that without new rules, internet service providers “have minimal incentive to adopt adequate administrative, technical, physical, and procedural safeguards to protect their customers’ data from improper or excessive uses by providers themselves, or from further disclosure and misuse by third parties.”

Should the FCC pass new privacy rules, the broadband industry will almost certainly make the same arguments against them that it is raising against the data-breach disclosure regulations.

The FCC hasn't yet floated specific regulations, but Chair Jessica Rosenworcel previously voted in favor of the Obama-era privacy restrictions.

She also has repeatedly suggested that carriers shouldn't allowed to sell customers' geolocation data, and recently voted to fine AT&T, Verizon and T-Mobile nearly $200 million for allegedly selling access to location data.