Does the Congressional Review Act Bar the FCC's Data Breach Reporting Rule?
The Sixth Circuit wrestles with what it means for a regulation to be "substantially the same" as one disapproved by Congress.
Under the Congressional Review Act (CRA), Congress may pass a resolution of disapproval of an agency regulation, which has the effect of repealing the disapproved regulation and preventing the agency from re-promulgating another rule that is "substantially the same" as the one disapproved, unless and until expressly authorized by Congress. In effect, a resolution of disapproval not only repeals a rule, it also effectively repeals the agency's underlying statutory authority to issue such a rule.
Up until now, the scope of this bar on agency action has not been tested. Today, however, in Ohio Telecom Association v. Federal Communications Commission, the U.S. Court of Appeals for the Sixth Circuit split over whether the passage of a CRA resolution disapproving the FCC's 2016 privacy rule, which contained regulations concerning the reporting of data breaches, barred the FCC from adopting its 2024 Data Breach Reporting Rule.
According to Judge Stranch, joined by Judge Mathis, the 2024 rule was not "substantially the same" as the 2016 rule, because it only addressed one of the subjects contained in the 2016 rule. According to Judge Griffin, in dissent, the 2024 rule is so close to the relevant portions of the 2016 rule that it is barred. (Judge Griffin further argued that the FCC lacked the statutory authority to issue the 2024 rule.)
For myself, I believe Judge Griffin has the better of the argument, and is more consistent with a proper understanding of the CRA's text and operation. If Congress disapproves a rule that consists of A+B+C+D, the best reading of the CRA is that the agency cannot repromulgate A, B, C, D, or any combination thereof, without Congressional approval. According to Judge Stranch, however, an agency would remain free to promulgate each part of the disapproved rule seriatim, and that would be fine. An implication of her interpretation would also be that if Congress repeals rule A, an agency could repromulgate A so long as it folds it into another rule. Such an interpretation of the CRA is neither compelled by the statute's text, nor is it consistent with the statute's structure and design.
Excerpts from the respective opinions follow.
From Judge Stranch's majority opinion:
The CRA, incorporating the APA, defines the term "rule" as "the whole or a part of an agency statement of general or particular applicability and future effect designed to implement, interpret, or prescribe law or policy." 5 U.S.C. §§ 551(4), 804(3). The definition makes clear that a rule can constitute either the "whole" or "a part" of an agency statement, depending on the applicable context. Section 801, in turn, provides that an agency may not issue "a new rule that is substantially the same" as "[a] rule that does not take effect (or does not continue)" because of the enactment of "a joint resolution of disapproval . . . of the rule." Id. § 801(b). Thus, for purposes of determining whether a new rule is substantially the same as a disapproved-of prior rule, the prior rule is to be construed based on the language chosen by Congress for the applicable disapproval resolution.
Using the CRA's mandatory fill-in-the-blank format, id. § 802(a), Congress passed a resolution stating: "Congress disapproves the rule submitted by the Federal Communications Commission relating to 'Protecting the Privacy of Customers of Broadband and Other Telecommunications Services' (81 Fed. Reg. 87274 (December 2, 2016)), and such rule shall have no force or effect." 131 Stat. at 88 (emphases added). By the resolution's terms, "the rule" that Congress rejected and rendered inoperable was the entire 2016 Order—Congress disapproved of the 2016 Order as a "whole." 5 U.S.C. § 551(4). Thus, the proper comparison is between the 2024 Order and the entire 2016 Order.
Petitioners argue that the phrase "rule that does not take effect (or does not continue)" refers not "to the rule specified in the joint resolution of disapproval," but rather, to any constituent part of the broader rule that has been nullified by the applicable disapproval resolution. Petitioners' Br. 48-51 (quotation omitted); see Dissenting Op. at 41 (agreeing with Petitioners' construction). That reading contravenes the text of the CRA. Section 801(b)(2)'s reference to "a rule that does not take effect (or does not continue)" refers back to § 801(b)(1), which provides that "[a] rule shall not take effect (or continue), if the Congress enacts a joint resolution of disapproval, described under section 802, of the rule." 5 U.S.C. § 801(b)(1) (emphasis added). The "rule that does not take effect (or does not continue)" is, by the Act's express terms, the rule identified in the disapproval resolution pursuant to the procedures delineated in § 802.
It is true that when Congress disapproved the 2016 Order, it nullified every constituent rule contained therein. That conclusion is plainly required by the CRA's mandate that "[a] rule shall not take effect (or continue), if the Congress enacts a joint resolution of disapproval . . . of the rule." Id. It is also true that the disapproval resolution limited the FCC's statutory authority going forward by proscribing it from promulgating a new rule "substantially the same" as the rejected rule. But to determine whether a new rule is "substantially the same" as a prior rule, the CRA makes clear that the prior rule should be construed as the rule identified in the disapproval resolution. If Congress intended to prohibit an agency from issuing a new rule that is substantially the same as any part of a prior rule nullified by a disapproval resolution, it could have said so. That is not the language it chose.
Petitioners prognosticate that this construction would make a disapproval resolution "easy to circumvent" by reissuance of "any of the individual parts of [a] disapproved rule." Petitioners' Br. 54; see Dissenting Op. at 41-42 (similarly arguing that our construction would allow agencies to "easily circumvent" congressional disapprovals). Such a prediction does not overcome the Act's plain text. Even if it were material to our disposition, it is unfounded. Congress can resolve this concern by passing resolutions with specific language. The CRA gives Congress ample opportunity to identify specific rules in its disapproval resolutions. See 5 U.S.C. § 802(a). As the FCC notes, moreover, Petitioners offer a far more anomalous construction of the CRA. Under their view of the Act, the FCC would be prohibited from promulgating an entire compendium of rules contained within the 2016 Order, or any other disapproved-of omnibus order. Such a prohibition could encompass the narrowest, most anodyne "agency statement[s] of general or particular applicability and future effect," including functional provisions such as definitions. Id. § 551(4). We cannot accept this atextual and anomalous construction of the CRA.
Accordingly, under the CRA's plain text, we must compare the 2024 Order to the entire 2016 Order and determine whether they are substantially the same. Id. § 801(b). The term "substantially" means "[f]ully, amply; to a great extent or degree; considerably, significantly, much." Substantially, Oxford English Dictionary (2012 ed. Oxford Univ. Press). The 2024 Order is far from "fully," "considerably," or "significantly" the same as the 2016 Order. The 2016 Order was far more expansive, imposing a broad array of privacy rules on broadband Internet access services. The data breach notification requirements were a mere subset of the broader compendium of privacy rules in that Order. The 2024 Order, by contrast, addresses only data breach reporting requirements. The two rules are not substantially the same.
Finally, even if we were to adopt Petitioners' construction and directly compare the 2016 reporting requirements with the 2024 reporting requirements, we still would conclude that the two rules are not substantially the same. There are notable differences between the two sets of reporting requirements. For example, unlike the 2016 Order, the 2024 Order extends its reporting requirements to TRS providers. Data Breach Reporting Requirements, 89 Fed. Reg. at 9981-89. There are also small but meaningful differences between the substantive obligations imposed by the two sets of requirements. As the FCC notes, the 2024 requirements are materially less prescriptive regarding the content and manner of customer notice. Granting leeway to effectively provide notice, the 2024 Order requires only "sufficient information so as to make a reasonable customer aware that a breach occurred on a certain date, or within a certain estimated timeframe, and that such a breach affected or may have affected that customer's data." Id. at 9980.
The 2016 Order requirements, in contrast, included written or electronic notification of a breach, a description of the data exposed and the date range of the breach, information the customer could use to contact the telecommunications carrier to inquire about the breach, and instructions for notifying federal authorities and law enforcement. Protecting Priv. of Customers of Broadband, 31 FCC Rcd. at 14085. The two Orders also define the term "breach" differently—only the 2024 Order includes an exception exempting "good-faith acquisition[s] of covered data by an employee or agent of a carrier where such information is not used improperly or further disclosed." Data Breach Reporting Requirements, 89 Fed. Reg. at 9971. Even under Petitioners' conception of the CRA, the regulations are not "substantially the same." See Safari Club Int'l v. Haaland, 31 F.4th 1157, 1170 (9th Cir. 2022) (rejecting the contention that two rules were substantially the same in part because the rules were not "substantively identical").
We therefore conclude that the FCC's issuance of the 2024 Order did not violate the CRA.
From Judge Griffin's dissent:
At issue is whether the 2017 disapproval forecloses the 2024 data-breach-reporting rule. All agree that, after the 2017 disapproval, Congress did not "specifically authorize[]" the 2024 rule by later-enacted legislation. 5 U.S.C. § 801(b)(2). Thus, the disapproval's effect depends on whether the 2024 rule is "substantially the same as" the earlier, disapproved one. Id.
Start with the many similarities between the 2016 and 2024 data-breach-reporting rules. A table from petitioners' brief (at 44) helps to visualize just how similar these rules are, particularly when compared to the predecessor 2007 rule concerning breach reporting for CPNI. [The table is on pages 38-39 of the dissent.]
In response, the majority points to minor, technical differences between the 2016 and 2024 data-breach-reporting rules, such as differences in what information must be included in breach notifications and how many customers must be affected to trigger reporting requirements. But such differences are inconsequential: The rules, adopting nearly identical regimes for reporting breaches of customer PII, are "substantially the same." 5 U.S.C. § 801(b)(2). To hold otherwise is to give administrative agencies an obvious way to circumvent the CRA—just make minor, technical changes to a previously disapproved rule.
Because the 2024 data-breach-reporting rule is "substantially the same" as the one Congress disapproved in 2017, the CRA blocks the new rule.
But the majority directs our attention elsewhere. It asserts that, instead of focusing on the similarities between the specific breach-reporting rules, we should instead compare the entirety of the FCC's 2016 and 2024 orders, which included the breach-reporting rules and many other discrete rules.
That argument brings us to the heart of the CRA issue: When evaluating whether the new rule is "substantially the same as" the earlier, disapproved one, id., do we focus on "the part" (the discrete breach-reporting rules) or "the whole" (the orders that included the breach-reporting rules, as well as many others)? To put the question another way: At what level of generality do we evaluate whether "the rule" is being "reissued in substantially the same form"? Id.
As the majority notes, there is little precedent to guide our interpretation of the CRA. CRA disapprovals, by their nature, are enacted in historically rare circumstances—"when there has been a recent change in partisan control of the White House, the new President's party has majorities in both chambers of Congress, and there are rules from the previous administration for which the sixty-legislative-day clock has not yet run out." Jody Freeman & Matthew C. Stephenson, The Untapped Potential of the Congressional Review Act, 59 Harv. J. on Legis. 279, 286 (2022). For this reason, there have been only a handful of CRA disapprovals since its 1996 enactment, id. at 286–87 & nn.32–34, and no on-point cases to guide our decision.
Thus, this interpretative challenge begins with the text of the 2017 disapproval: "Congress disapproves the rule submitted by the Federal Communications Commission relating to 'Protecting the Privacy of Customers of Broadband and Other Telecommunications Services' (81 Fed. Reg. 87274) (December 2, 2016), and such rule shall have no force or effect." 131 Stat. at 88. By the resolution's plain terms, it cited to the entire 2016 order (i.e., the whole). So, at first blush, this text favors the majority's view.
But by disapproving the whole 2016 order, Congress disapproved of each of its constituent parts. After all, the CRA defines a "rule" as "[t]he whole or a part of an agency statement of general . . . applicability and future effect designed to implement, interpret, or prescribe law or policy." 5 U.S.C. § 551(4) (emphasis added); see id. § 804(3). Therefore, the effect of congressional disapproval of the rule is also disapproval of its parts. Although the majority asserts that Congress could have made line-by-line disapprovals of the specific rules it wished to reject, the CRA neither requires such specificity nor allows a line-item veto. There is no reason to subject congressional disapprovals of agency action to a clear-statement rule.
Quite to the contrary, our interpretation of the CRA ought to elevate the will of Congress over that of an administrative agency. It is our elected representatives, not unelected commissioners, whom the Constitution vests with legislative power. See Consumers' Rsch., 145 S. Ct. at 2496. True, Congress can "seek assistance" from agencies by making limited delegations of rulemaking authority, id. at 2496–97 (citation modified), but as the CRA makes clear, Congress can and does rein in that authority when it disagrees with what an agency has done. We should ensure that legislative power remains where the Constitution put it—with Congress. And thus we must "avoid rendering what Congress has plainly done"—here, disapproving rules—"devoid of reason and effect." Great-W. Life & Annuity Ins. Co. v. Knudson, 534 U.S. 204, 217–18 (2002).
The majority's exclusive focus on the entire order would allow administrative agencies to easily circumvent Congress's disapproval. For instance, if the FCC issued an order adopting four discrete rules (Rules A, B, C, and D) and Congress disapproved it, then, under the majority's logic, the FCC could skirt the disapproval by readopting Rules A and B in one order and Rules C and D in another. Neither of those new orders, under the majority's interpretation of the CRA, would be "substantially the same" as the one that Congress disapproved. That interpretation, rather than giving effect to congressional intent, merely encourages creative ways to flaunt it.
The majority responds that it would be an "anomalous construction of the CRA" if a disapproval prevented an agency from re-promulgating any "rule" in a disapproved order, which could include "the narrowest, most anodyne" of agency statements like "definitions." But that argument has several flaws. First, depending on the circumstances, it is far from clear that something like a definition qualifies as a "rule"—a "statement of general . . . applicability and future effect designed to implement, interpret, or prescribe law or policy." 5 U.S.C. § 551(4); see id. § 804(3). Second, the CRA includes an exception for inconsequential, procedural language or rules—it excepts any "rule of agency organization, procedure, or practice that does not substantially affect the rights or obligations of non-agency parties." Id. § 804(3)(C). Third, and most importantly, we ought not usurp legislative power from Congress and give it to an administrative agency on grounds of a purportedly "anomalous" reading of a statute. If Congress disapproved an order but later wants to restore the agency's authority to enact rules within that order, it is Congress's prerogative to confer that power through later-enacted legislation. See id. § 801(b)(2). There is nothing "anomalous" about such a reading—it correctly assumes that the legislative power, and the authority to delegate that legislative power, rests with Congress. See U.S. Const. art. I, § 1.
To hold that Congress's 2017 disapproval does not bar this rule is to render that disapproval meaningless and to shift legislative power from Congress to an administrative agency. Cf. Loper Bright, 603 U.S. at 411–13 (correcting Chevron's improper shift of judicial power to administrative agencies). I interpret the CRA and the 2017 disapproval in a way that preserves Congress's ability to give agencies only those powers it wishes to confer. Thus, in my view, Congress's disapproval of the FCC's 2016 rule bars the FCC's 2024 data-breach-reporting rule because the two rules are "substantially the same."