1118 December 12, 2023 The Honorable Jessica Rosenworcel Chairwoman Federal Communications Commission 45 L Street, N.E. Washington, DC 20554 Dear Chairwoman Rosenworcel: We write to express our concern that the Federal Communications Commission (FCC) intends to adopt a Report and Order in the Data Breach Reporting Requirements1 proceeding that includes rules that would violate the Congressional Review Act (CRA).2 These rules are substantially the same as those Congress disapproved of in the Protecting the Privacy of Customers of Broadband and Other Telecommunications Services proceeding (2016 Privacy Order) in 2017.3 Therefore, it would be unlawful for the FCC to adopt these new rules. Congress enacted the CRA as part of its Article I authority to exercise oversight of federal agencies. Specifically, the CRA provides Congress with the power to disapprove agency rules. If Congress exercises its authority and passes a Resolution of Disapproval vitiating a rule, that rule “does not take effect,” and that rule “may not be reissued in substantially the same form, and a new rule that is substantially the same as such a rule may not be issued.”4 In many ways, the proposed Data Breach Reporting Requirements rules are substantially the same as the rules in the 2016 Privacy Order. For example, requirements for notification, content of customer notification, and recordkeeping largely mirror each other. Given these similarities, we are shocked that the FCC is attempting to revive these rules after Congress explicitly rejected them. The FCC’s justification for circumventing the CRA is absurd. The FCC claims that the 2017 Resolution of Disapproval “had the effect of nullifying each and every provision of the 2016 Privacy Order,” but that it nevertheless does not limit the FCC’s ability to adopt a rule that is “merely substantially similar to [or the same as] a limited portion of the disapproved rule.” 1 Data Breach Reporting Requirements, WC Docket No. 22-21, Draft FCC Fact Sheet and Report and Order, FCCCIRC2312-06 (rel. Nov. 22, 2023). 2 5 U.S.C. § 801. 3 Pub. L. 115-22. 4 5 U.S.C. § 801(b)(2). This unlawful interpretation has no basis in the law and would violate the CRA and the APA’s prohibition against arbitrary and capricious actions. To assert that an agency can ignore the CRA by re-adopting requirements nullified by Congress simply by doing so in a piecemeal fashion strains credulity. Under this interpretation, the FCC could readopt the entire 2016 Privacy Order so long as it does not try to do so all at once. That completely undermines the purpose of the CRA. Moreover, Congress is working to address data privacy and security. Last year, the House Committee on Energy and Commerce approved the bipartisan American Data Privacy and Protection Act with a 53-2 vote.5 This legislation forecloses the FCC’s authority over this issue in favor of the Federal Trade Commission. As a result, voting on this Report and Order would conflict with Congressional action and waste FCC time and resources. When Congress overrules an agency, that action is final; no agency has the power to ignore the plain meaning of a Congressional statute. Here, Congress has already spoken: rules like those in the 2016 Privacy Order are not to be adopted. Therefore, we urge you not to move forward with the Data Breach Reporting Requirements Report and Order. Thank you for your attention to this important matter. Sincerely, ____________________ ____________________ Kat Cammack Neal P. Dunn, M.D. Member of Congress Member of Congress ____________________ ____________________ Gus M. Bilirakis H. Morgan Griffith Member of Congress Member of Congress ____________________ ____________________ Randy Weber Larry Bucshon, M.D. Member of Congress Member of Congress 5 American Data Privacy and Protection Act. H.R.8152, 117th Cong. (2022); see also H.R. Rep. No. 117-669 (2022), https://www.congress.gov/117/crpt/hrpt669/CRPT-117hrpt669.pdf. ____________________ ____________________ Richard Hudson Jeff Duncan Member of Congress Member of Congress ____________________ ____________________ Rick W. Allen Greg Pence Member of Congress Member of Congress