Federal Communications Commission FCC 14-173

DISSENTING STATEMENT OF COMMISSIONER AJIT PAI

Re: TerraCom, Inc. and YourTel America, Inc., Apparent Liability for Forfeiture, File No. EB-TCD-13-00009175

A core principle of the American legal system is due process. The government cannot sanction you for violating the law unless it has told you what the law is.[1] In the regulatory context, due process is protected, in part, through the fair warning rule. Specifically, the D.C. Circuit has stated that “[i]n the absence of notice—for example, where the regulation is not sufficiently clear to warn a party about what is expected of it—an agency may not deprive a party of property.”[2] Thus, an agency cannot at once invent and enforce a legal obligation. Yet this is precisely what has happened here.

In this case, there is no pre-existing legal obligation to protect personally identifiable information (also known as PII) or notify customers of a PII data breach to enforce. The Commission has never interpreted the Communications Act to impose an enforceable duty on carriers to “employ reasonable data security practices to protect” PII.[3] The Commission has never expounded a duty that carriers notify all consumers of a data breach of PII. The Commission has never adopted rules regarding the misappropriation, breach, or unlawful disclosure of PII.[4] The Commission never identifies in the entire Notice of Apparent Liability a single rule that has been violated.[5]

Nevertheless, the Commission asserts that these companies violated novel legal interpretations and never-adopted rules. And it seeks to impose a substantial financial penalty. In so doing, the Commission runs afoul of the fair warning rule. I cannot support such “sentence first, verdict afterward” decision-making.

To the extent that the circumstances giving rise to today’s item merited the Commission’s attention, there was a better (and lawful) path forward. We could have opened a notice-and-comment rulemaking.[6] This process would have given the public an opportunity to speak. And in turn, the agency would have had a chance to formulate clear, well-considered rules—rules we then could have enforced against anyone who violated them. Instead, the Commission proposes a forfeiture today that, if actually imposed, has little chance of surviving judicial review.

One more thing. The Commission asserts that the base forfeiture for these violations is nine billion dollars—that’s $9,000,000,000—which is by far the biggest in our history.[7] It strains credulity to think that Congress intended such massive potential liability for “telecommunications carriers” but not retailers or banks or insurance companies or tech companies or cable operators or any of the myriad other businesses that possess consumers’ PII. Nor can I understand how such liability can be squared with the Enforcement Bureau’s recent consent decrees with these companies. Under those consent decrees, the companies paid the Treasury $440,000 and $160,000 for flouting our actual rules and draining the Universal Service Fund by seeking Lifeline support multiple times for the same customer.

Consumer protection is a critical component of the agency’s charge to promote the public interest. But any enforcement action we take in that regard must comport with the law. For the reasons stated above, I dissent.

[1] Mullane v. Central Hanover Tr. Co., 336 U.S. 306, 313 (1950) (“Many controversies have raged about the cryptic and abstract words of the Due Process Clause but there can be no doubt that at a minimum they require that deprivation of life, liberty or property by adjudication be preceded by notice and opportunity for hearing appropriate to the nature of the case.”); Calder v. Bull, 3 U.S. 386, 390 (1798) (describing an ex post facto law as one that “that makes an action, done before the passing of the law, and which was innocent when done, criminal; and punishes such action”); see also Bouie v. City of Columbia, 378 U.S. 347, 350–54 (1964) (“There can be no doubt that a deprivation of the right of fair warning can result not only from vague statutory language but also from an unforeseeable and retroactive judicial expansion of narrow and precise statutory language.”).

[2] General Electric Co. v. U.S. Environmental Protection Agency, 53 F.3d 1324, 1328 (D.C. Cir. 1995); see also United States v. Chrysler, 158 F.3d 1350, 1354–55 (D.C. Cir. 1998) (discussing the “well-established rule in administrative law that the application of a rule may be successfully challenged if it does not give fair warning that the allegedly violative conduct was prohibited”); Satellite Broad. Co. v. FCC, 824 F.2d 1, 3 (D.C. Cir.1987) (“Traditional concepts of due process incorporated into administrative law preclude an agency from penalizing a private party for violating a rule without first providing adequate notice of the substance of the rule.”); Gates & Fox Co. v. OSHRC, 790 F.2d 154, 156 (D.C.Cir.1986) (“[T]he due process clause prevents . . . the application of a regulation that fails to give fair warning of the conduct it prohibits or requires.”).

[3] TerraCom Order at para. 2.

[4] The closest we’ve come was seven years ago when we adopted protections for another type of confidential information, customer proprietary network information (CPNI). Implementation of the Telecommunications Act of 1996: Telecommunications Carriers’ Use of Customer Proprietary Network Information and Other Customer Information, Report and Order and Further Notice of Proposed Rulemaking, 22 FCC Rcd 6927 (2007). Nobody thinks those rules extend to PII.

[5] None of this should be surprising given the lead role the Federal Trade Commission has taken in recent years regarding the misappropriation, breach, and unlawful disclosure of PII.

[6] 5 U.S.C. § 553.

[7] TerraCom Order at para. 52. Although the FCC decides in its grace that a lower figure is “sufficient” in these particular circumstances, id., it also notes that the figure could actually be billions more. Id. at note 111.