Federal Communications Commission FCC 23-111

DISSENTING STATEMENT OF COMMISSIONER BRENDAN CARR

Re: Data Breach Reporting Requirements, Report and Order, WC Docket No. 22-21.

In 2016, the FCC adopted a data breach notification rule in a partisan, 3-2 decision. In 2017, the House, the Senate, and the President all came together and nullified that rule by passing a joint resolution of disapproval under the Congressional Review Act (CRA). It was a rare rebuke of an agency rule. Indeed, in the 27 years since Congress enacted the CRA, the law has only been used 20 times. It is strong medicine, too. When a President signs a CRA into a law, it not only prohibits an agency from readopting the relevant rule, it also prohibits the agency from enacting a substantially similar rule in the future without specific legislative authorization from Congress. In other words, when an agency earns the distinction of having a rule nullified by the CRA, the Legislative Branch and Executive Branch are joining together to take back the agency’s rulemaking authority in the relevant area and, going forward, future regulation, if any, must come from Congress itself.

As a constitutional matter, administrative agencies have an obligation to abide by these decisions. Yet today, the Commission makes no real attempt to explain how the data breach rule we adopt today is not the same or substantially similar to the one nullified by the House, the Senate, and the President in the 2017 CRA. Through a set of late-round edits, the Order suggests that there are a couple of ways that this data breach rule may be different from the 2016 data breach rule. But the changes highlighted by the Order in this respect are not of the type or substance that would be necessary for this 2023 rule to fall outside the reach of the 2017 CRA. This plainly violates the law.

The FCC’s only real defense is one that reads the CRA out of the United States Code altogether.
The Order notes that the 2016 FCC decision adopted several rules—all of which were nullified by the 2017 CRA. But in the Order’s view, the CRA does not prohibit the FCC from putting any one of those rules (or even some combination of them) back in place here provided that the FCC does not put all of those 2016 rules back in place in this one decision. This creates an exception that swallows the CRA whole. Indeed, if the FCC’s theory were correct, then agencies could insulate any one of their rules from the CRA (no matter how strongly the House, the Senate, and the President felt about the rule) simply by packaging that one rule together with other rules in a single document. Then, under the FCC’s theory, the agency could always put that one rule back in place, provided it did not reenact those other rules that the agency packaged along with it.

This is a sweeping theory that far exceeds the limits that the Legislative Branch and the Executive Branch have placed on agency decision making. Indeed, in a letter to the FCC this week, leaders in the Senate warned that the Commission’s interpretation “would eviscerate the CRA”.

Letter from Sen. Ted Cruz, Ranking Member, Senate Committee on Commerce, Science, and Technology, et al., to Hon. Jessica Rosenworcel, Chair, FCC (Dec. 12, 2023) (stating the FCC “is defying clear and specific direction not to issue requirements that are substantially similar to parts of a rule disapproved by Congress.” on behalf of 4 U.S. Senators).

But the FCC’s decision today violates more than the CRA. It also violates the APA. In the Notice of Proposed Rulemaking (NPRM) that launched this proceeding, the Commission expressly stated, in negotiated language, that the agency was not seeking comment on putting back in place or otherwise issuing a new rule that is the same as or substantially similar to the rule disapproved by Congress in 2017. Yet that is exactly what the FCC chooses to do with this data breach rule.
Thus, while some have argued that any FCC violation of the CRA is unreviewable by the courts, an FCC violation of the APA is always reviewable.

The Order’s problems only compound from there. Indeed, even if the CRA never passed, the FCC’s decision would exceed the Commission’s authority. For instance, instead of limiting the FCC’s rule to the set of customer proprietary network information (CPNI) over which the agency has jurisdiction, the Order purports to expand the agency’s CPNI framework to an expansive set of personally identifiable information (PII)—even though Congress never gave us authority to regulate PII in this manner and the Commission never sought comment on doing so.

In the end, the agency could have proceeded with a set of rules based on the NPRM that would have made progress on data breach issues while staying within the clear bounds Congress set on FCC action. However, I cannot support this expansive interpretation of the Commission’s authority—especially in light of the clear constraints that the House, the Senate, and the President imposed on the agency through the 2017 CRA. Accordingly, I dissent.