Federal Communications Commission (FCC) data breach reporting requirements under § 222 of the Telecommunications Act (47 USC § 222); “Customer proprietary network information” & “personally identifiable information” (PII); Whether the FCC’s 2024 Order exceeded its statutory authority; § 201(b); “Practice”; Global Crossing Telecomms, Inc v Metrophones Telecomms, Inc; Whether the FCC had the authority under §§ 225(a)(3) & (d)(1)(A) to impose the reporting requirements on “telecommunications relay services” (TRS) providers; Whether the 2024 Order violated the Congressional Review Act (CRA)
The court denied consolidated petitions for review, holding that the FCC had the authority to issue its 2024 Order “imposing reporting requirements on telecommunications carriers in the event of data breaches involving customers’ personally identifiable information.” Petitioners argued the 2024 Order exceeded the FCC’s statutory authority and violated the CRA where it was substantially the same as a 2016 Order that Congress had rejected. The court reviewed the statutes on which the FCC based its authority. It first concluded “that the FCC does not have the authority under § 222(a) to impose data breach reporting requirements regarding customer PII.” However, it held, “based on the statutory text, context, and structure, that § 201(b) gives the FCC the authority to impose reporting requirements in the event of a data breach of customer PII.” It rejected petitioners’ argument that the FCC’s historical interpretation and implementation of § 201(b) undermined this conclusion. It noted that it had “been over a decade since the FCC invoked § 201(b) as part of its statutory authority to protect customer data. That invocation is properly supported by the statute’s plain text, context, and structure.” The court also held that § 225 gave the FCC authority to apply the 2024 data breach reporting requirements to TRS providers. Given that it “determined that the FCC has the statutory authority to impose the 2024 data breach reporting rule on telecommunications carriers . . . . [§] 225’s functional equivalency requirement, in turn, gives the Commission authority to extend the same data privacy protections to the TRS context.” As to petitioners’ CRA argument, the court noted that “under the CRA’s plain text, we must compare the 2024 Order to the entire 2016 Order and determine whether they are substantially the same.” It found that the 2024 Order was “far from ‘fully,’ ‘considerably,’ or ‘significantly’ the same as the 2016 Order. The 2016 Order was far more expansive, imposing a broad array of privacy rules on broadband Internet access services. The data breach notification requirements were a mere subset of the broader compendium of privacy rules in that Order. The 2024 Order, by contrast, addresses only data breach reporting requirements. The two rules are not substantially the same.”