Net Neutrality Ruling Foreshadows an FCC Defeat on Privacy Rule

The Sixth Circuit decision to strike down the Federal Communications Commission’s net neutrality rules creates a potential roadmap for another challenge in the same court targeting the agency’s data breach reporting rule.

A three-judge panel Jan. 2 shot down the FCC’s rules preventing broadband providers from unfairly throttling internet speeds.

The US Court of Appeals for the Sixth Circuit cited the US Supreme Court’s decision in Loper Bright Enters. v. Raimondo, which threw out a decades-old doctrine under which judges deferred to agencies’ reasonable interpretations of ambiguous statutes. The Sixth Circuit concluded the agency lacked authority to classify broadband internet service as a telecommunications service subject to more stringent regulations, rather than an information service.

The ruling demonstrates the court’s willingness to lean into its new powers of interpretation and may preface a potentially similar strike against the agency’s data breach rules.

Former Republican FCC Commissioner Robert M. McDowell characterized both rules as improper expansions of the FCC’s powers under the Communications Act.

“What the FCC tried to do in net neutrality was to look at older pieces of the statute to then justify a new outcome that had never been attempted before—and the same is true with data breach and privacy protection,” McDowell, who chairs Cooley LLP’s global communications practice group, said. “That’s the sort of expansion that the courts are going to question at a minimum and overturn at a maximum.”

Challenges against the breach reporting rule—also citing Loper Bright—have been consolidated at the Sixth Circuit in a case brought by the same trade group that led the net neutrality suit: Ohio Telecom Ass’n v. FCC.

The FCC didn’t immediately respond to requests for comment.

Loper Bright

The invocation of Loper Bright to strike down net neutrality previews the scrutiny the data breach rule will face. The appeals court rejected the FCC’s interpretation of the Communications Act’s text, finding it was “inconsistent” with the judges’ reading of the statute.

“It’s probably not good news for the FCC, the way the Sixth Circuit deals with Loper Bright,” said Michael T. Borgia, partner at Davis Wright Tremaine LLP representing telecom and technology companies.

The FCC’s December 2023 final rule requires companies to notify the FCC of incidents involving the exposure of more than 500 individuals’ information “as soon as practicable,” with customer notification depending on the risk of harm. It also expanded coverage to “inadvertent” breaches and broadened the definition of “data” covered to include all personally identifying information.

The FCC’s expansion of its privacy jurisdiction leaned heavily into Section 222—which establishes requirements to protect customer proprietary network information—for both growing data breach notification requirements and hefty enforcement actions in recent years. It also relied on Section 201(b), which requires carriers’ practices to be “just and reasonable,” including for practices related to cybersecurity and privacy.

However, Section 222 was “never supposed to have been a general privacy mandate for the FCC,” McDowell said.

That argument may have a sympathetic ear on the bench. Judge Richard Allen Griffin, who authored the net neutrality decision, is also sitting on the panel hearing the breach notification challenge. The George W. Bush appointee was joined in the earlier decision by fellow Bush appointment Raymond M. Kethledge and John K. Bush, who was nominated in President-elect Donald Trump’s first administration.

The panel considering the data breach rule could be friendlier to the Democratic-led FCC’s efforts, as Griffin is joined by judges Jane Branstetter Stranch, appointed by Barack Obama, and Andre B. Mathis, named by Joe Biden.

Another Avenue

Still, the Sixth Circuit panel could sidestep the Loper Bright question, as the telecom trade group’s challenge also pointed to the Congressional Review Act.

Congress undid the FCC’s 2016 broadband privacy rule, which included data breach notification requirements, with a resolution of disapproval under the CRA in 2017. The law prohibits agencies from readopting disapproved rules—or “substantially similar” ones—without specific authorization from Congress.

The Ohio Telecom Association argued the commission made “no attempt” to explain how its 2023 reporting rule “is not the same or substantially similar to the one nullified” in 2017. Both Republican commissioners on the five-member panel voted against adopting the rules at the time, raising CRA concerns.

A ruling on the act’s applicability to the FCC’s rulemaking abilities after a CRA disapproval would be notable, as the congressional tool hasn’t been heavily tested in courts, said Chris Frascella, counsel at the Electronic Privacy Information Center, which filed a friend-of-the-court brief supporting the FCC data breach rule.

The FCC argued its 2016 order included myriad items beyond data breach notification. “If someone orders a large pizza and receives a single slice, they have not gotten ‘substantially the same’ thing,” the commission told the Sixth Circuit.

With the CRA challenge, the judges have a “menu of options” to void the FCC’s rule, said Cobun Zweifel-Keegan, managing director of the International Association of Privacy Professionals.

The agency’s recent focus on data privacy may ultimately be more limited going forward—even if the breach rule survives the Sixth Circuit—as Trump’s pick to lead the agency, current Republican Commissioner Brendan Carr, will likely favor deregulation.

“You’re probably seeing an incoming administration that, even if the FCC were to win this case, is going to be less inclined to use 222 and 201(b) broadly to address kind of privacy and security harms in the consumer protection standpoint,” Borgia said.