Broad Authority Confirmed: Sixth Circuit Affirms FCC Power under § 201(b) to Mandate Data-Breach Reporting of PII

Introduction

Texas Association of Business v. FCC consolidates three petitions for review challenging the Federal Communications Commission’s (FCC) 2024 Data-Breach Reporting Order. The petitioners—several trade associations representing wireline, wireless, broadband, and relay-service providers—argued that the Order exceeds the FCC’s statutory authority and violates the Congressional Review Act (CRA). A divided Sixth Circuit (Judge Stranch, joined by Judge Mathis; Judge Griffin dissenting) denied the petitions, thereby establishing two significant precedents:

1. Section 201(b) of the Communications Act empowers the FCC to regulate personally identifiable information (PII)-related breach-notification practices, even though Section 222—the privacy-specific provision—does not mention PII.
2. The CRA’s “substantially the same” prohibition applies to the entire previously disapproved rule identified in Congress’s resolution, rather than to each individual sub-provision; thus the 2024 Order was not barred even though it revives a component (breach reporting) of the disapproved 2016 Broadband Privacy Order.

Summary of the Judgment

The majority held:

• All petitions were timely; the relevant “entry” date for § 2344 petitions is the rule’s Federal Register publication date.
• Section 222(a) does not authorize PII breach rules, but Section 201(b) does. The court read “practices … in connection with communication service” broadly enough to cover carriers’ failure to notify customers and authorities of PII breaches.
• Section 225 allows extending the same obligations to Telecommunications Relay Service (TRS) providers by virtue of the “functional equivalency” mandate.
• The CRA did not bar the 2024 rule because Congress’s 2017 resolution disapproved the whole 2016 Order; the new Order is not “substantially the same” in toto.
• Petitions were therefore denied and the rule stands.

Judge Griffin dissented, concluding both that the CRA blocks the rule and that § 201(b) cannot reach PII-breach reporting, which sits far outside the “traditional, historical subject matter” of rate-related practices.

Analysis

Precedents Cited and Their Influence

• Global Crossing Telecommunications, Inc. v. Metrophones (2007) – Supreme Court precedent interpreting § 201(b). The majority relied on Global Crossing’s broad reading of “practice” to anchor its conclusion; the dissent argued that Global Crossing limited § 201(b) to matters resembling “rate setting and rate divisions.”
• Wisconsin Central Ltd. v. United States (2018), RadLAX Gateway Hotel v. Amalgamated Bank (2012), and other canons cases – referenced for textual canons (noscitur a sociis, general/specific canon).
• Loper Bright Enterprises v. Raimondo (2024) – confirmed that courts independently decide statutory meaning without Chevron deference; shaped the majority’s and dissent’s methodologies.
• California Independent System Operator Corp. v. FERC (D.C. Cir. 2004) – invoked by the dissent to illustrate constrained reading of “practice” in a sister statute; majority distinguished it on textual grounds.
• FTC Act § 5 jurisprudence (e.g., Wyndham Worldwide) – used by the majority to show a symmetrical federal privacy scheme, with FCC covering carriers exempted from FTC jurisdiction.
• Earlier FCC orders: 1998, 2007 (CPNI rules); 2013 TRS CPNI extension; 2014 TerraCom NAL (first PII citation); 2016 Broadband Privacy Order; 2017 CRA rescission. The history demonstrated FCC’s evolving approach.

Legal Reasoning of the Court

1. Statutory Authority

1. Section 222(a) – Majority: phrase “proprietary information of … customers” read in context does not extend to PII because sub-sections focus tightly on CPNI, subscriber lists, etc. Therefore § 222 is not the hook.
2. Section 201(b) – Text “practices … in connection with” intentionally broad. Majority imposed a “direct connection” gloss and found that breach-reporting practices are integrally tied to offering the service (carriers collect PII as part of providing service; notifications protect customers’ use). Canons invoked: surplusage (avoid rendering § 201(b) meaningless alongside § 222), but the general/specific canon did not defeat FCC because PII falls outside § 222’s specific coverage.
3. Section 225 – Functional equivalence for TRS lets FCC mirror carrier rules.

2. Congressional Review Act

1. The court had jurisdiction because § 805’s bar covers only “actions under” the CRA, not a substantive FCC rule.
2. Defining “the rule that does not take effect” – must look to the whole rule named in Congress’s resolution (here, the expansive 2016 Order). Thus a subsequent narrower rule focusing solely on breach-reporting is not “substantially the same.”
3. Even if compared provision-to-provision, the 2024 rule materially differs (added TRS coverage, good-faith exception, flexible notice content), defeating “substantially the same” test.

Impact of the Decision

• Regulatory Scope – Confirms that § 201(b) can reach modern privacy harms beyond traditional rate regulation. Other novel telecommunications practices may now be reachable under § 201(b) if a “direct connection” exists.
• CRA Litigation – Provides the first appellate roadmap on how to read “substantially the same.” Agencies may feel freer to re-promulgate isolated pieces of disapproved omnibus rules, provided the whole package meaningfully differs.
• Carrier Compliance – Telecom and broadband providers (including TRS) must implement breach-response programs that cover PII as defined by the Order; state regimes now sit atop a federal floor.
• Future Privacy Law – The ruling could spur Congress either to expand § 222 expressly to PII or to create a unified federal privacy statute; otherwise the FCC may gradually fill gaps via § 201(b).
• Chevron Aftermath – Shows how courts will scrutinize statutory text post-Loper Bright; despite no Chevron deference, agencies can still prevail where statutes are genuinely broad.

Complex Concepts Simplified

• CPNI vs. PII – CPNI is service-usage metadata (e.g., numbers called, duration). PII is any info that identifies a person (name + SSN, biometrics, log-in credentials). The former is expressly regulated in § 222; the latter now falls under § 201(b) per this case.
• Congressional Review Act “Substantially the Same” – If Congress strikes down a rule, an agency cannot bring back a new rule that largely mirrors the entire disapproved rule—but, per this court, it may revive distinct pieces if the new package differs significantly overall.
• “Practice … in connection with” (Section 201(b)) – Encompasses a carrier’s routine or customary actions (or failures to act) that have a direct nexus to providing its communication service. Think of it as covering behavior that, if left unchecked, would materially undermine the fairness or reasonableness of the service environment.
• Functional Equivalency (Section 225) – TRS for individuals with hearing/speech disabilities must be as useful as ordinary voice services. Therefore privacy protections given to regular carriers must parallel those offered to relay-service customers.

Conclusion

Texas Association of Business v. FCC is a landmark privacy and administrative-law decision. It stretches the Communications Act’s keystone § 201(b) into the digital-privacy era, confirms agency flexibility post-Chevron, and clarifies the outer bounds of the CRA’s reissuance bar. Going forward, telecommunications carriers must treat PII breaches with the same urgency as CPNI incidents, and agencies may cautiously resurrect portions of previously vetoed rules—so long as the overall regulatory scheme meaningfully evolves. Whether Congress will accept this judicial expansion or respond with new legislation remains an open question, but for now the FCC possesses broad power to police privacy breaches in the communications sector.