Sixth Circuit Upholds FCC Data Breach Order: Analyzing the Implications for Telecom Carriers and the FCC

Davis Wright Tremaine LLP

The court in Ohio Telecom read the Communications Act to grant the FCC sweeping authority to regulate "unjust" and "unreasonable" telecom carrier practices—for data privacy, data security, and beyond

The U.S. Court of Appeals for the Sixth Circuit recently upheld data breach reporting requirements issued by the Federal Communications Commission (FCC or Commission) in 2023 (Data Breach Order) in its August 13, 2025 2-1 decision in Ohio Telecom Ass'n v. FCC. Over a vigorous dissent, the court took an expansive view of FCC authority under Section 201(b) of the Communications Act, holding that the plain language of 201(b) permits the FCC to regulate any broadly construed "practice" that a provider undertakes "in connection with [a] communications service"—including the practice of notifying the Commission and affected customers of a breach of personal data. The decision could have significant implications for telecom carriers, as it could pave the way for aggressive FCC regulatory and enforcement activity on data privacy and cybersecurity—and on numerous other practices deemed "unjust" or "unreasonable" by the Commission under Section 201(b).

The court's decision, again over a vigorous dissent, also turned on a narrow reading of the Congressional Review Act (CRA). Congress invoked the CRA in 2017 to reject data breach notification requirements that were part of a larger set of data privacy and security rules issued by the FCC in 2016 (the 2016 Order). The panel in Ohio Telecom held that Congress's rejection of the entire 2016 Order did not bar the FCC from issuing the Data Breach Order, as the Data Breach Order's requirements were comparable only to one part of the 2016 Order. The court thus determined that the Data Breach Order was not barred by the CRA's prohibition on agencies issuing rules that are "substantially the same" as rules previously voided by Congress.

Ohio Telecom is the first appellate decision interpreting this "substantially the same" language in the CRA. The court's narrow reading of the CRA could significantly limit the law's usefulness as a congressional check on agency rulemaking authority. Following Ohio Telecom, agencies could respond to congressional rejections of their regulations simply by issuing modestly revised versions or smaller parts of the same regulations.

We discuss the court's decision and its implications for the telecommunications industry below.

Background on the FCC's 2023 Data Breach Order

The 2016 Order

The FCC's 2016 Order, titled Protecting the Privacy of Customers of Broadband and Other Telecommunications Services, sought to impose an array of data privacy and security requirements—including for data breach notification—on telecommunications providers, interconnected Voice over Internet Protocol (VoIP) providers, and Telecommunications Relay Service (TRS) providers. Many of the 2016 Order's requirements applied to "customer proprietary information" or "customer PI." The 2016 Order broadly defined customer PI to include any personally identifiable information of customers. Use of this broad term "customer PI" significantly expanded the FCC's existing data breach notification rules, which applied only to the comparatively narrow and statutorily defined term "customer proprietary network information," or CPNI.

The FCC cited sections 222(a) and 201(b) of the Communications Act (as amended by the Telecommunications Act of 1996) as its primary sources of authority to establish these broad new requirements in the 2016 Order, including the greatly expanded data breach notification requirements. Yet, the term "customer PI" appears nowhere in either of those sections or in any other relevant statutory provision. In contrast, CPNI and other more limited types of customer data are defined expressly in section 222(h). Just two years prior to issuing the 2016 Order, the FCC had for the first time publicly asserted that 222(a) and 201(b) authorize the Commission to regulate PI—including data breach notification—when it issued a 2014 Notice of Apparent Liability (NAL) against telecom providers TerraCom and YourTel following a third-party's unauthorized access to Social Security numbers, tax returns, benefits statements, and other PI and documents submitted to the providers by Lifeline service program applicants. The FCC asserted in that NAL that the carriers violated 222(a) and 201(b) by failing to adequately secure applicants' PI and by failing to notify all individuals affected by the breach. The two carriers settled with the FCC.

Congress subsequently reviewed the 2016 Order and passed a joint resolution disapproving of the entire order pursuant to the CRA. Pub. L. No. 115-22, 131 Stat. 88, 88 (2017). President Trump signed the joint resolution in 2017. The 2016 Order thereby was voided under the CRA, and the FCC was prohibited from reissuing new rules "in substantially the same form" as the disapproved rule. See 5 U.S.C. § 801(b)(2). As noted by the dissent, the CRA defines a "rule" as "the whole or a part of an agency statement of general . . . applicability and future effect designed to implement, interpret, or prescribe law or policy." 5 U.S.C. §§ 804(3) and 551(4) (emphasis added).

The 2023 Data Breach Order

The FCC issued the Data Breach Order, titled "Data Breach Reporting Requirements" in December 2023. Similar to the 2016 Order's breach notification requirements, the Data Breach Order applied to broadly defined customer "personally identifiable information" or "PII" that included personal information beyond CPNI or other statutorily defined categories. As with the 2016 Order, the FCC cited 222(a) and 201(b) as its primary sources of authority to issue data breach rules for PII. Now-FCC Chairman (then Commissioner) Brendan Carr dissented, arguing that the FCC lacked authority to regulate PII, and that the Data Breach Order was barred by the CRA by virtue of Congress's rejection of the 2016 Order. (Commissioner Nathan Simington also dissented on similar grounds.)

Ohio Telecom Association v. FCC—The Sixth Circuit's Decision

The Ohio Telecom Association and several other industry groups filed petitions for review in three circuit courts of appeals challenging the Data Breach Order. Those challenges were consolidated for briefing and argument in the Sixth Circuit. Petitioners argued that neither section 201(b) nor section 222(a) gave the FCC authority to issue data breach notification rules pertaining to PII, and that in any event the Data Breach Order was barred by virtue of the CRA's rejection of the 2016 Order.

The Sixth Circuit agreed with petitioners that the FCC could not issue the Data Breach Order under 222(a), holding that 222(a) does not reach customer personal information beyond CPNI. However, the court ultimately upheld the Data Breach Order on the grounds that 201(b) broadly authorizes the FCC to prohibit "unjust or unreasonable" "practices … in connection with [a] communication service"—including by issuing rules penalizing a carrier's failure to notify customers and the FCC of a data breach. The court held further that the CRA did not bar the Data Breach Order, as that order was not "substantially the same" as the 2016 Order rejected by Congress. The court also held that section 225 of the Communications Act authorized the FCC to extend data breach notification requirements to Telecommunications Relay Services (TRS).

  1. Section 222(a)

    Section 222(a) provides that "[e]very telecommunications carrier has a duty to protect the confidentiality of proprietary information of, and relating to, other telecommunication carriers, equipment manufacturers, and customers, including telecommunication carriers reselling telecommunications services provided by a telecommunications carrier." The FCC argued that "proprietary information of, and relating to…customers" includes all PII. Applying the Supreme Court's decision in Loper Bright, the court found this statutory language ambiguous and therefore turned to the context and structure of section 222. The court held that the FCC's reading of 222(a) to cover undefined PII conflicted with the rest of section 222, as sections 222(c)-(g) set forth detailed requirements, exceptions, and definitions pertaining to specifically defined types of customer personal data, including CPNI. The court explained that the FCC's reading of 222(a) would result in "anomalies" wherein 222(a) would require protection of both CPNI and PII, but the enumerated requirements, exceptions, and definitions of 222(c)-(g) would apply only to CPNI. The court also found it notable that section 222 makes no reference to PII, while other portions of the Communications Act—in particular, provisions introduced by the Cable Communications Policy Act—reference "personally identifiable information." The court explained that these other references to similar terms showed that "Congress knows how to expressly reference PII when it so desires."

  2. Section 201(b)

    Section 201(b) provides that "[a]ll charges, practices, classifications, and regulations for and in connection with [a] communication service, shall be just and reasonable." According to the FCC, section 201(b) authorized the Data Breach Order because failure to provide notice of a data breach is an unjust or unreasonable practice in connection with a communication service within the meaning of that section. Petitioners argued that the FCC's reading was too broad, and that 201(b) is best understood as applying to practices that are "inherent or necessary" to providing communications services to customers, such as setting rates and classifying services. Here, the court agreed with the FCC.

    Focusing on the plain language of section 201(b), the court determined that "practice" refers to a "usual mode of operating, which can encompass both positive acts and the refusal to act." Analogizing to the Supreme Court's decision in Global Crossing Telecommunications v. Metrophones Telecommunications, 550 U.S. 45 (2006), regarding a carrier's failure to pay compensation, the Sixth Circuit held that the refusal or failure to provide notice of a data breach constitutes a "practice" under 201(b).

    Next, looking at the context and structure of 201(b), the court held that section 201(b)'s language "in connection with [a] communication service" reaches a broad range of practices that have a "close, direct connection" to the provision of communications services. Citing the FCC's findings that carriers collect and hold significant amounts of customer PII in the course of providing their services, and that data breach notification helps protect customer PII from misuse, the court held that "there is a direct connection between a carrier's failure to disclose breaches of customer PII and its role in providing communications services." To further support its ruling, the court held that a broad reading of 201(b) was necessary to avoid a "regulatory gap" wherein "there is little to no federal protection against carriers' mishandling of customer PII."

    The dissent sharply criticized the court's interpretation of 201(b) on numerous grounds. Among other things, the dissent argued that the FCC's and the majority's reading permitted the FCC to use 201(b) "to regulate virtually anything a carrier does in its business" with no apparent limiting principle. The dissent further argued that the majority's broad reading of 201(b) rendered 222's "meticulous framework" on the privacy and security of customer information "superfluous" by construing 201(b) to "open the floodgates to all kinds of other rules related to carriers' 'practices' concerning the same" topic. The dissent also rejected the majority's argument that a narrower reading of 201(b) would create an impermissible regulatory gap in the protection of telecom carriers' customer personal information, arguing both that no such gap exists because various federal and state data breach and cybersecurity incident reporting laws already apply to telecom carriers, and that any such gap (if it existed) is for Congress to resolve.

  3. Congressional Review Act

    The CRA prohibits agencies from issuing any "rule" that is "substantially the same" as a rule that was voided by Congress through CRA review. 5 U.S.C. § 801(b)(2). Petitioners argued that the Data Breach Order violated the CRA by reissuing data breach notification requirements that were substantially the same as those included in the 2016 Order rejected by Congress. The FCC countered that the Data Breach Order was not barred by the CRA because it bore numerous differences from the 2016 Order—including because the 2016 Order dealt with numerous topics beyond data breach notification. Here, the court again agreed with the FCC.

    First, the court held that the Data Breach Order was not "substantially the same" as the 2016 Order because the latter included numerous requirements related to customer data privacy and security beyond data breach notification, including requirements on customer notices, permissible uses of customer PI, and data security measures. In contrast, the Data Breach Order only dealt with data breach notification. The court noted that when Congress rejected the 2016 Order, it rejected that order as a whole and did not reject any specific portions of the order. The court explained that Congress could have chosen specifically to reject the data breach notification requirements of the 2016 Order but did not do so. Narrowly reading the CRA's term "rule," the court explained that the "rule" rejected by Congress was the entire 2016 Order, and that that order was substantially different from the Data Breach Order.

    Second, the court held that the two orders were not "substantially the same" because of "small but meaningful differences" between the two orders' substantive obligations. The majority highlighted two such differences: The 2016 Order was more prescriptive in its requirements for the contents and manner of the customer notice, and the Data Breach Order provides a "good-faith" exception to the definition of "breach" not included in the 2016 Order. One notable difference not highlighted by the court is the 2016 Order's definition of customer PI and the Data Breach Order's definition of PII. The former is broader, including "any information that is linked or reasonably linkable to an individual or device." The latter, while still significantly broader than CPNI, generally reaches only specific categories of data, such as name, government identifiers, and biometric information.

    The dissent vehemently disagreed with the majority's application of the CRA. Using a chart taken from the petitioners' brief, the dissent highlighted numerous similarities between the data breach notification requirements in the 2016 Order and the Data Breach Order, including the definition of a "breach," the scope of covered data, the agencies to be notified, and the 30-day deadline for notification. The dissent stated that the court's holding provided agencies with easy ways to circumvent the CRA, including by simply reissuing as its own rule each constituent part of a rejected rule, or by making "minor, technical changes" to a rejected rule. Finally, the dissent quoted the CRA and its reference to the APA's definition of "rule" to note that the disapproved rule included "[t]he whole or a part of" the disapproved rule. According to the dissent, the majority's narrow reading of the CRA renders CRA review "meaningless" and "shift[s] legislative power from Congress to an administrative agency."

Takeaways & Implications

The Sixth Circuit's decision in Ohio Telecom has potentially broad implications for telecom carriers and the FCC's regulatory and enforcement authority:

  • Another Breach Reporting Requirement: The most immediate implication is the introduction of yet another requirement to notify individuals and authorities of data breaches and other cybersecurity incidents. As the dissent noted, telecom carriers are subject to multiple cyber incident reporting requirements at the federal level, including those under the Cyber Incident Reporting for Critical Infrastructure Act and the Securities and Exchange Commission's rule for reporting "material" cybersecurity incidents, as well as data breach reporting requirements under the laws of all U.S. states and several other jurisdictions. The Data Breach Order covers a broader range of personal data than many state laws, requires notification to yet another government authority—the FCC—and requires notification within 30 days—a timeline shorter than under most state laws. Data breaches can be complex events, and the Data Breach Order adds yet another layer of complexity by adding to the numerous notification requirements that telecom carriers must analyze and follow.
  • Broad § 201(b) Authority: The court's decision takes a broad reading of 201(b), holding that that section permits the FCC to regulate any unfair or unjust "practice" that has "a close, direct connection" to the provision of communications services. Such practices may include both carriers' affirmative acts and their omissions. As the dissent points out, the court's broad reading of 201(b) could justify aggressive FCC activity on data privacy, security, and many other practices without a clear limiting principle.
  • Weakened CRA Oversight: By narrowly interpreting the CRA, Ohio Telecom may encourage agencies to reissue rules previously nullified by Congress, provided they make relatively modest amendments or re-issue only components of rejected rules. If agencies are able to reissue rules under those circumstances, Congress's ability to check agencies' rulemaking authority under the CRA may be severely limited.

How the FCC will proceed remains to be seen. Now-Chairman Carr dissented from the issuance of the Data Breach Order, arguing that the FCC could not regulate PII under 222(a) or 201(b), and that the CRA barred the order. Chairman Carr also dissented from a series of forfeiture orders against telecoms related to the sharing of customer location data, again arguing that section 222(a) does not reach PII beyond CPNI. (These forfeiture orders did not cite 201(b).) And in general, the FCC under Chairman Carr has pursued a significant deregulatory agenda, including by seeking to cancel or delete numerous existing rules.

The FCC has several options: It could move forward with the existing Data Breach Order, or it could revise the order to address Chairman Carr's criticisms and industry concerns. Should the FCC move forward with the existing requirements, the Commission could decline to enforce them. The FCC could even rescind the Data Breach Order altogether.

Next steps in the Ohio Telecom case are also unclear. Petitioners could move for panel rehearing or rehearing en banc by the full Sixth Circuit. Instead of, or after rehearing, petitioners could seek Supreme Court review.


© Davis Wright Tremaine LLP
