CTIA and Chamber Support AT&T Challenge of FCC Data Fine
CTIA and the U.S. Chamber of Commerce backed AT&T’s challenge of the FCC's fine for data violations, filing amicus briefs in the 5th U.S. Circuit Court of Appeals. On a 3-2 vote in April, commissioners imposed fines against the three major wireless carriers for allegedly not safeguarding data on customers' real-time locations years earlier (see 2404290044).
The FCC fined T-Mobile more than $91 million, plus $12 million for Sprint's violations. T-Mobile acquired Sprint. AT&T was hit with more than $57 million in fines and Verizon with fines north of $47 million. Republican Commissioners Brendan Carr and Nathan Simington dissented even though former Chairman Ajit Pai, a Republican, originally proposed the fines in 2020.
AT&T challenged the order in the 5th Circuit (see 2405130030), considered one of the most industry-friendly of the judicial circuits (docket 24-60223).
For years, wireless carriers enabled “beneficial, legitimate uses of customer location data with their customers’ consent,” CTIA said in an amicus brief filed Monday. Uses included “the provision of emergency assistance, fraud detection, and more” and for years the FCC never raised questions, CTIA said: “But after a third party not before this Court misused a location service, the Commission changed its mind and, in the Order under review, declared AT&T’s location-based services unlawful.”
The FCC also sought to “apply its surprise interpretation in an administrative-enforcement posture that deprives AT&T of its Seventh Amendment right to a jury trial,” CTIA said. The wireless association argued that the FCC wasn’t addressing an ongoing threat and, instead, is forcing carriers “out of the location-based services industry, ‘effectively chok[ing] off one of the only ways that valid and legal users of consent-based location data services had to access location data.’”
CTIA questioned whether data covered in the order is customer proprietary network information (CPNI) as defined in Section 222 of the Communications Act. The act's history “shows that the word ‘location’ in the definition of CPNI refers to location at the time a call is made,” CTIA said: “The Commission’s prior precedent reinforces the conclusion that this is the best reading of the statute.”
The Chamber said the FCC fine should be rejected under recent U.S. Supreme Court decisions in Loper Bright Enterprises v. Raimondo (see 2406280043) and SEC v. Jarkesy (see 2406270063). Jarkesy “vindicated important limits on federal agency action, including the right of citizens to have access to Article III courts and juries to adjudicate claims for civil penalties.” Loper defined “the proper role of courts in determining the meaning of statutes and the scope of agency authority.”
In the proceeding that prompted the fine, the FCC “abused its investigative and enforcement authority to violate the company's Seventh Amendment right to a jury,” the Chamber said: The agency also “announced and applied novel legal interpretations of the Communications Act to calculate and impose staggering forfeitures for activities that were not at the time of conduct a violation of any agency rule or law.”
In a second case, from the 6th Circuit, three public interest groups filed in support of the FCC’s updated data breach notification rules in a case the Ohio Telecom Association (OTA) brought. OTA argued the agency's order “exceeds the FCC’s statutory authority” and is “arbitrary, capricious, and an abuse of discretion” as described in the Administrative Procedure Act (see 2402210026). The FCC approved the rules last year, and they took effect March 13.
Petitioners “argue that the broad statutory authority Congress granted the Commission is not sufficient to permit this modification to the data breach notification rules,” the groups said: “This is nothing more than a cynical attempt at regulatory arbitrage to avoid liability for weak cybersecurity practices and for inadequate responses when the sensitive data of millions of their customers has been mishandled.” The Electronic Privacy Information Center, Privacy Rights Clearinghouse and Public Knowledge filed the brief.