Sixth Circuit Allows Congressional Review Act Challenge, But Rejects It on the Merits

Case Name and Number

Ohio Telecom Ass’n v. FCC, No. 24-3133 (6th Cir.)

Introduction

On August 13, 2025, a divided panel of the US Court of Appeals for the Sixth Circuit upheld a 2024 Federal Communications Commission (FCC) order imposing data breach reporting requirements on telecommunications carriers, despite Congress’s rejection of similar FCC efforts during the Obama administration utilizing the Congressional Review Act (CRA). The court determined that it had jurisdiction to review whether the agency complied with the CRA prohibition against an agency adopting rules that are “substantially the same” as rules rejected by Congress. But the panel majority concluded that the CRA does not preclude the FCC from issuing an order overlapping only with part of what Congress had rejected. The court also opined on whether the new rules promulgated by the FCC were substantially the same as the regulations vitiated by the CRA resolution of disapproval.

Background

In 2016, the FCC issued an omnibus privacy order to apply privacy requirements in the Communications Act of 1934 to broadband Internet service providers and telecommunications carriers. Among other things, the 2016 order imposed a broad obligation to report any data breaches of personally identifiable information, such as individuals’ names, email addresses, birthdates, and Social Security numbers. But before that order could take effect, the FCC had to submit it to Congress for review under the CRA, which gives Congress the opportunity to review an agency rule and, if it chooses, pass a resolution of disapproval that vitiates the rule.¹ Congress ultimately disapproved the 2016 order, passing a resolution stating that “such rule shall have no force or effect.”²

In 2023, the FCC started the rulemaking process for a new data breach reporting rule. And in 2024, the FCC issued an order that, like its 2016 order, required telecommunications carriers to report any data breaches of personally identifiable information. Then-FCC Commissioner (and now Chairman) Brendan Carr dissented from the 2024 order and explained the flaws in the FCC’s rationale for why it could adopt a portion of the 2016 order without running afoul of the CRA:

The Order notes that the 2016 FCC decision adopted several rules—all of which were nullified by the 2017 CRA. But in the Order’s view, the CRA does not prohibit the FCC from putting any one of those rules (or even some combination of them) back in place here provided that the FCC does not put all of those 2016 rules back in place in this one decision. This creates an exception that swallows the CRA whole.³

Ohio Telecom petitioned for review in the Sixth Circuit. Several other challengers filed suits in courts of appeals around the country. Through multidistrict litigation orders and venue transfers, eventually everything came to rest in the Sixth Circuit. Petitioners argued in relevant part that the FCC’s 2024 order cannot take effect because the CRA prohibits an agency from reissuing a rule that is “substantially the same” as a rule Congress disapproved⁴ and that the FCC’s 2016 and 2024 orders are substantially the same.

Analysis of Court’s Decision

In a 2-1 decision, a panel of the Sixth Circuit upheld the FCC’s 2024 order. Given the paucity of cases examining the CRA, that decision could have a significant impact on similar agency challenges going forward, unless it is overturned or conflicts with rulings from other U.S. courts of appeal. There are two principal takeaways from the court’s holding, and they operate somewhat at odds with each other. On the one hand, in its treatment of the threshold jurisdictional question, the court opened the door for challengers to invoke the CRA to challenge agency action touching upon matters that Congress had previously disapproved under the CRA. But on the other, when it reached the merits, the panel majority reached a conclusion that could enable many subsequent agency actions to survive a challenge under the CRA. We briefly address these two parts of the court’s holding below.

As an initial matter, the court’s decision provides for much greater judicial review of agency actions that Congress has nullified via a CRA resolution of disapproval than any earlier opinions on the subject. The CRA precludes judicial review of any agency “determination, finding, action, or omission under this chapter.”⁵ But the court took a narrow reading of that language. According to the court, the plain text of “the phrase ‘under this chapter’ limits the provision’s preclusive effect to actions taken ‘under’ the CRA, which imposes various obligations and requirements on Congress and federal agencies.”⁶ Under that interpretation, courts are free to review substantive actions taken by agencies outside of their obligations “under” the CRA.⁷ The upshot is that it is much easier for those challenging agency actions to invoke the CRA.

At the same time, however, the panel majority’s merits decision makes it difficult for those challenging agency actions under the CRA to actually win those challenges. The panel majority (Judges Stranch and Mathis) concluded that the CRA’s prohibition against an agency adopting a new rule that is “substantially the same” as a previous rule vitiated by Congress⁸ does not apply when an agency merely adopts a part of that vitiated rule.⁹ According to the majority, the relevant comparison here was between the 2024 order and the disapproved 2016 order in its entirety.¹⁰ According to the majority, the 2024 order “addresses only data breach reporting requirements.”¹¹ The 2016 order, by contrast, was “far more expansive,” “imposing a broad array of privacy rules” of which “data breach notification requirements were a mere subset.” Id. At that level of comparison, the majority held that the “two rules are not substantially the same.”¹²

The majority brushed aside concerns that its analysis would make it easy for agencies to circumvent congressional resolutions of disapproval simply by adopting the old proposed rule in piecemeal fashion.¹³ Going forward, the majority said, Congress could specify its intent to prohibit an agency from issuing a new rule “substantially the same as any part of a prior rule nullified by a disapproval resolution” if it wants to do so.¹⁴ But absent explicit language from Congress, the majority asserted that a sum-includes-its-parts view of congressional disapproval of an agency rule would amount to an “atextual and anomalous construction of the CRA” that could prohibit agencies from reissuing rules overlapping even in the “narrowest, more anodyne” ways with earlier failed omnibus rulemaking efforts.¹⁵

At the end of its opinion, the majority added that, although it rejected comparing the 2024 order only to the data-breach-reporting-requirements part of the 2016 order, in its view petitioners would still lose even under that comparison.¹⁶ The majority pointed to what it called “small but meaningful differences between the substantive obligations imposed by the two sets of requirements.”¹⁷

Judge Griffin dissented. He would have compared the 2024 order only to the part of the disapproved 2016 order addressing the same topic (data breach requirements) and held that the CRA barred the 2024 order for being “substantially the same”¹⁸ as the FCC’s earlier failed effort.¹⁹ In his view, when Congress disapproved of “the whole 2016 order, Congress disapproved of each of its constituent parts.”²⁰ This follows, he said, from the CRA’s definition of a “rule,” which encompasses the “whole or part of an agency statement of general . . . applicability and future effect designed to implement, interpret, or prescribe law or policy.”²¹ In addition, when comparing the 2024 order to the relevant part of the 2016 order, he found them to be nearly identical in scope, definitions, state of mind, and reporting requirements,²² with only “minor technical differences” between them.²³ He believed that the majority’s entire-order focus rendered Congress’s earlier disapproval “meaningless” and feared that it would encourage agencies to adopt “creative ways” to “easily circumvent” any future congressional disapprovals.²⁴

Judge Griffin also took issue with the opinion’s novel interpretation of the CRA: “Although the majority asserts that Congress could have made line-by-line disapprovals of the specific rules it wished to reject, the CRA neither requires such specificity nor allows a line-item veto.”²⁵ He reasoned that the court should have adhered to clear statutory language rather than allow the FCC to prevail on a reading of the CRA that is not grounded in the statute: “our interpretation of the CRA ought to elevate the will of Congress over that of an administrative agency.”²⁶

In all likelihood, petitioners will seek to have the entire Sixth Circuit weigh in en banc. And this issue may eventually be decided by the Supreme Court. For now, though, regulated parties have a court of appeals decision that is both helpful and unhelpful. It blesses invoking the CRA to challenge subsequent agency action following congressional disapproval, but gives agencies wide latitude to circumvent the CRA by taking a piecemeal approach to re-adopting previously vitiated rules.

Read the opinion.

¹ 5 U.S.C. § 802(a).

² Pub. L. 115-22, 131 Stat. 88, 88 (2017).

³ FCC, Data Breach Reporting Requirements, WC Docket No. 22-21, Report and Order (Dec. 13, 2023) (dissenting statement of Comm’r Carr)

⁴ 8 U.S.C. § 801(b)(2).

⁵ 5 U.S.C. § 805.

⁶ Op. 31.

⁷ Id.

⁸ 8 U.S.C. § 801(b)(2).

⁹ Op. 33-34.

¹⁰ Id.

¹¹ Id. at 34.

¹² Id.

¹³ Id.

¹⁴ Id.

¹⁵ Id.

¹⁶ Id. at 35.

¹⁷ Id.

¹⁸ 8 U.S.C. § 801(b)(2)

¹⁹ Op. 36-42 (Griffin, J., dissenting).

²⁰ Id. at 41.

²¹ Id. (quoting 5 U.S.C. §§ 551(4), 804(3)) (emphasis added)

²² Id. at 38-39

²³ Id. at 40

²⁴ Id. at 41-42.

²⁵ Id. at 41.

²⁶ Id.