A recent Supreme Court decision marks a significant shift in the authority of federal agencies to interpret the statutes they administer, including those governing data privacy and security, and in the role of judicial review in resolving ambiguities in those statutes. This shift creates new challenges and uncertainties for agencies seeking to regulate, and meaningfully enforce against, purported insufficiencies in privacy and data security programs.
1984 Chevron Decision
In its landmark 1984 decision, Chevron v. Natural Resources Defense Council, 467 U.S. 837, the Supreme Court established a framework for judicial review of federal agency interpretations of statutes. This framework, known as “Chevron deference,” dictated that when a statute is ambiguous, courts should defer to a federal agency’s reasonable interpretation of the law. For the past 40 years, Chevron deference has been applied to thousands of cases, significantly shaping the regulatory landscape.
Recent Decision Overturning Chevron
The U.S. Supreme Court recently issued a ruling (Loper Bright Enterprises v. Raimondo, decided together with Relentless, Inc. v. Department of Commerce) overturning Chevron. The Court held that, under the Administrative Procedure Act, courts may no longer defer to a federal agency’s interpretation of a statute merely because the statute is ambiguous. Instead, courts must exercise their own independent judgment in interpreting ambiguous laws. The facts underlying Loper Bright and Relentless involved fishermen challenging the National Marine Fisheries Service’s interpretation of the Magnuson-Stevens Fishery Conservation and Management Act of 1976, under which the fishermen were required to pay for monitors on board their vessels. While the underlying facts concerned fishery management, the implications of the ruling extend to every federal agency, none of which will now receive Chevron deference when its rulemaking is challenged. Consequently, courts will play a more critical role in interpreting statutes and in assessing whether an agency has properly applied the law or exceeded its statutory limits.
Impact on Federal Agencies Regulating Data Privacy and Cybersecurity Laws
The full extent of the impact this decision will have on the rulemaking capabilities of federal agencies that have historically held significant authority over the interpretation of laws related to the collection, sharing, and protection of personal information, such as the Federal Trade Commission (FTC) and the U.S. Department of Health and Human Services (HHS), remains unclear. Indeed, FTC representatives have stated that the change will have little effect on key data privacy issues. Further, the change will not affect settlements and consent decrees that are already in place.
Nonetheless, heightened scrutiny of agency actions that rest on interpretations of unclear elements of data protection laws is expected. For example, in its data privacy and cybersecurity enforcement, the FTC has relied on Section 5 of the FTC Act, a relatively open-ended statute authorizing the FTC to address “unfair or deceptive acts or practices.” The FTC has used that authority to allege that the data collection and disclosure practices of various companies were unfair or deceptive. Similarly, the FTC has exercised authority under the Gramm-Leach-Bliley Act (GLBA), and HHS has exercised comparable authority under the Health Insurance Portability and Accountability Act (HIPAA), to determine which companies fall within the scope of those laws, given the broad but at times ambiguous definitions of “financial institutions” and “business associates,” respectively. Another commonly discussed area of ambiguity is the security components of GLBA (15 U.S.C. § 6801) and HIPAA (45 C.F.R. § 164.306), which require in-scope entities to protect the more sensitive personal information covered by each law by implementing appropriate technical and organizational safeguards, without prescribing in detail what those safeguards must be.
While the FTC and others argue that the ambiguity in each of these data protection laws is intentionally designed to accommodate evolving technologies and business practices, it is precisely this vagueness and broadly construed language that may now draw more judicial scrutiny in the absence of Chevron deference. For example, it is likely no longer within the FTC’s authority to definitively determine whether a financial institution subject to GLBA has implemented appropriate or sufficient technical and organizational measures. Where that determination turns on the meaning of the statute, it would now be a question for the courts.
The impact of Loper Bright on other aspects of FTC rulemaking and enforcement is less clear. The relatively underutilized Section 18 rulemaking (Magnuson-Moss rulemaking), which empowers the FTC to prescribe rules that define specific “unfair or deceptive acts or practices” within the meaning of Section 5 of the FTC Act, is already subject to more rigorous procedural hurdles, such as public consultation and advance notice to Congress, and arguably has never relied on Chevron deference. A related example is the Children’s Online Privacy Protection Act (COPPA) Rule, which requires websites and online services to obtain verifiable parental consent before collecting, using, or disclosing personal information from children under 13; Congress directed that violations of the COPPA Rule be treated as violations of a rule issued under Section 18. It is arguable that both before and after Loper Bright, ambiguity in a rule promulgated under Section 18 would be subject to judicial review without Chevron deference, although that point remains unsettled. Additionally, FTC enforcement actions resolved by settlement (generally in the form of consent orders) never relied on Chevron deference, as courts have historically considered such actions to “lack the force of law,” making them ineligible for deference in the first place. However, while the overturning of Chevron may not directly affect the FTC’s ability to enter into consent decrees, it could diminish the agency’s leverage in persuading companies to agree to such orders, since the loss of judicial deference may weaken the agency’s perceived authority.
Conclusion
The strategic approach a company takes as it develops a comprehensive privacy program often requires it to assess the risks associated with each component of that program. This includes interpreting applicable data protection and security laws that are high-level in nature and generally less prescriptive, in order to determine what the company must do to achieve better compliance hygiene. This recent Supreme Court ruling should be taken into consideration when assessing those risks.
If you have any questions or want to learn more about how the recent Supreme Court rulings may impact your business or the development of your privacy program, please contact a member of Varnum’s Data Privacy and Cybersecurity Team. Our team can leverage our years of practical experience in operationalizing privacy programs to help you find pragmatic approaches on the path to compliance.