The U.S. Supreme Court’s decision in West Virginia v. EPA could affect upcoming rulemakings related to privacy and cybersecurity at the Federal Trade Commission (FTC) and Securities and Exchange Commission (SEC).
In the West Virginia decision, the Court invoked and formalized the “major questions doctrine,” which counsels that courts should be reluctant to conclude that agencies possess authority to resolve certain questions of great economic or political significance absent clear congressional authorization. The West Virginia decision grounds the major questions doctrine in “an identifiable body of law that has developed over a series of significant cases all addressing a particular and recurring problem: agencies asserting highly consequential power beyond what Congress could reasonably be understood to have granted.”1 Much like interpretive canons such as the presumption against retroactivity, the major questions doctrine reflects both “a practical understanding of legislative intent” and normative considerations — in this instance, “separation of powers principles.”2 Its underlying presumption is that “Congress intends to make major policy decisions itself, not leave those decisions to agencies.”3
In West Virginia, the Court applied the major questions doctrine to hold that the Environmental Protection Agency (EPA) had exceeded its statutory authority under the Clean Air Act to establish emissions standards with reference to a “best system of emission reduction” when it decided that the best system for reduction of carbon emissions from power plants was a sectorwide shift in electricity generation from coal to natural gas and renewables. The Court found that in adopting this generation-shifting approach, the EPA had impermissibly attempted to answer a “major question” without clear authorization to do so from Congress. Although the decision did not reference or expressly reject the longstanding Chevron doctrine of deference to reasonable agency interpretations of ambiguous statutory authorizations, it will effectively serve to curtail that doctrine for those “extraordinary cases” that are governed by the major questions doctrine. In “major questions” cases, “something more than a merely plausible textual basis for the agency action is necessary” to sustain the agency’s authority to act.
West Virginia’s Major Questions Doctrine Framework
As noted, the majority drew on what it described as “an identifiable body of law that has developed over a series of significant cases.” Under those cases, a court first asks whether the “‘history and the breadth of the authority that [the agency] has asserted,’ and the ‘economic and political significance’ of that assertion, provide a ‘reason to hesitate before concluding that Congress’ meant to confer such authority.”4 If so, the agency must point to “clear congressional authorization” for the power it claims — that is, “something more than a merely plausible textual basis.”5 In other words, once a court has established that the agency’s regulation concerns a “major question,” the government must show that Congress clearly authorized the agency to regulate in that manner.
The majority identified a number of factors that informed its conclusion that EPA’s action presented “major questions”: (1) the history of interpretation for the statutory basis of the power; (2) the degree of change the interpretation would impose on the statutory scheme, particularly if the agency “located [its] newfound power in the vague language of an ancillary provision” of the statute; (3) the breadth of the regulation, particularly if it spans “a significant portion of the American economy”; (4) the agency’s “comparative expertise” in making the policy judgments required for the regulation; and (5) the political importance of the regulatory question, particularly if “the [a]gency’s discovery allowed it to adopt a regulatory program that Congress had conspicuously and repeatedly declined to enact itself.”6
Potentially Affected Rulemakings
The Supreme Court’s formalization of the major questions doctrine could affect a wide range of regulatory initiatives. Here we address the potential impact on the FTC’s recently contemplated rulemakings in commercial surveillance and data security and in artificial intelligence (AI), as well as the SEC’s recent rulemakings relating to cybersecurity requirements.
1. FTC’s Contemplated Rulemaking on Commercial Surveillance and Data Security
The FTC recently issued an Advance Notice of Proposed Rulemaking (ANPR) on a “Trade Regulation Rule on Commercial Surveillance and Data Security,” seeking public comment on “the prevalence of commercial surveillance and data security practices that harm consumers” and “whether it should implement new trade regulations or other regulatory alternatives concerning the ways in which companies (1) collect, aggregate, protect, use, analyze, and retain consumer data, as well as (2) transfer, share, sell, or otherwise monetize that data in ways that are unfair or deceptive.” The ANPR includes 95 questions on a wide range of topics, including discrimination based on algorithmic decision-making and notice and disclosure requirements.
A number of elements related to the new ANPR suggest that the invigorated major questions doctrine could pose a significant challenge to the potential rulemaking. Given the breadth of the topics the ANPR addresses, with its focus on data security, the rulemaking almost certainly implicates a question of economic and political significance, and it would span “a significant portion of the American economy.”7
Moreover, the introduction of the ANPR at a time when there is a serious push for federal legislation on the very same issues — the proposed American Data Privacy and Protection Act — may also lead a court to conclude that the regulatory question addressed by the ANPR is an important political issue, and one that would lead the FTC “to adopt a regulatory program that Congress had conspicuously and repeatedly declined to enact itself.”8 Notably, Chair Lina Khan’s statement accompanying the ANPR describes the FTC as “the country’s de facto law enforcer in this domain” and apparently concedes that the FTC is not the de jure enforcer, supporting the view that a clear congressional mandate in this context is lacking. Indeed, the dissenting statements from Commissioners Noah Wilson and Christine Phillips foreshadowed major questions concerns about the rulemaking. Commissioner Wilson’s statement explicitly cited the West Virginia decision in warning that “regulatory and enforcement overreach increasingly has drawn sharp criticism from courts” and that “[r]ecent Supreme Court decisions indicate FTC rulemaking overreach likely will not fare well when subjected to judicial review.” Commissioner Phillips’ statement echoed a similar criticism, calling the ANPR “the first step in a plan to go beyond the Commission’s remit and outside its experience to issue rules that fundamentally alter the internet economy without a clear congressional mandate.”
Moreover, the major questions doctrine could present a particular obstacle with respect to the parts of the ANPR addressing algorithmic decision-making. Interpreting the FTC’s authority over “unfair or deceptive acts or practices”9 to cover algorithmic decision-making is a fairly new expansion of its power, one not clearly authorized by the language of the statute, and the FTC would likely be hard pressed to find any clear congressional mandate for it to expand into such a role. The regulation of AI is a question of major economic and political significance that could have far-reaching consequences in the American economy. It may also be difficult for the FTC to claim to have “comparative expertise” in making the necessary policy judgments for AI regulation given the technical and scientific aspects of the issue.
2. The SEC’s Rulemaking on Cybersecurity Disclosures
The major questions doctrine could also have implications for the SEC’s ongoing rulemaking initiative to require public companies to disclose information about cybersecurity risks, strategy, and incidents to investors.10 Cybersecurity is a question of great political and economic significance, and the application of the SEC’s rules is likely to have effects over a significant portion of the economy. Although the SEC lists a number of statutory provisions for the rulemaking, it is not clear that it can point to any clear authorization from Congress to extend its rulemaking powers into the cybersecurity arena.11
However, the SEC may have a better claim to a mandate in this context, as compared to the FTC rulemakings discussed above, because it can point to its extensive expertise as a guardian of securities markets and investors. While the SEC lacks comparative expertise on the subject matter of cybersecurity, the requirement arises in the context of financial disclosures, which is more clearly within the SEC’s traditional purview.
We also note that, similarly, the SEC’s proposed rule on ESG disclosures could face challenges under the major questions doctrine. Similar to the rulemaking regarding the disclosure of cybersecurity risks, one possible weakness of a major questions argument with respect to this rulemaking is that the SEC has long required disclosure of material risks of all types and for decades has made clear that environmental risks are potentially among such material risks. As with the cybersecurity rule, the fact that the SEC would not be regulating primary conduct, but rather only the disclosure of that conduct, will likely weaken any major questions argument.
Sidley is also reviewing the impact of the Supreme Court’s decision on other major industries, including the telecommunications and energy industries, and the authority of other government agencies to regulate climate change under the relevant statutory schemes.
Future Considerations
The major questions doctrine is likely to affect many rulemakings where various agencies are attempting to extend their reach into the data privacy and cybersecurity sphere. Overall, the doctrine is likely to create increased regulatory uncertainty with respect to rulemakings outside of an agency’s traditional lane — as is the case with many privacy and cybersecurity issues — and we can expect further litigation challenging rules on this basis.
In ongoing and upcoming rulemakings, regulated parties can seek to incorporate the doctrine into their comments whenever an agency is expanding the scope of its authority via rule.
1 West Virginia v. EPA, 142 S. Ct. 2587, 2609 (2022); see id. at 2608-09 (citing Util. Air Regul. Grp. v. EPA, 573 U.S. 302 (2014); FDA v. Brown & Williamson Tobacco Corp., 529 U.S. 120 (2000); Gonzales v. Oregon, 546 U.S. 243 (2006); King v. Burwell, 576 U.S. 473, 485 (2015); Ala. Ass’n of Realtors v. HHS, 141 S. Ct. 2485 (2021) (per curiam); NFIB v. OSHA, 142 S. Ct. 661 (2022) (per curiam); and Whitman v. Am. Trucking Ass’n, 531 U.S. 457 (2001))
2 West Virginia, 142 S. Ct. at 2609.
3 Id. (internal quotations and citation omitted).
4 Id. at 2595 (internal citation omitted).
5 Id. at 2609.
6 Id. at 2610, 2612-13 (internal quotation marks and citations omitted).
7 Id. at 2610.
8 Id. at 2612.
9 Under Section 18 of the FTC Act, the FTC “may prescribe rules which define with specificity acts or practices which are unfair or deceptive acts or practices in or affecting commerce” within the meaning of Section 5(a)(1) of the FTC Act, including “[r]ules ... prescribed for the purpose of preventing such acts or practices,” so long as the Commission has “reason to believe that the unfair or deceptive acts or practices which are the subject of the proposed rulemaking are prevalent.” 15 U.S.C. § 57a. Unfair or deceptive acts or practices “includes such acts or practices involving foreign commerce that — (i) cause or are likely to cause reasonably foreseeable injury within the United States; or (ii) involve material conduct occurring within the United States.” 15 U.S.C. § 45(a)(4)(A).
10 Specifically, the rules would require that a public company disclose, among other things, (1) information about a “material” cybersecurity incident within four business days; (2) its policies and procedures, if any, for identifying and managing cybersecurity risks; (3) its cybersecurity governance structure; (4) management’s role and relevant expertise in assessing cybersecurity risks and implementing the relevant policies and procedures; and (5) whether a member of its board of directors has any cybersecurity expertise.
11 Per the Notice of Proposed Rulemaking, the SEC finds the authority for the rulemaking in a wide swath of statutory provisions: “Sections 7 and 19(a) of the Securities Act and Sections 3(b), 12, 13, 14, 15, and 23(a) of the Exchange Act.”