
IAPP – Personal data as a dual-use technology: Privacy professionals face new export controls

The below excerpts were originally published in an article for the IAPP and are reprinted here with permission of same.

Privacy professionals in the U.S. increasingly have to account for the national security implications of how their companies handle personal data. A striking number of recent U.S. legal initiatives have begun treating personal data as a dual-use technology, meaning it has both military and civilian applications. This article draws on a new, detailed law review article that is now available online. It provides an introduction to the new developments and suggests tips for privacy compliance teams responding to the new national security requirements.

The recent legal developments include two 2024 laws passed by Congress: the TikTok ban and the Protecting Americans' Data from Foreign Adversaries Act. The Department of Justice's Bulk Data Regulation is entering into compliance this fall. In addition, there have been expanded actions by the Committee on Foreign Investment in the United States, as well as other sectoral rules, such as those on exporting data from connected cars.

Tips for privacy professionals

The full law review article provides extensive discussion of the new dual-use laws for personal data, including analysis of the arguments supporting and critiquing the entire initiative to apply privacy rules for national security reasons. The focus here, however, is on steps privacy professionals might consider as national security issues become so much more prominent in the governance of personal data.

  1. Consider how to bring national security expertise to the team that has led the company’s privacy compliance. For the many privacy professionals who have not specialized in national security issues, it is becoming increasingly important to have in-house or outside assistance from people with national security insight. For instance, national security experts quite possibly have insights about what is considered especially risky from a national security perspective.
  2. Benefit from synergies in complying for privacy and national security purposes. Fortunately, the components of a privacy compliance program overlap considerably with the new tasks required to comply with the dual-use requirements. Notably, data mapping has long been a crucial first step for privacy compliance. Accurate data mapping becomes even more important because the dual-use restrictions require careful attention as to whether any sensitive data of Americans is becoming available to a country of concern.
  3. Coordinate compliance with the cybersecurity team. The DOJ Bulk Data Rule continues to permit defined vendor, employment, and investment agreements with countries of concern. Any such agreements, however, have to meet the comprehensive security standards defined by CISA.
  4. Monitor how the new definitions are interpreted. For example, PADFA’s definition of sensitive data appears to include first-party web data, in contrast to the focus of U.S. state privacy laws on third-party data. Under the DOJ Bulk Data Rule, data flows to a country of concern are covered “regardless of whether the data is anonymized, pseudonymized, de-identified, or encrypted.” These and other novel definitions make it difficult to assess the risk of enforcement under the new laws. Guidance and early enforcement actions by DOJ and the FTC will provide important clues.
  5. Finally, consider how these national security issues fit into your company’s overall data governance structure. To comply with the new laws, the traditional privacy compliance function will have greater overlap both with cybersecurity and national security experts. Consider what evolution may be needed in your company to meet both privacy and these overlapping goals.

 

The full article is available at IAPP.

*     *     *

These statements are attributable only to the author, and their publication here does not necessarily reflect the view of the Cross-Border Data Forum or any participating individuals or organizations.
