Personal data as a dual-use technology: Privacy professionals face new export controls

Privacy professionals in the U.S. increasingly have to account for the national security implications of how their companies handle personal data. A striking number of recent U.S. legal initiatives have begun treating personal data as a dual-use technology, meaning it has both military and civilian applications. This article draws on a new, detailed law review article that is now available online. It provides an introduction to the new developments and suggests tips for privacy compliance teams responding to the new national security requirements.

The recent legal developments include two 2024 laws passed by Congress: the TikTok ban and the Protecting Americans from Foreign Adversary Controlled Applications Act. The Department of Justice’s Bulk Data Regulation is entering into compliance this fall. In addition, there have been expanded actions by the Committee on Foreign Investment in the United States, as well as other sectoral rules, such as exporting data from connected cars.

Introducing the U.S. export control regime

Until recently, most privacy professionals never had to focus on the complex U.S. legal regime for export controls. Export control laws expanded after World War II, notably as a way to keep nuclear and other military-relevant technologies out of the hands of Communist nations such as the Soviet Union and China. The U.S. created dual-use rules under the Coordinating Committee for Multilateral Export Controls and its current iteration, the Wassenaar Arrangement. After the collapse of the Soviet Union, controls of dual-use technology became less strict, although presidents continued to invoke emergency powers under the International Emergency Economic Powers Act.