U.S. policymakers are increasingly viewing personal data as a dual-use asset, where data retention can create economic benefits while leaving the potential for exploitation by foreign adversaries. With wider access to troves of consumer personal information, regulators have raised concerns about the potential processing of military members' sensitive personal data, including geolocation information.

On a recent IAPP webinar, Crowell Global Advisors Director Nigel Cory noted personal data being treated as a dual-use asset is not "only about consumer harm or baseline privacy anymore." He added, "It is about the national security externalities, but what exactly that looks like and what that means in practice, continues to emerge."

National security concerns are indeed putting a premium on protections for cross-border data transfers. The U.S. has taken steps toward safeguards through the Protecting Americans' Data from Foreign Adversaries Act of 2024 and the Department of Justice's Data Security Program.

The two regimes have their differences but ultimately share the same goal: protecting sensitive data from access or misuse by designated foreign adversaries and countries of concern. The combination of sweeping policies and broad restrictions creates various complexities for organizations working to comply.

"Companies are adapting rapidly, but many are doing so in a fog. At this stage, there is a lot of guesswork, and that's a shaky foundation for major potential restructuring in governance and compliance changes," Cory said.

Noncompliance under both U.S. regulatory instruments is already being addressed.

The Federal Trade Commission recently drafted and published its PADFAA noncompliance letter, signaling intentions to begin enforcement. Meanwhile, Bloomberg Law reported a federal class-action lawsuit was filed against Lenovo claiming its third-party tracking tools violated the DOJ's DSP.

The task at hand

Alston and Bird Senior Counsel and Georgia Tech Professor Peter Swire, CIPP/US, noted companies within the countries of concern may face additional challenges due to potential targeted enforcement. Swire said the issue with broad and "apparently strict laws" is "they can be used against people when the enforcers want to use it that way."

"So that is one reason to be somewhat more concerned about these laws, even if they haven't been enforced yet, because if you ignore them, then you set yourself up for a possible selective prosecution," he added.

One novel compliance consideration is integrating national security expertise into compliance teams. That added knowledge would lend support and relevant perspective to assessments of cybersecurity functions and data governance structures.

"This is a cross-functional, cross-team, cross-business issue with privacy, cybersecurity, procurement and vendor management, and obviously national security and export controls," Cory said. "There's obviously still considerable uncertainty around it, but you need to start putting these pieces together and get the compliance processes in place now."

Lexie White is a staff writer for the IAPP.