One week ago, a declaration appeared in the Federal Register, the daily chronicle of U.S. regulatory policy. It was a "determination" signed by Secretary of State Marco Rubio, describing his broad interpretation of the scope of the "foreign affairs functions of the United States."
The directive gave procedural cover to a wide array of possible future government actions, purporting to exempt them from the delays and frictions imposed by the Administrative Procedures Act. The APA is a 1946 law that serves as the cornerstone of U.S. administrative law, establishing the framework for federal agencies to propose and review regulations while safeguarding public participation and procedural fairness.
From its earliest form, reflecting existing limits on congressional authority over certain executive functions, the APA recognized an exemption from the law's procedural requirements for all "foreign affairs functions." Matters of foreign affairs are not subject to the notice-and-comment requirements of the APA for several reasons, including the usual exigency of such policy changes, their frequent reliance on confidential information, and constitutional limits on the justiciability of diplomatic and national security matters.
The core work of the Department of State, the cabinet-level agency that Rubio leads, has generally been understood to be completely exempt under the foreign affairs exception throughout the history of the APA. But the new policy does not just relate to the State Department. It concludes with a pronouncement that "all efforts, conducted by any agency of the federal government, to control the status, entry, and exit of people, and the transfer of goods, services, data, technology, and other items across the borders of the United States, constitute a foreign affairs function of the United States under the APA."
By its terms, this determination on the scope of foreign affairs has much more to do with matters of immigration and the Administration's incipient trade wars than it does with privacy or other digital policy matters.
Nevertheless, the language also signals potential implications for digital trade. After all, removing the extraneous words, the directive claims that cross-border data policy falls within the foreign affairs exemption and thus could be changed by the executive branch without public notice and comment. That is, "all efforts, conducted by any agency of the federal government, to control … the transfer of … data … across the borders of the United States, constitute a foreign affairs function of the United States under the APA."
This interpretation is untested in court, not least because the U.S. government has generally avoided any attempt to control or limit the transfer of data across borders, by administrative rule or otherwise.
Of course, there is one recent glaring exception to the U.S.'s hands-off approach to the flow of data across borders, and it illustrates that the State Department's interpretation is not entirely new.
The final rule from the Department of Justice's National Security Division known by most as the data security rule is set to go into effect on 8 April. The rule was instigated by President Joe Biden's executive order 14117, Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern, which has not been rescinded by the Trump administration.
As it happens, despite conforming to a three-step notice-and-comment process, the DOJ's implementation of the rule did not take place under the APA. As explained in footnote 25 of the final rule, the DOJ asserted the foreign affairs function exception, but engaged in the comment process because it was explicitly instructed to do so in the executive order.
The DOJ includes some reasoning for relying on this exception:
"As described in the Order, this threat to the national security and foreign policy of the United States has its source in whole or substantial part outside the United States. Accordingly, the rule has a direct impact on foreign affairs concerns, which include the protection of national security against external threats (for example, prohibiting or restricting transactions that pose an unacceptable risk of giving countries of concern or covered persons access to bulk U.S. sensitive personal data)."
But how do these executive assertions comport with the legal understanding of the APA's exceptions?
Luckily for our interpretive efforts, the exemption for foreign affairs functions has frequently been the subject of litigation in the past. Unluckily, the process of applying the exemption is a matter of significant debate and various U.S. circuit courts have applied differing tests in determining what counts as foreign affairs.
In an illuminating law review analysis of the “lost history” of the foreign affairs exception, Stephen Migala, who at the time of the 2023 publication was an attorney advisor at the State Department, reviewed the various legal tests courts have used when determining whether agencies have properly relied on the foreign affairs exception in their regulatory activities.
He explains the two major legal tests deployed by judges in the split between circuit courts.
"The split, comprised of different and competing tests, is well acknowledged by courts but has grown even more pronounced in recent years. In some circuits, the test is whether following the public rulemaking provisions would provoke definitely undesirable international consequences. … In others, the test is more like a tautology, asking whether the excepted subject matter clearly and directly involved a foreign affairs function."
Migala uses his article and its detailed analysis of the historical record to propose a more refined and granular approach to applying the foreign affairs exception. But for now, courts seem to use some combination of the "undesirable consequences test" and the "clearly and directly involved" test.
There is evidence of DOJ's awareness of both tests in its brief justification for claiming the exception, even when voluntarily embracing a notice-and-comment process. There, the analysis is meant as a defensive posture in case the final rule is challenged on administrative procedural grounds.
If both administrations are correct, however, no lengthy comment period is required for future changes in restrictions on cross-border data rules, though the new administration's posture appears broader than the national security nexus identified in the DOJ rule.
It is unclear what such future restrictions could look like in the U.S. context, but the new DOJ program provides one roadmap. The data security rule restricts access to various volumes of bulk sensitive personal data by countries of concern or other covered persons. But the definitions of "countries of concern" and "covered persons" are both subject to change at any time.
As stated in the final rule, the list of countries of concern was determined by the attorney general "with the concurrence of the Secretaries of State and Commerce" because they "engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of U.S. persons and pose a significant risk of exploiting government-related data or bulk U.S. sensitive personal data to the detriment of the national security of the United States or security and safety of U.S. persons."
And, though limited under the current terms to listed criteria for persons with some nexus to the identified countries of concern, the rule permits the attorney general to "designate any person as a covered person for purposes of this part" after consultation with the Department of State and any "other agencies as the Attorney General deems appropriate."
Future court battles would determine the full scope of flexibility, but a broad understanding of executive powers around data opens the door to uncertainty for data flows.
Please send feedback, updates and undesirable consequences to cobun@iapp.org.
Cobun Zweifel-Keegan, CIPP/US, CIPM, is the managing director, Washington, D.C., for the IAPP.
