Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.

Privacy professionals in the U.S. increasingly have to account for the national security implications of how their companies handle personal data. A striking number of recent U.S. legal initiatives have begun treating personal data as a dual-use technology, meaning it has both military and civilian applications. This article draws on a new, detailed law review article that is now available online. It provides an introduction to the new developments and suggests tips for privacy compliance teams responding to the new national security requirements.

The recent legal developments include two 2024 laws passed by Congress: the TikTok ban, enacted as the Protecting Americans from Foreign Adversary Controlled Applications Act, and the Protecting Americans’ Data from Foreign Adversaries Act. The Department of Justice’s Bulk Data Regulation enters its compliance phase this fall. In addition, there have been expanded actions by the Committee on Foreign Investment in the United States, as well as other sectoral rules, such as those governing the export of data from connected cars.

Introducing the U.S. export control regime

Until recently, most privacy professionals never had to focus on the complex U.S. legal regime for export controls. Export control laws expanded after World War II, notably as a way to keep nuclear and other military-relevant technologies out of the hands of Communist nations such as the Soviet Union and China. The U.S. created dual-use rules under the Coordinating Committee for Multilateral Export Controls and its current iteration, the Wassenaar Arrangement. After the collapse of the Soviet Union, controls of dual-use technology became less strict, although presidents continued to invoke emergency powers under the International Emergency Economic Powers Act.

Export controls have expanded considerably once again, with Peter Harrell stating that “the last decade has been the golden age of sanctions.” Multiple federal agencies help administer the system. The U.S. Department of State regulates defense articles and services under its International Traffic in Arms Regulations. The U.S. Department of the Treasury manages the U.S. government’s sanctions and embargo programs through its Office of Foreign Assets Control. And the Bureau of Industry and Security in the Commerce Department maintains the Commerce Control List, which identifies the items subject to export controls.

Regulatory actions by the CFIUS

Since 1988, the CFIUS has had the power to ban proposed or pending “mergers, acquisitions, or takeovers” by foreign persons that “threaten to impair the national security.” In 2018, Congress expanded the CFIUS mandate in the Foreign Investment Risk Review Modernization Act. The law directed the CFIUS to examine the extent to which a covered transaction may “expose, either directly or indirectly, personally identifiable information, genetic information, or other sensitive data of United States citizens to access by a foreign government or foreign person that may exploit that information in a manner that threatens national security.”

Consider four actions involving personal data and CFIUS. First, in 2018, the Chinese electronic payments company Ant Financial terminated its proposed acquisition of MoneyGram, a money transfer company, after it became clear the CFIUS would not approve it. Press coverage stated that China’s government could gain access to sensitive financial data and financial flows, potentially allowing China to identify members of the U.S. military having financial difficulties to subsequently target for blackmail.

In a second action, a Chinese company sold off its control over the dating app Grindr. Sen. Ron Wyden, D-Ore., criticized the acquisition, stating “[I]t is high time for the administration and CFIUS to consider the national security impact of foreign companies acquiring large, sensitive troves of Americans’ private data.”

In 2020, President Donald Trump blocked the acquisition of the hotel management software company StayNTouch by a Chinese firm. The company handled sensitive, travel-related personal information and used facial recognition to authenticate guest identities.

Also in 2020, CFIUS investigated the acquisition of the social media company Musical.ly by ByteDance, the parent company of TikTok. The same year, Trump ordered TikTok to divest both the assets it uses to support U.S. operations and the data obtained or derived from users in the U.S. The divestiture did not happen at that time, however, as ByteDance challenged the order in court. The Biden-Harris administration then asked the court to hold the suit while it negotiated with ByteDance.

2024 Legislation: TikTok ban and PADFA

In the spring of 2024, as part of a legislative package supporting Ukraine and Israel, Congress included two new laws treating personal data as a dual-use technology.

The Protecting Americans from Foreign Adversary Controlled Applications Act required a nationwide ban on TikTok unless its Chinese parent, ByteDance, divests its interest in the company. This act sought to address concerns about the national security risks associated with Beijing’s access to Americans’ sensitive personal data, as well as concerns about content manipulation. Trump has issued executive orders pausing enforcement of the law to allow for negotiations concerning the divestiture. At the time of this writing, the divestiture has not been finalized.

The second law was the Protecting Americans’ Data from Foreign Adversaries Act. The core prohibition of PADFA is that it is illegal for a data broker to sell or otherwise make available personally identifiable sensitive data of a U.S. individual to an individual or entity controlled by a foreign adversary nation. The listed foreign adversary nations are China, Iran, North Korea and Russia. The U.S. Federal Trade Commission enforces PADFA, and at least one FTC commissioner has stated that enforcement of PADFA will be a priority.

Privacy professionals should note apparently broad definitions in PADFA, as previously analyzed. For instance, in contrast to state privacy laws, PADFA’s definition of sensitive information appears to include “first party” information — information collected from individuals by the websites the individual chose to visit. Under this definition, an ad tech company that passes along websites’ bids for ads, which contain information such as the users’ websites visited, to a covered entity might fall within the scope of PADFA.

The DOJ bulk data rule

The most sweeping example of U.S. dual-use regulation of personal data is the DOJ’s Bulk Data Rule, which became final in January 2025. In April, the Trump administration confirmed that enforcement would begin on 6 Oct. 2025. The final rule is quite complex, and some points that are most relevant to privacy professionals are highlighted below. For the first time, enforcement of a privacy law governing the private sector will be performed by the DOJ, which can seek both civil and criminal penalties.

Definitions

The rule prohibits “any transaction that involves any access by a country of concern or covered person to any government-related data or bulk U.S. sensitive personal data and that involves” data brokerage. The countries of concern are the four foreign adversary nations listed in PADFA (China, Iran, North Korea and Russia) plus Cuba and Venezuela.

The term covered person is defined broadly under the rule. Although the term excludes U.S. persons, a “covered person” includes essentially any company operating in a country of concern, as well as any individual who is “primarily resident in a country of concern.” “Data brokerage” is also defined broadly as “the sale of data, licensing of access to data, or similar commercial transactions...involving the transfer of data from any person (the provider) to any other person (the recipient), where the recipient did not collect or process the data directly from the individuals linked or linkable to the collected or processed data.”

Thresholds

Given the definition of data brokerage as any activity where the recipient did not receive the data directly from individuals, the thresholds for bulk data are important. For instance, the prohibition applies for precise geolocation data for 1,000 devices or personal health data for 10,000 persons. These thresholds in practice may be met considerably more often than one might think because the prohibition applies “regardless of whether the data is anonymized, pseudonymized, de-identified, or encrypted.” That is, because the goal of the regulation is to prevent access by the most advanced persistent threats, such as China and Russia, even data that is de-identified under other standards, like the Health Insurance Portability and Accountability Act, will still trigger the prohibitions on access by covered persons.

Online advertising practices

The rule’s prohibitions apply to a seemingly important range of online advertising practices. One of the examples for the definition of data brokerage discusses a U.S. company that owns or operates a mobile app or website for U.S. users: “That mobile app or website contains one or more tracking pixels or software development kits that were knowingly installed or approved for incorporation into the app or website by the U.S. company.” The rule’s prohibitions apply if the pixels or SDKs “transfer or otherwise provide access to...a country of concern or covered person-owned social media app for targeted advertising.”

Restricted transactions

Along with these significant prohibitions, enhanced security requirements apply to restricted transactions, which are vendor, employment, or investor agreements. In contrast to the ban on actual brokerage of data, the rule here appears to contemplate continued routine business operations, so long as entities comply with the Security Requirements for Restricted Transactions, issued in January 2025 by the Cybersecurity and Infrastructure Security Agency.

Tips for privacy professionals

The full law review article provides extensive discussion of the new dual-use laws for personal data, including analysis of the arguments supporting and critiquing the entire initiative to apply privacy rules for national security reasons. The focus here, however, is on steps privacy professionals might consider as national security issues become so much more prominent in the governance of personal data.

  1. Consider how to bring national security expertise to the team that has led the company’s privacy compliance. For the many privacy professionals who have not specialized in national security issues, it is becoming increasingly important to have in-house or outside assistance from people with national security insight. For instance, national security experts quite possibly have insights about what is considered especially risky from a national security perspective.
  2. Benefit from synergies in complying for privacy and national security purposes. Fortunately, the components of a privacy compliance program overlap considerably with the new tasks required to comply with the dual-use requirements. Notably, data mapping has long been a crucial first step for privacy compliance. Accurate data mapping becomes even more important because the dual-use restrictions require careful attention as to whether any sensitive data of Americans is becoming available to a country of concern.
  3. Coordinate compliance with the cybersecurity team. The DOJ Bulk Data Rule continues to permit defined vendor, employment, and investment agreements with countries of concern. Any such agreements, however, have to meet the comprehensive security standards defined by CISA.
  4. Monitor how the new definitions are interpreted. For example, PADFA’s definition of sensitive data appears to include first-party web data, in contrast to the focus of U.S. state privacy laws on third-party data. Under the DOJ Bulk Data Rule, data flows to a country of concern are covered “regardless of whether the data is anonymized, pseudonymized, de-identified, or encrypted.” These and other novel definitions make it difficult to assess the risk of enforcement under the new laws. Guidance and early enforcement actions by DOJ and the FTC will provide important clues.
  5. Finally, consider how these national security issues fit into your company’s overall data governance structure. To comply with the new laws, the traditional privacy compliance function will have greater overlap both with cybersecurity and national security experts. Consider what evolution may be needed in your company to meet both privacy and these overlapping goals.

Peter Swire is the J.Z. Liang Chair in the School of Cybersecurity and Privacy at Georgia Tech.