After months of uncertainty from a tight presidential and congressional election, Tuesday's results now help begin to paint a clearer picture of what we can expect with digital policy in 2025 and beyond. Though many questions remain, a Republican mandate in the White House and Senate — and potentially the House of Representatives — could bring a sea change in executive policy and regulation in the digital space.
It is expected that the Republican-led federal government will take a deregulatory approach, particularly with regard to artificial intelligence, putting safety guardrails and risk mitigation obligations aside for a more pro-innovation focus, particularly against countries like China, according to Axios.
AI executive order
President-elect Donald Trump has said on more than one occasion that he plans to overhaul the Biden administration's AI executive order from "day one." The executive order, which just celebrated its one-year anniversary, is well underway, but components of it may receive blow back from the incoming administration, which could overturn specific aspects of it.
As part of the order, companies building dual-use foundation models have reporting requirements related to how they are being trained and secured. The order also directs the National Institute for Standards and Technology to create guidance on helping companies identify and mitigate bias and discrimination flaws.
"Trump has promised to repeal the order," IAPP Managing Director, DC, Cobun Zwiefel-Keegan, CIPP/US, CIPM, said, "but maybe not right away. It seems like most of the opposition is related to anti-bias and discrimination in AI."
Trump allies, including U.S. Rep. Nancy Mace, R-S.C., argue that the executive order also tamps down innovation and "could scare away would-be innovators and impede more ChatGPT-type breakthroughs."
R-Street Institute’s Brandon Pugh, CIPP/US, CIPM, FIP, said, "Overall, I believe there will be a general sense of technological optimism —especially for AI — rather than concerns that it might lead to widespread harm and therefore, be used to justify prescriptive regulation."
Digital trade and trans-border data flows
Though the EU-U.S. Data Protection Framework was created under the previous Trump administration after Privacy Shield was invalidated by the Court of Justice of the EU, the Biden administration did issue an executive order and implementing regulations to operationalize the DPF. While the incoming administration could overturn or modify those, Zwiefel-Keegan does not expect that to change. Instead, if anything, the DPF will eventually be challenged, once again, in the CJEU.
Digital trade policy, however, could see changes. "There is reason to think the new administration will push back on existing trade policy, which changed under Biden away from the unencumbered free flow of data," Zwiefel-Keegan said. "The new administration will likely provide a reset in digital policy."
The security of critical infrastructure and trans-border data flows "have become infused with national security concerns in recent years," IAPP Cybersecurity Law Center Managing Director Jim Dempsey said. "China is seen as a major adversary, and Trump in his first term was quite suspicious of China, so that would suggest a more regulatory approach."
Cybersecurity law and critical infrastructure
In looking ahead, Dempsey said future regulation will be hard to predict. "A lot will turn on the personnel Trump chooses for key roles. One would normally assume that a Republican victory would mean a less regulatory, more pro-business approach on consumer protection, so to the extent that cybersecurity is a consumer issue, you would assume a less regulatory approach. But Trump is not what a normal Republican used to be," he said.
A cyber agenda driven by national security would mean a continuation of initiatives pursued by President Joe Biden, who was advancing various controls that began with executive orders issued by Trump in his first term, Dempsey noted.
He also pointed to the Republican party platform, which promised to "use all tools of national power to protect our nation's critical infrastructure and industrial base from malicious cyber actors" and "to raise the security standards for our critical systems and networks."
"That sounds pretty regulatory," Dempsey said, "although party platforms might not mean that much, especially for Mr. Trump."
R-Street’s Pugh said, "Cybersecurity has largely been a bipartisan issue and both parties want to see it improved, but they have different ways to accomplish that goal. For instance, the Biden administration has leaned into mechanisms for legal liability and new regulations to advance cybersecurity. I anticipate a Trump administration will be very skeptical of those approaches and instead look to see how we can better harmonize and streamline what we currently have now."
Dempsey predicts that the Defense Department's Cybersecurity Maturity Model Certification program for defense contractors "will not be derailed. Ditto for the initiative addressing the cybersecurity of China-made cranes at U.S. ports."
He also said the Justice Department "will issue a final rule on exports of American's sensitive data before January 20, and it will not be revoked by the new administration (but ... may face a court challenge).
For cybersecurity in the health care sector, "don't expect the Trump administration to support final changes that the Biden administration made this year to the HIPAA Privacy Rule aimed at enhancing the privacy of reproductive health information," Healthcare Info Security reports.
"While it takes meaningful effort to reverse an existing regulation," Wilmer Hale Partner Kirk Nahra, CIPP/US, said, "I expect the Trump administration to downplay any compliance obligations stemming from the recent Dobbs-related changes to the Privacy Rule."
Federal Trade Commission
There will likely be significant changes to the makeup of the top consumer protection cop in the U.S. FTC Chairwoman Lina Khan's term is expiring, and it is unlikely she will be renominated. Though it is not yet clear who will be chosen to lead the agency, there are two existing Republican commissioners, Melissa Holyoak and Andrew Ferguson. Trump could point to one of them as acting chair, as happened in 2017 with Maureen Ohlhausen.
The other two Democratic commissioners, Alvaro Bedoya and Rebecca Slaughter, will likely remain. Bedoya's term ends in 2026 and Slaughter's in 2029.
"It's also an open question as to whether the FTC will push through its proposed rulemaking for commercial surveillance before the end of the year," Zwiefel-Keegan said. Though he does not expect the agency to complete the rulemaking, they could publish their report "to show their work." This could lead, he suggested, to a framework that could be used down the line.
Federal privacy law
Another open question relates to how Congress will approach a federal privacy law. The American Privacy Rights Act made headway in 2024, but lost steam as the election ramped up. There's also an open question about who will control the House of Representatives, though at this stage, it looks like Republicans will control both houses and the executive.
Zwiefel-Keegen is skeptical that privacy and AI governance will be at the top of the Republican agenda, but it is clear that state preemption will be top of mind when the time comes. Sen. Ted Cruz, R-Texas, won his reelection and has been ranking member on the Senate Commerce Committee, which handled the APRA. Cruz has been clear he wants a federal privacy to law to preempt other state laws, such as California's.
Though it's not final, Sen. John Thune, R-S.D., could become the next majority leader in the Senate, as well, and he has experience with data privacy policy as having formerly served on the Senate Commerce Committee when it worked on the APRA's predecessor, the American Data Privacy and Protection Act.
On the House side, with the retirement of Rep. Cathy McMorris Rodgers, R-Wash., who previously led the House Commerce Committee's work on the APRA, "there will be a full reset around the dialogue involving comprehensive privacy law," Zwiefel-Keegan said.
"Although we are still waiting to see which party controls the House, it’s likely that the status quo remains, and the states will continue to pass privacy and AI laws. Neither party has prioritized passing a federal law when in power," Husch Blackwell Partner David Stauss said.
"Some may argue that a Republican-controlled federal government will make it more likely for a weak federal law to pass," Stauss continued, "but the Republican party's relationship with Big Tech is a lot more nuanced than that. Republican states have passed strong (often unconstitutional) social media laws. Texas has emerged as a significant player in privacy enforcement, and one of Trump's biggest supporters — Elon Musk — supported California's SB 1047, which sought to regulate AI."
"For both artificial intelligence and data privacy, preemption of state laws will continue to be highly important for both a Republican Senate and administration," R-Street's Pugh said.
What will this mean for state privacy laws?
In the absence of comprehensive federal privacy law, the states will once again be active in the upcoming year.
"When the dust settles, we need to dig into what happened at the state level," Stauss said. "Come January, states like Colorado, Connecticut, Vermont, and Maine will once again be top of mind but other states will also be relevant with privacy and AI bills. We need to analyze gains and losses in state chambers and think about what that means for bills moving forward."
Stauss added, "We need to be mindful of how Democratic-controlled states may react. The Supreme Court overturning Roe vs. Wade was a jolt that resulted in Washington state passing the My Health My Data Act. Could we see something similar occur based on this election?"
Jedidiah Bracy is the editorial director for the IAPP.