We have recently written on whether protecting personal data should be regulated using a property model instead of a privacy model (and concluded, probably not).  Another framework for regulating personal data that is getting increased attention is a national security model, which looks at securing personal data as a means of protecting the country from unfriendly government actors or agents who might use that data to harm the national interest.

At the “Washington Comes to Silicon Valley” conference on October 22, John Demers, the Assistant Attorney General of the DOJ’s National Security Division, said that the U.S. government is concerned about national security risks posed by foreign companies acquiring personal data of U.S. citizens through corporate acquisitions.  One concern with such acquisitions is that if sensitive personal data of American officials falls into the hands of foreign governments, that information could be used to extort or blackmail individuals with access to classified information.

Government authorities have already taken steps to mitigate these risks.  Earlier this year, the Committee on Foreign Investment in the United States (“CFIUS”)—the federal body responsible for reviewing investments in U.S. businesses by foreign persons that present national security risks—mandated divestments in two cases that seem to follow this framework.  In both cases, observers speculated that CFIUS was concerned that the investment afforded a foreign entity access to sensitive personal data of U.S. persons that could be used to gain improper influence.  In addition to blackmail, private data could be exploited by foreign governments to track the locations of military and government personnel, or to gain unauthorized access to their computers or phones and steal intellectual property or other sensitive information.

Congress has also taken some action in this area, passing a law in August 2018 that expanded CFIUS’s jurisdiction to review foreign investments in which the U.S. business collects or maintains “sensitive personal data.”  Just last month, the Treasury Department issued proposed regulations to define “sensitive personal data” for these purposes, regulations which appear to have been influenced by more conventional privacy frameworks like the General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act (“CCPA”).

The increased focus on potential national security risks associated with personal data could further incentivize Congress to regulate the collection, use, and disclosure of sensitive personal data of all U.S. businesses, not just those with foreign investors.  There are at least two implications of a national security framework for personal data.

The first is that framing data protection as a national security interest highlights the need for more private-public sector cooperation in addressing cybersecurity and corporate espionage risks.  In a separate interview last week, Assistant Attorney General Demers explained that a key point of emphasis in the DOJ’s National Security Division is outreach to companies to demonstrate the benefits of early notification to the government when a cyber intrusion or IP theft is identified.  He noted that U.S. companies face not only the threat of government-sponsored external hacks, but also insider malfeasance by employees who have been co-opted by foreign intelligence services.  Because companies often lack the resources and the experience to combat a nation state’s full intelligence apparatus on their own, Demers argued, partnership between business and government to protect IP and personal data is essential.  In short, viewing data protection as a national security matter (rather than a purely commercial or privacy matter) encourages the private and public sectors to coordinate from the outset when responding to a data breach, and to work more closely on cyber issues generally.

The second implication of viewing data security through a national interest lens is that it bolsters the argument for federal data protection standards.  Indeed, the objectives of a national privacy law – requiring companies to (1) only collect personal information with good reason, (2) secure personal data from hacking, (3) provide notice or obtain consent before selling personal data, and (4) delete personal data when they no longer need it – are all consistent with and would reinforce the U.S. government’s national security objectives.

Opponents of a federal privacy law (or at least a law with broad preemption) have argued that the states should serve as “laboratories of democracy” by implementing their own privacy laws instead of (or on top of) a new federal law.  So far, they have gotten their wish, with dozens of state laws either passed or currently under consideration, and no federal proposal currently on the horizon that is likely to become law.  But if protecting the personal data of Americans from hackers and untrustworthy purchasers (which may include agents of foreign governments) is viewed increasingly as, at least in part, a national security issue, the federal interest in exclusively regulating this space is clearly strengthened.

We will continue to monitor these issues and report on important developments here at the Davis Polk Cyber Blog.

This article has also been posted at the Compliance & Enforcement blog sponsored by NYU Law’s Program on Corporate Compliance and Enforcement.