Privacy & Information Security Law Blog

On December 6, 2024, the U.S. Court of Appeals for the D.C. Circuit upheld the Protecting Americans from Foreign Adversary Controlled Applications Act, which is set to take effect on January 19, 2025, and make the distribution of TikTok illegal in the U.S. if parent company ByteDance has not divested. The D.C. Circuit is now considering a request for emergency injunction pending Supreme Court review. 

In November 2024, the Department of Commerce’s Artificial Intelligence Safety Institute established a new taskforce to research and test AI models in areas critical to national security and public safety, while ODNI released guidance on the acquisition and use of foundation AI models, both part of the national security community’s response to the directives of the recent White House AI Memo and Executive Order 14110.

On November 27, 2024, the Centre for Information Policy Leadership at Hunton Andrews Kurth filed a response to the Department of Justice’s Notice of Proposed Rulemaking, which implements Executive Order 14117 of February 28, 2024.

On October 24, 2024, the White House released a memorandum implementing Executive Order 14110 on national security and responsible AI.

On October 21, 2024, the U.S. Department of Justice National Security Division issued a Notice of Proposed Rulemaking implementing Executive Order 14117 that will restrict certain transactions with high-risk countries.

On August 14, 2024, the Committee on Foreign Investment in the United States disclosed that it had assessed a $60 million penalty against T-Mobile US, Inc. in connection with unauthorized data access incidents following T-Mobile’s 2020 merger with Sprint Corporation.

Hunton Andrews Kurth released a client alert on the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) settlement with EFG International AG. On March 14, 2024, OFAC announced a settlement (the “Settlement”) with EFG International AG, a global private banking group based in Switzerland with many global subsidiaries (collectively, the “Manager”) regarding violations of OFAC rules alleged to have occurred as a result of the Manager’s buying, selling and, in many cases, merely holding, U.S. securities on behalf of persons sanctioned by OFAC. 

On March 20, 2024, the U.S. House of Representatives passed legislation that will prohibit data brokers from transferring U.S. residents’ sensitive personal data to foreign adversaries, including China and Russia. The House bill HR 7520 (the “Bill”), also known as the Protecting Americans’ Data from Foreign Adversaries Act of 2024, marks a significant development in executive and legislative action related to foreign access to U.S. data. The Bill follows a similarly groundbreaking Executive Order and Department of Justice Notice of Proposed Rulemaking issued at the end of February that will establish strict protective measures against data exploitation by countries considered national security threats for U.S. sensitive personal data and U.S. government-related data. The Bill also comes after the House overwhelmingly passed HR 7521, (the Protecting Americans from Foreign Adversary Controlled Applications Act) resulting from concerns that the Chinese government would compel TikTok (or other foreign adversary-controlled apps) to turn over U.S. data. HR 7521 would effectively require TikTok to divest from parent company ByteDance in order to avoid a ban in the U.S.

On February 28, 2024, President Biden released an Executive Order (“EO”) “addressing the extraordinary and unusual national security threat posed by the continued effort of certain countries of concern to access Americans’ bulk sensitive personal data and certain U.S. Government-related data.” In tandem with the EO, the Department of Justice’s (“DOJ’s”) National Security Division is set to issue an advance notice of proposed rulemaking (“ANPRM”) pursuant to the EO, which directs the DOJ to “establish, implement and administer new and targeted national security programming” to address the threat. The DOJ regulations will identify specific categories of “data transactions” that are prohibited or restricted due to their “unacceptable risk to national security.”