A PYMNTS Company

New FTC, DOJ Rules Bring Data Governance Under the Export-Control Banner

November 5, 2025

A new wave of federal laws and regulations is recasting personal data as a dual-use technology, with both commercial and national security implications, subjecting it to the same export-control logic historically applied to cryptography, satellites, and semiconductor design. The result, according to an analysis by Peter Swire of the Certified Information Privacy Professional (CIPP) organization, is a regulatory convergence that is erasing the lines between privacy, trade and national-security compliance domains.

    Companies that collect, analyze, or share U.S. personal data, especially FinTech, health, mobility, and ad tech companies, must now evaluate whether routine data flows trigger prohibitions normally associated with arms-transfer controls.

    The shift began with the Committee on Foreign Investment in the United States (CFIUS), which for years has blocked foreign acquisitions involving large datasets on U.S. citizens, such as Ant Financial’s failed bid for MoneyGram, the forced divestiture of Grindr, and the government-ordered sale of StayNTouch. All were premised on the view that foreign ownership of sensitive financial, geolocation or biometric data could enable espionage, blackmail or influence operations.

    Two 2024 statutes formally brought personal data into the export-control framework: the Protecting Americans from Foreign Adversary Controlled Applications Act, which banned TikTok unless divested from Chinese ownership, and the Protecting Americans’ Data from Foreign Adversaries Act (PADFA), which prohibits data brokers from selling any sensitive personal data of U.S. individuals to entities tied to China, Russia, Iran, or North Korea.

    PADFA defines sensitive data to include first-party data, such as web-browsing information collected by a site itself, rather than just data shared with third parties, making it broader in scope than many state privacy laws. The Federal Trade Commission is charged with enforcement and has already signaled it will prioritize PADFA cases, per Swire.

    The strongest signal of the shift, however, is the implementation of the Justice Department’s Bulk Data Rule, which became effective in October. It bans data-brokerage transactions involving “bulk sensitive personal data” if the recipient is located in, or controlled by, a “country of concern,” meaning China, Russia, Iran, North Korea, Cuba or Venezuela.

    The rule applies regardless of whether the data have been pseudonymized, de-identified or encrypted, due to the re-identification capabilities of state-level actors. It also sets low thresholds for datasets to qualify as bulk data, such as just 1,000 precise-location records or 10,000 health records, meaning ordinary datasets can qualify.

    Even common online advertising models are covered by the rule, including pixels and SDKs that transmit data to foreign-owned platforms.

    Unlike consumer-focused privacy laws, the DOJ rule carries civil and criminal penalties and is enforced by national-security prosecutors, not consumer-protection bureaus.

    For compliance teams, the new rules mean CFIUS, sanctions, and export-control expertise are no longer optional for companies handling high-volume U.S. personal data, according to Swire.

    Data inventories must also now track destination jurisdictions, corporate control, and data flows via embedded code such as pixels and analytics tools. “Restricted transactions” under the DOJ rule may continue only if vendors meet security requirements defined by the Information Systems Audit and Control Association (ISACA).

    Swire warns that key terms like “sensitive data,” “data brokerage,” and “bulk” are intentionally expansive and will evolve as DOJ and FTC enforcement actions proceed.

    The net effect of the shift, per Swire, is that personal-data governance and geopolitical risk are now aligned in the eyes of the federal government. Any company that treats data transfers as a privacy-only issue risks inadvertent violations of national-security law.