Holyoak: FTC Is a Partner to DOJ in Blocking Foreign Access to US Data
The FTC will serve as a partner to DOJ as the department works to enforce its new Data Security Program (DSP), Commissioner Melissa Holyoak said at the IAPP Global Privacy Summit on Tuesday evening.
Sign up for a free preview to unlock the rest of this article
Holyoak cited the authority that Congress granted the FTC in the Protecting Americans' Data From Foreign Adversaries Act (PADFAA). Congress passed PADFAA to block data brokers from selling Americans’ personally identifiable sensitive data to foreign adversaries like China.
Enforcing PADFAA is going to be a priority for the FTC, and the commission will partner with DOJ where possible on its new rule, Holyoak said. Data brokers selling sensitive data, like geolocation information, poses an “unacceptable risk to national security.”
The FTC declined comment Wednesday on whether it possesses any authority under the DOJ rule. DOJ didn’t comment. DOJ’s Federal Register notice on the final rule details the FTC’s authority under PADFAA, while suggesting the new data transfer rule helps fill gaps in blocking foreign adversaries.
PADFAA didn’t “create a comprehensive regulatory scheme that adequately and categorically addresses these national security risks,” the department said, while also noting the limitations of similar authorities for the Committee on Foreign Investment in the U.S.
An IAPP panel Wednesday discussed the overlapping authorities of DOJ and the FTC. Jeewon Serrato, an attorney with Pillsbury Winthrop, said PADFAA applies to a much broader dataset than the DOJ rule, which includes photos, videos, audio recordings and information about minors. She recommended that companies and compliance teams fully understand the scope of both. In order to comply with the DOJ rule, companies are mostly engaging IT and security teams, but the scope of the rule does call for the expertise of privacy professionals, she said.
John Carlin, an attorney with Paul Weiss, said DOJ’s National Security Division is still adjusting to its new, additional role as regulator. It has traditionally been in a law enforcement role, so the office is still working through these new regulatory complexities, he said.
The Trump administration’s decision not to rescind the Biden administration executive order initiating the DOJ rule wasn’t an “oversight,” said Alexander Joel, a privacy attorney and adjunct law professor at American University. The rule is “alive and well.” This administration has put a lot of work into launching it, and it’s going to be an enforcement priority, he said.
Serrato said the department seems to understand that complying with the rule is a complex undertaking for many companies. She said it wasn’t possible to have “perfect” compliance programs for the EU’s General Data Protection Regulation and the California Consumer Privacy Act when those regulations came into effect, and the same is true for the DOJ rule. Companies understanding the regulation and making a “good-faith effort” to comply is what’s important, she said.