When GDPR Compliance is not Enough - U.S. Restrictions on Access to Foreign Data

Article by John A Cianfrani

Businesses operating across borders are accustomed to analyzing international transfers of personal data under the European Union’s General Data Protection Regulation (GDPR). Such transfers from the European Economic Area to a third country are commonly analyzed for support by an adequacy decision, Standard Contractual Clauses, Binding Corporate Rules, or another lawful transfer mechanism.

That analysis remains essential. But it may no longer be sufficient.

Two U.S. measures, the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (PADFAA) and the Department of Justice’s Data Security Program (DSP) (codified at 28 C.F.R. Part 202), now impose separate restrictions on certain foreign access to sensitive data relating to U.S. persons or U.S. government-related activities. Unlike the GDPR, these measures are not comprehensive privacy laws. They are national-security-oriented restrictions aimed at preventing access to sensitive U.S.-linked data by foreign adversary countries, countries of concern, or certain persons connected to those countries.

For multinational businesses, a data transfer that is compliant under the GDPR may nevertheless be prohibited or restricted under applicable U.S. law.

1. A GDPR-Compliant Transfer Mechanism Is Not a U.S. Safe Harbor

The GDPR regulates the processing of personal data and, under Chapter V, international transfers of covered personal data to third countries or international organizations. Article 44 requires that transfers, including “onward transfers” from the European Economic Area, occur only in compliance with the GDPR’s international-transfer requirements.

PADFAA and the DSP regulation

PADFAA prohibits a covered data broker from selling, licensing, transferring, disclosing, providing access to, or otherwise making available personally identifiable sensitive data of a United States individual to a foreign adversary country or to an entity controlled by a foreign adversary. The Federal Trade Commission is the enforcement agency.

The DSP is broader and covers transactions involving access by a country of concern or covered person to U.S. government-related data or bulk U.S. sensitive personal data. Data brokerage, vendor, employment, and investment agreements are covered. Some transactions are prohibited while others are restricted and may proceed only if the required security and compliance measures are satisfied.

Because a dataset in a cross-border transfer may contain both EU personal data and sensitive data relating to U.S. persons (e.g., healthcare analytics datasets, biometric identity systems, location-data products, or advertising technologies), the compliance analysis becomes a two-gate inquiry:

1st - GDPR analysis: Is GDPR-covered EU personal data being processed and transferred internationally, including under any applicable onward-transfer requirements?

2nd - U.S. sensitive-data analysis: Does PADFAA or the DSP prohibit or restrict the recipient organization, transaction type, destination, onward-access arrangement, or any sensitive U.S.-linked data involved in the transaction?

Answering only the first question overlooks a possible separate U.S. prohibition.

2. Onward Transfers – The Greatest Risk

The DSP expressly addresses this situation. Under 28 C.F.R. § 202.302, a U.S. entity engaging in covered data brokerage with a foreign entity that is not itself a covered entity must contractually require that foreign entity to not subsequently engage in a covered data brokerage involving the same data with an entity in a country of concern. The U.S. entity must also report known or suspected violations of that contractual obligation.

The regulation provides a direct example: a U.S. business knowingly sells bulk human genomic data to a European business that is not a covered person. Even though the European purchaser is not itself a prohibited recipient, the U.S. business must contractually restrict the European business from later reselling or otherwise engaging in covered data brokerage of that data with a country of concern or covered person. Without that restriction, the original U.S.-to-European agreement is prohibited. The exposure can arise early in the contracting chain and is not limited to a direct sale of sensitive data to a company in China, Russia, Iran, or another designated jurisdiction. Additional examples include transactions in which a counterparty:

  • sublicenses access to a covered person;

  • uses personnel, subcontractors, or infrastructure connected to a country of concern;

  • grants remote access to an affiliate or technical-support team;

  • incorporates data into a product that makes sensitive information accessible to prohibited recipients; or

  • participates in data brokerage or onward commercialization inconsistent with DSP restrictions.

The DOJ rule also includes recent technology-oriented examples. It addresses circumstances in which tracking pixels or software development kits provide access to sensitive data for targeted advertising, and in which an AI chatbot trained on bulk U.S. sensitive personal data may disclose that data to covered recipients through licensed access and prompting. These scenarios apply to businesses handling international data flows that do not look like traditional “data sales.” A cloud environment, ad-tech integration, offshore developer relationship, AI-model deployment, or shared corporate database may create access risks even though the transaction is not normally described as a sale of personal information.

3. Implications for Contracts and Data Governance

To address these additional U.S. restrictions, organizations will need to examine and update their existing agreements and diligence processes for:

  • recipients who are, become, or are controlled by a covered person or prohibited entity;

  • sensitive U.S. data that may be accessed through foreign personnel, subcontractors, affiliates, cloud operations, analytics tools, or AI systems;

  • express prohibitions on onward data brokerage to a country of concern or covered person;

  • recipients that must provide notice of ownership changes, subcontractor changes, prohibited access, or suspected onward-transfer violations;

  • required technical controls, audit rights, certifications, recordkeeping, and reporting obligations; and

  • data mapping to distinguish EU personal data from U.S. sensitive personal data and government-related data.

Beyond contract drafting, each of the above depends on understanding the actual architecture of the data flow: what information is involved, who can access it, where access occurs, how vendors and affiliates are structured, and whether data may be reproduced or disclosed through technologies such as software development kits, analytics platforms, or AI tools.

4. Additional Issues Requiring Further Attention

The interaction between the GDPR and U.S. sensitive-data restrictions raises secondary questions beyond the two issues discussed above.

First, the protected populations do not align exactly. The GDPR protects natural persons governed by its territorial scope; PADFAA focuses on U.S. individuals; and the DSP uses its own U.S.-person framework. A single multinational data environment may therefore include different categories of protected persons.

Second, anonymization and de-identification require caution. Genuinely anonymous data falls outside the GDPR, while pseudonymized data may remain personal data. Under the DSP, qualifying bulk U.S. sensitive personal data may remain within scope even if anonymized, pseudonymized, de-identified, or encrypted.

Third, the DSP commonly depends on volume thresholds for bulk sensitive data, while the GDPR does not generally depend on bulk volume. At the same time, certain government-related data may be covered by the DSP regardless of volume.

Finally, organizations should consider how government request or disclosure obligations interact with GDPR restrictions on third-country governmental demands for personal data, including Article 48 of the GDPR.

Conclusion

The GDPR, PADFAA, and the DOJ Data Security Program do not perform the same function, but these regimes can converge in the same commercial transaction, technology licensing deal, or AI system. For organizations managing cross-border data flows, GDPR transfer compliance should no longer be treated as the end of the international data-transfer review. It may now be only the first step in a broader analysis of who can access sensitive data, where that access may occur, and whether onward transfers create exposure under U.S. law.

__________________________________

Principal Authorities

  • Regulation (EU) 2016/679 (General Data Protection Regulation), particularly Articles 44–49.

  • Protecting Americans’ Data from Foreign Adversaries Act of 2024, Pub. L. No. 118-50; FTC statutory materials.

  • Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons, 28 C.F.R. Part 202, particularly §§ 202.210, 202.301–.304.

________________________________

Disclaimer: This blog post is provided for informational purposes only and does not constitute legal advice. The linked article is the work of its respective author(s) and publication, with full attribution provided. BAYPOINT LAW is not affiliated with the author(s) or publication; it is shared solely as a matter of professional interest.
