In recent years, foreign bulk data collection of US citizens’ personal data has emerged as a new and increasing national security threat. The ability of foreign adversaries to collect—and in some cases, buy outright—US person data is officially governed by IEEPA and CFIUS. Bernard Horowitz and Terence Check argue that these regulatory frameworks are ill-suited for the particular issues raised by present-day data processing technology.

The authors examine both IEEPA and CFIUS in turn—how these regulations function in practice, and how they apply to bulk adversarial data collection. The authors focus particularly on the recent decision in TikTok v. Trump and how it may undermine the ability of the United States to restrict data trade on national security grounds.

Bernard Horowitz is Law Clerk for Senior Judge Mary Ellen Coster Williams of the United States Court of Federal Claims. This article does not reflect the views of the Court of Federal Claims or Judge Williams, and was written solely in the author’s personal capacity and not as part of his court-related duties.

Terence Check is Senior Counsel, Cybersecurity and Infrastructure Security Agency, Department of Homeland Security; LL.M in Law & Government, specializing in National Security Law & Policy, American University Washington College of Law (2015); J.D., magna cum laude, Cleveland State University, Cleveland-Marshall College of Law (2014); Editor-in-Chief, Cleveland State Law Review (2013-2014). This article does not reflect the official position of the US government, DHS, or CISA and all opinions expressed are solely those of the authors. He is the author of “Turning US Vetting Capabilities and International Information-sharing to Counter Foreign White Supremacist Terror Threats” in the JNSLP Online Supplement.