USA LAW AND PRACTICE Contributed by: Nancy Libin, David Rice, Spencer Persson, Michael Borgia, Robert Stankey, Kara Trowell and Alexander Sisto, Davis Wright Tremaine LLP
example, for identifying and marketing to poten - tial or former customers). Before a merger, acquisition or other corporate transaction is closed, the acquiring entity will typically engage in due diligence of the target (or selling) entity’s data privacy and security prac - tices. This typically involves a review of the tar - get entity’s policies and procedures, and obtain - ing information from the target’s subject matter experts. As part of the transaction, the acquiring entity will typically receive representations and warranties from the target or selling entity related to data privacy and security. State data privacy laws permit a target entity to transfer personal data to an acquiring entity as part of a proposed or actual merger, acquisition or other transaction without triggering a “sale” of personal data under those laws. Companies therefore need not offer consumers a right to opt out. The CCPA, however, expressly prohib - its the acquiring entity from using or disclosing this personal data in a manner that is materi - ally inconsistent with the commitments made to consumers by the target entity unless the acquiring entity provides adequate notice of the change in practices. 5. International Considerations 5.1 Restrictions on International Data Transfers While US laws generally do not impose restric - tions on the transfer of personal information outside the USA, restrictions have recently been imposed for national security reasons on trans - fers of certain US personal data, with a particular focus on transfers to China. While these restric - tions are aimed at data brokers selling personal information to foreign governments and affiliated
companies, international data transfers to gov - ernments or state-controlled entities in politically sensitive countries will need to be evaluated giv - en the potential scope of these new measures. For instance, the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (PADFA) prohibits data brokers from selling, licensing, renting, trading, transferring, releasing, disclos - ing, providing access to or otherwise making available personally identifiable sensitive data of a US individual (ie, a person residing in the USA) to any foreign adversary country or any entity controlled by a foreign adversary. Sensitive data includes government-issued identifiers, biomet - ric information, genetic information and precise geolocation information. Such data is consid - ered personally identifiable if it identifies or is reasonably linkable to (alone or in combination with other data) an individual or their device. For - eign adversary countries are currently defined as China, Iran, North Korea and Russia. Most recently, the US Supreme Court upheld the Protecting Americans from Foreign Adver - sary Controlled Applications Act, which banned TikTok from operating in the USA, requiring that it go dark or have its controlling interest severed from Chinese control, based on national security considerations. The law was also upheld based on preventing China’s control over a communi - cations platform that allowed it to collect sensi - tive personal data associated with 170 million US TikTok users. Separately, new DOJ regulations that cover a wide range of transactions restrict foreign access to sensitive US data by “countries of concern” and other “covered entities”, includ - ing private persons and entities that are sub - ject to the control or jurisdiction of “countries of concern”. The regulations implement the Biden
542 CHAMBERS.COM
Powered by FlippingBook