The New Administration’s Privacy and Security Updates

Two weeks into a new presidential administration, action from the White House and new leadership at federal agencies is starting to have an impact on privacy and security issues. It is not uncommon for new administrations to pause ongoing federal rulemakings or reverse executive orders released by the prior administration. Below are a few areas in which changes have been made and more activity can be expected.

White House/Executive Orders

President Donald Trump revoked President Joe Biden’s October 2023 Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence (AI), which prompted government agencies to take action on exploring AI’s impact on the industries they oversee. President Trump signed another executive order seeking to both stop any action on the Biden AI executive order and set a 180-day timeline for the new administration to develop an AI plan.

Federal Trade Commission (FTC)

FTC Chairman Andrew Ferguson assumed his position last week. Among the last items approved in the Biden administration were updates to the Children’s Online Protection Rule, which will take effect in the next few months, and Ferguson, then a FTC commissioner, was supportive of these updates. However, Ferguson was opposed to the Commercial Surveillance and Data Security Rulemaking, initiated by the FTC in 2022 and ongoing. This rulemaking could potentially result in more authority for the FTC to oversee data collection and retention practices of the industries it oversees. It is unclear what Ferguson will do with this rulemaking.

Consumer Protection Financial Bureau (CFPB)

The CFPB finalized the Personal Financial Data Rights Rule (Rule) in October 2024, which creates new requirements around the protection of consumer data collected and processed by financial entities. The Rule is currently being challenged in court and the government could choose not to defend it. Additionally, Congress may be able to “disapprove the rule,” essentially making it null through a joint resolution of disapproval, which is permissible under the Congressional Review Act. Both congressional bodies have 60 legislative days, starting on January 15, 2025, to approve such a joint resolution. It is currently unclear what the new administration or Congress will do regarding the Rule. President Trump designated Treasury Secretary Scott Bessent as the acting director of CFPB after former director, Rohit Chopra, resigned over the weekend.

Privacy and Civil Liberties Oversight Board (PCLOB)

Last week, President Trump removed members of the PCLOB who were appointed by the Biden administration. The PCLOB previously assisted with negotiations that resulted in the Trans-Atlantic Data Privacy Framework (TADPF), permitting transfers of personal data from the European Union to the United States. A new composition of the board could affect future negotiations around changes to the TADPF, especially if challenged in the Court of Justice of the European Union, as prior EU-U.S. data transfer frameworks have been challenged.