From Tallahassee to Phoenix: States Move to Enforce National Security Limits on Access to Americans’ Sensitive Personal Data
State attorneys general increasingly are asserting authority in an area once viewed as the exclusive province of federal national security regulators — scrutinizing who can access sensitive personal data of U.S. persons, where that data flows, and whether foreign governments have legal rights or practical means to control or obtain the data. Recent actions by Florida, Texas, and Arizona Attorneys General illustrate a clear and accelerating trend — national security concerns are no longer abstract policy considerations in the data privacy space; they are becoming a basis for hands-on investigative and enforcement activity at the state level, increasingly aligned with parallel developments at the federal level.
Congress Considers Right to Repair Bill for Vehicle Owners
Last week, the House Energy and Commerce Committee voted to send the Right to Equitable and Professional Auto Industry Repair (REPAIR) Act to the full U.S. House of Representatives for consideration. This legislation, if enacted, would give car owners access to their vehicle-generated data and repair data and tools from vehicle manufacturers. It would also grant owners certain rights over the use of that data, including the right to delete it, and would prevent recipients of vehicle-generated data from selling, transferring, or licensing that data absent certain exceptions. As indicated by its name, the REPAIR Act is reflective of the so-called “right to repair” movement to allow consumers and independent repair shops access to the same data for repair and maintenance that manufacturers make available to themselves or franchised dealers. It also has important implications for data privacy in modern vehicles, which generate increasingly large volumes of information.
EU Court of Justice Issues Landmark Judgment on Concept of “Personal Data”
On 4 September 2025, the EU Court of Justice (the “CJEU”) issued a landmark ruling in SRB v. EDPS confirming that pseudonymous data is not automatically personal data in all cases (the “SRB Case”). Instead, the key question is whether the controller can realistically re-identify the individual. This judgment is expected to have a significant impact on instances where effective technical and/or organisational measures prevent re-identification by the controller. Importantly, although the ruling arose under EU Regulation 2019/1725 – i.e., the EU data protection law applicable to EU Institutions (such as the Commission) – the CJEU confirmed that the same interpretation applies under the General Data Protection Regulation (the “GDPR”).
