On February 28, 2024, President Biden signed an Executive Order (the “E.O.”), taking a further step toward protecting U.S. government data and bulk sensitive personal data about Americans from access by foreign actors. The White House released an accompanying fact sheet describing the actions directed by the E.O.
The E.O. is one in a series of orders over the last five years that have attempted to restrict how foreign entities access U.S. data. In 2019, the Trump Administration issued Executive Order 13873 entitled “Securing the Information and Communications Technology and Services Supply Chain.” Executive Order 13873 declared a national emergency, asserting that vast amounts of sensitive data are handled through commercial activity and can be targets for exploitation by U.S. adversaries, specifically China. Then, in 2020, the Trump Administration issued Executive Order 13942 and Executive Order 13943, which were intended to effectively ban TikTok and WeChat, respectively, by prohibiting transactions such as hosting the apps on mobile app stores. In 2021, President Biden rescinded the TikTok and WeChat orders, while issuing new, broader restrictions under Executive Order 14034 (“Protecting Americans’ Sensitive Data From Foreign Adversaries”). Executive Order 14034 addressed the ongoing threat of foreign adversaries targeting sensitive personal data and business proprietary data and broadened the list of adversarial foreign countries (not just China). The new E.O. should be viewed in light of these earlier presidential actions, each of which has attempted to expand restrictions on data transfers outside the United States.
To be clear, the E.O. specifies that it is not intended to broadly prohibit Americans from conducting commercial transactions, including financial transactions or sharing of data, with those located outside of the United States or in countries of concern. The E.O. also is not designed to broadly impact trade or other relationships that the U.S. has with foreign countries, emphasizing that nothing in the E.O. should be read to undermine the Biden Administration’s commitment to the free flow of data that is necessary for economic, scientific, and trade relationships around the world.
Rather, the E.O. is focused on three core problems: (1) the potential that “bulk sensitive data,” such as health and location information, can be used to harm individual Americans; (2) the risks that artificial intelligence and advanced processing technologies can pose to Americans’ bulk sensitive data; and (3) the potential that data about certain Americans, particularly members of the military, can lead to direct national security harms. The individual harms identified in the E.O. include the invasion of privacy, blackmail, and the threat of transnational repression, where foreign governments target their citizens (often journalists, dissidents, or political opponents) who are living in the United States. The national security risks include both espionage targeting individuals and the ability to identify or monitor sensitive locations such as military bases.
Central to the E.O. is the definition of “sensitive personal data.” Here, as elsewhere in the E.O., the definition is left broad, with direction for the Department of Justice (“DOJ”) to more specifically define the term in upcoming rulemaking proceedings. As it stands, the E.O. defines the term to include “covered personal identifiers, geolocation and related sensor data, biometric identifiers, human ‘omic data, personal health data, personal financial data, or any combination thereof,” excluding any data that is a matter of public record and is generally available to the public.
Similarly, the E.O. only loosely defines “country of concern,” to mean any nation that is (1) “engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or the security and safety of United States persons,” and (2) “poses a significant risk of exploiting bulk sensitive personal data or United States Government-related data.” Beyond that, it is left for rulemakings to identify specific countries. The other recent executive orders have been interpreted to apply to China, Cuba, Iran, North Korea, Russia, and Venezuela, and a similar if not identical list is likely here.
The E.O. will result in a series of regulatory proceedings over the next four to six months, led by DOJ, the Department of Homeland Security (“DHS”), the Department of State, and other executive agencies. DOJ has already published a press release, an unofficial draft of the Advance Notice of Proposed Rulemaking, and a fact sheet.
In particular, the E.O.:
- Requires DOJ to issue regulations that prohibit “large-scale” transfers of sensitive data to countries of concern. These regulations will include prohibitions and restrictions on U.S. persons engaging in a transaction that involves the transfer of bulk sensitive personal data to countries of concern.
- Requires DOJ to issue regulations that create a class of prohibited transactions that involve the transfer of bulk sensitive personal data to countries of concern.
- Requires DOJ to issue regulations that create enhanced prohibitions around “government-related” data, including geolocation information around sensitive government sites and the locations of members of the military.
- Requires DOJ and DHS to partner in setting new standards based on the Cyber Privacy Framework and NIST standards to prevent entities in countries of concern from procuring sensitive personal data through commercial means (e.g., investments, vendor purchases).
- Grants authority to DOJ and DHS, along with the Department of State and Department of Commerce, to update the country of concern list.
- Directs the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector (also known as “Team Telecom”) to take the transfer of sensitive personal data into account when reviewing submarine cable license applications or renewals. This includes a review of existing licenses and license applications.
- Directs federal departments and agencies to prevent any federal grant money from being used to facilitate access to Americans’ health data by entities in countries of concern.
- Authorizes the Consumer Financial Protection Bureau to undertake rulemaking to ensure data brokers and similar entities comply with the new prohibitions.
- Directs DOJ, DHS, and the Director of National Intelligence to initiate a review of prior bulk sensitive data transfers to assess national security risks and provide recommendations.
Accordingly, if you collect, use, or disclose “bulk sensitive data” related to Americans, this E.O. may affect how, and to whom, you can share or sell that data. If your business fits this category, you should be sure to monitor the several upcoming rulemaking proceedings to see how these terms are defined and how broadly the federal government intends to enforce these restrictions.