On February 28, 2024, President Biden signed Executive Order 14117 on "Preventing Access to Americans' Bulk Sensitive Data and United States Government-Related Data by Countries of Concern" (the EO).1 The EO calls for the Department of Justice (DOJ) to promulgate regulations to prevent the large-scale transfer of sensitive personal data and US Government-related data to "countries of concern."
The White House called the new executive order "the most significant executive action any President has ever taken to protect Americans' data security."2 There will be two opportunities for public comment before final regulations are issued with which parties will have to comply.3
Overview
The EO seeks to restrict access by "countries of concern" to Americans' bulk sensitive personal data and US Government-related data when such access would pose "an unacceptable risk to the national security of the United States." The Fact Sheet accompanying the EO notes that the "sale of Americans' data raises significant privacy, counterintelligence, blackmail risks and other national security risks—especially for those in the military or national security community."4
The EO states that data brokerages, third-party vendor agreements, employment agreements, investment agreements, and other such arrangements can provide direct and unfettered access to Americans' bulk sensitive data and thus pose unacceptable risks to US national security. The EO therefore authorizes the Attorney General to prevent the large-scale transfer of Americans' personal data to "countries of concern." The EO further directs multiple other federal departments and agencies to take actions, including promulgating new rules and regulations, to curb the flow of "sensitive personal data" to "countries of concern."
Sensitive personal data is broadly defined by the EO and includes personal identifiers, geolocation and related sensor data, biometric identifiers, human 'omic data (i.e., data generated from humans that characterizes or quantifies human biological molecules or metabolic data), personal health data, personal financial data, or any combination thereof. What types of data specifically are captured by these categories, however, is not fixed by the EO and will be established in the regulations implementing the EO. We expect the regulatory definition likely will expand over time with advancements in emerging technologies like artificial intelligence (AI), which allows greater personal insights to be gained from diverse, seemingly unconnected data.
Consistent with the countries identified in the regulations implementing Executive Order 13873, Securing the Information and Communications Technology and Services Supply Chain,5 the Advance Notice of Proposed Rulemaking (ANPRM) released by the DOJ in connection with the EO states that the DOJ is considering identifying China (including Hong Kong and Macau), Russia, Cuba, Iran, Venezuela, and North Korea as "countries of concern."6
The DOJ is contemplating a two-tiered approach to its implementation of the EO, whereby certain categories of "highly sensitive data transactions" will be prohibited, while other categories of transactions will be restricted, and may proceed on the condition that they comply with certain predefined security requirements to mitigate access to the data by "countries of concern."7 The DOJ is considering identifying two classes of prohibited data transactions: (1) data-brokerage transactions, and (2) transactions involving the transfer of bulk human genomic data or human biospecimens from which human genomic data can be derived.8 The DOJ is also considering three classes of restricted data transactions: (1) vendor agreements (including agreements for technology services and cloud-service agreements); (2) employment agreements; and (3) investment agreements.9 The security requirements applicable to these restricted transactions will be established by the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency.10
The White House characterized the policy objectives of the EO as "specific, carefully calibrated actions" to minimize the stated risk posed by access of "countries of concern" to bulk sensitive personal data and US Government-related data. President Biden continued to stress the importance of federal comprehensive privacy legislation, again urging Congress to pass a federal privacy bill, especially focused on children.
Importantly, the EO does not impose any generalized data-localization requirements and emphasizes that the US remains committed to promoting an open, global Internet and supports cross-border data flows and facilitating open investment. The EO's focus on prospective restrictions of outbound flows of data contrasts with both the narrower case-by-case actions relating to specific transactions through processes like the Committee on Foreign Investment in the United States (CFIUS) and the Committee for the Assessment of Foreign Participation in the US Telecommunications Services Sector (Team Telecom) reviews, and the focus on risks from foreign technologies and services used within the United States under the Bureau of Industry and Security's (BIS) Information and Communications Technology and Services (ICTS) regulations, filling a hole that the administration believes these previous authorities had left open.
Key Takeaways
- Prohibitions and Restrictions on Certain Data Transactions: Companies engaged in transactions that include bulk sensitive personal data or US Government-related data (e.g., the sale or licensing of access to such data) can expect new regulations under the EO. Specifically, transactions that involve data brokerages or human genomic data may be prohibited if they involve "countries of concern" or "covered persons" (i.e., persons with relationships to "countries of concern" as will be defined in DOJ rulemaking). Other transactions involving vendor agreements, employment agreements, or investment agreements may be restricted if they involve "countries of concern" or "covered persons."
- Focus on "Countries of Concern": The EO's restrictions focus on national security and are aimed at transfers of sensitive personal data to "countries of concern," which the DOJ is considering identifying as China (including Hong Kong and Macau), Russia, Cuba, Iran, Venezuela, and North Korea. However, DOJ is considering a broad definition of "covered persons" that would include persons and companies subject to the jurisdiction of a "country of concern" and include foreign employees and contractors of those persons or entities.11 In addition, to address the risk of "re-export" of sensitive data to countries of concern, DOJ is considering requiring that foreign persons who are not covered persons agree not to resell or give access to prohibited or restricted data to a "country of concern" or a "covered person."12
- Growing Attention on Network Infrastructure: The EO identifies submarine cables and overseas data centers as focal points of the risk to bulk sensitive personal data or US Government-related data. Companies can expect new rulemaking aimed at such infrastructure.
- Six Categories of Sensitive Personal Data: The ANPRM indicates the six categories of sensitive personal data will cover: (1) US persons' covered personal identifiers; (2) personal financial data; (3) personal health data; (4) precise geolocation data; (5) biometric identifiers; and (6) human genomic data. These broad categories of sensitive personal data captured by the ANPRM are fairly generic, and do not capture many types of personal data considered sensitive under other US state and federal laws. This adds to what is already a complex data protection framework in the US and requires companies to be vigilant in understanding the multiple obligations and restrictions that may arise with any given category of sensitive personal data.
- Scope of Covered Data Will Likely Expand Over Time: Companies can expect the types of covered data (i.e., what constitutes sensitive personal data) to be a subject of significant debate in the two rounds of public comment that the Department of Justice has said will occur before it issues final rules. Regardless of the initial definitions adopted, the broad language used to establish the eligible categories in the EO mean the scope of the covered data can, and likely will, increase over time, especially as AI models utilizing such data improve and allow increased identification of individuals from data that at present are less sensitive on their face.
- Increased Focus on AI: Concerns over the misuse or malicious use of AI pervade the EO and drive its objectives. The EO notes the development of AI capabilities and algorithms exacerbates the risks associated with collection of bulk sensitive data by "countries of concern" such as recognizing patterns across multiple unrelated datasets and potentially de-anonymizing data. The EO adds to the Biden administration's ongoing efforts to manage and mitigate the risks associated with AI.13
Clear Calls to Action for Federal Departments and Agencies
The EO is a call to action for the federal government with a broad mandate to numerous departments and agencies to undertake new rulemaking and enforcement to develop data transfer and security guidance to address potential risks associated with the accumulation, storage, transmission, and sale of sensitive personal data by and to "countries of concern."
Prohibited and Restricted Transactions
Section 2 of the EO directs the Attorney General, in coordination with the Secretary of Homeland Security and in consultation with the heads of other relevant agencies, to issue proposed regulations within 180 days to prohibit or to restrict covered transactions involving bulk sensitive data or US Government-related data where the transaction:
- involves US Government-related data or bulk US sensitive personal data;
- falls within a class of transactions that has been determined by the Attorney General to pose an unacceptable risk to US national security;
- was initiated, is pending, or will be completed after the effective date of the EO: February 28, 2024;
- does not qualify for an exemption provided in, or is not authorized by a license issued pursuant to, the regulations issued by the Attorney General in response to the EO; and
- is not ordinarily incident to the provision of financial services.14
At the same time, the ANPRM states that the new program is not meant to impede all data transactions with "countries of concern" or persons subject to their jurisdiction. Rather, the focus is expected to be on prohibiting or restricting specific types of data transactions between US persons and "countries of concern" (or persons subject to their control or jurisdiction) involving either (1) specific categories of sensitive personal data above the to-be-established bulk-volume thresholds, or (2) specific categories of US Government-related data regardless of volume.15
How the Attorney General ultimately defines certain terms and concepts such as the bulk sensitive data thresholds and "covered persons" and "covered data transactions" will greatly influence the scope of the restrictions on data transactions. A broad scope could encompass more than the traditional data broker, and capture transactions from US established foreign branches that transfer bulk collections of consumer data back to parent entities in countries of concern. As a result, global consumer facing companies with US branches should monitor the ANPRM rulemaking process to determine its reach.
The ANPRM has proposed the following bulk thresholds:16
Human Genomic Data | Biometrics Identifiers | Precise Geolocation Data | Personal Health Data | Personal Financial Data | Covered Personal Identifiers | |
Low | More than 100 US persons | More than 100 US persons | More than 100 US devices | More than 1,000 US persons | More than 10,000 US persons |
|
High | More than 1,000 US persons | More than 10,000 US persons | More than 10,000 US devices | More than 1,000,000 US persons |
More than 1,000,000 US persons |
The term covered person is broadly defined in the EO to include both entities owned or controlled by "countries of concern" and foreign persons who are employees or contractors either of such entities or of "countries of concern." The ANPRM contemplates setting the ownership stake necessary to trigger inclusions as a "covered person" at 50 percent or more ownership, whether direct or indirect.17 Further, the ANPRM also contemplates creating a public list of covered persons similar to sanctions designations lists maintained by the Treasury Department's Office of Foreign Assets Control (OFAC).18
In addition, the ANPRM defines a covered data transaction as "any transaction that involves any bulk U.S. sensitive personal data or government-related data and that involves: (1) data brokerage; (2) a vendor agreement; (3) an employment agreement; or (4) an investment agreement." Where a transaction means "any acquisition, holding, use, transfer, transportation, exportation of, or dealing in any property in which a foreign country or national thereof has an interest."19
Security Requirements for Transactions
In addition to the regulations to be issued by the Attorney General, Section 2 of the EO further directs the Secretary of Homeland Security, acting through the Director of the Cybersecurity and Infrastructure Security Agency (CISA), in coordination with the Attorney General and in consultation with heads of other relevant agencies, to publish security requirements for restricted transactions which, if complied with, would mitigate the risk posed by such transactions. The Secretary of Homeland Security is also responsible for issuing security guidance for such requirements.
The proposed regulations and security requirements are to be established through notice and comment rulemaking to ensure the public has an opportunity to provide input on the measures. The EO also requires the establishment of a process for issuing licenses to authorize transactions that would otherwise be prohibited or restricted.
Protecting Sensitive Personal Data
Section 3 of the EO addresses US national security concerns related to the access of bulk sensitive personal data and US Government-related data by "countries of concern" through network infrastructure (e.g., submarine cables) subject to foreign jurisdiction or control and via data centers located in foreign jurisdictions. Section 3 also takes further steps to protect sensitive personal data in the healthcare market and restrict certain transactions with data brokerages. The EO expands on prior efforts by the Executive Branch to address supply chain20 and connected device21 cybersecurity, to ward off threats to the information and systems of US businesses, the US Government and consumers.
- License Review and Guidance by Team Telecom: Team Telecom is directed to:
- review existing licenses for submarine cable systems that are owned or operated by persons owned by, controlled by, or subject to the jurisdiction or direction of a country of concern, or that terminate in the jurisdiction of a country of concern;
- issue new guidance regarding the review of license applications and existing licenses, including an assessment of third-party risks related to access to data by "countries of concern;" and
- assess national security and law enforcement risks of new licenses related to access by countries of concern to bulk sensitive personal data.
- New Restrictions on Data in the Healthcare Market: According to the EO, technology advancements (e.g., AI) increasingly allow "countries of concern" with access to large data sets to leverage such data to de-anonymize or re-identify data to gain insights into information about US persons. The EO directs the Secretaries of Defense, Health and Human Services, Veterans Affairs, and the Director of the National Science Foundation to consider taking steps, including issuing regulations, to prohibit the provision of assistance that enables access to bulk sensitive personal data by "countries of concern." The implementing agencies must submit a report on the progress of these to the president within one year of the EO.
- New Data Brokerage Restrictions by the CFPB: The EO encourages the Consumer Financial Protection Bureau (CFPB) to consider taking steps to address the national security risk posed by data brokerages and to enhance compliance with Federal consumer protection law. Specifically, the EO suggests that the CFPB continue to pursue the rulemaking proposals that it identified at the September 2023 Small Business Advisory Panel for Consumer Reporting Rulemaking. CFPB Director Rohit Chopra released a statement following the EO announcement stating that the CFPB would be proposing new rules this year "to rein in" data brokers from "assembling and selling extremely sensitive data" to foreign purchasers.22
Targeting a Gap in National Security Rules
The EO is part of a larger ongoing initiative by the White House to protect the sensitive personal data of Americans and improve the security of digital infrastructure. President Biden's message to Congress regarding the EO highlighted these perceived risks, arguing, "[a]ccess to Americans' bulk sensitive personal data or United States Government-related data increases the ability of "countries of concern" to engage in a wide range of malicious activities, including espionage, influence, kinetic, or cyber operations, or to identify other potential strategic advantages over the United States."23 The EO seeks to fill a gap in the national security toolkit the executive branch has assembled in recent years, inching the United States closer to a holistic framework for managing data security risks under existing executive authorities.
The Biden administration argues the EO will allow the United States to provide clear, prospective, industry-wide rules for bulk transactions involving sensitive personal data, with a focus on outbound flows of US data. The EO's role in national security strategy places it alongside the ICTS regulations,24 efforts to promote trusted 5G network equipment suppliers and Open RAN architecture, increased scrutiny of subsea cable connections and landing licenses, CFIUS reviewing inbound investments (with sensitive personal data being a particular focus of both expanded legal authorities under the Foreign Investment Risk Review Modernization Act of 201825 and President Biden's 2022 CFIUS Executive Order26), the activities of Team Telecom, the forthcoming program regulating certain outbound investment,27 and the recent expansions of export controls targeting advanced semiconductors.
Implications for US Cross-border Data Flows Policy
The EO is one of several recent actions that raise questions about the degree to which the United States still supports open cross-border data flows. The United States has strongly backed open cross-border data flows in past free trade agreements and through international fora, with the recent United States – Mexico – Canada Agreement (USMCA) and the United States – Japan Digital Trade Agreement (US-Japan DTA) containing the strongest commitments to protecting cross-border data flows found in any trade agreements.28 Despite that record, in 2023, the Office of the US Trade Representative (USTR) withdrew from advocating for trade agreement provisions that ensure free cross-border data flows, oppose server localization mandates, and protect source code from disclosure. USTR's reversal has prompted fierce debate in Washington, but the extent to which it represents a meaningful change of direction for the United States remains unclear.
The Biden administration has continued to support cross-border data flows initiatives like the G7's Data Free Flow with Trust (DFFT) policy.29 The administration referenced these ongoing initiatives in the EO's announcement, asserting that the EO aligns with the United States' "longstanding support for the trusted free flow of data."30 The DOJ's ANPRM also asserts the action is "carefully calibrated" to maintain the United States' "longstanding support for the concept of 'Data Free Flow with Trust.' In recognition of its importance to the economy and human rights online."
Notably, Section 2(g) of the EO prohibits the regulations from requiring domestic storage and processing of data as part of the EO's implementation, which narrows how the EO may challenge existing norms. Commitments against data server localization mandates in USMCA and the US-Japan DTA do not include a public policy exception like the one found in the cross-border data flows commitments.31 Despite the administration's assurances of a narrow approach, the EO's restrictions—especially when read together with USTR's recent actions—may still raise concerns and risks for industries reliant on digital services.
Implications for Data Flows into the US
Although the EO does not directly impact the EU-US framework for personal data transfers32 or the UK-US Data Bridge,33 organizations transferring data into the US should monitor the development of the EO's implementing regulations. This will be of particular interest to organizations based in (or with exposure to) jurisdictions which impose restrictions on international data transfers (e.g., the EU and UK), as the implementing regulations and developing compliance requirements could impact the compliance status of international data transfer structures that have been adopted to address non-US legal requirements.
Organizations in Europe have been subject to data transfer restrictions for decades and transfers of data to the US have been a particular cause for concern in recent years. This has resulted in the development of a range of strategic options for structuring internal and external international data transfers relevant to organizations with exposure to laws across jurisdictions (including the US).
The adoption of further protections and restrictions in the US regarding transfers of data to jurisdictions which pose a heightened risk of misuse will be seen as a welcomed step by many in jurisdictions (such as Europe) that currently impose transfer restrictions.
Opportunities for Stakeholder Feedback
As the government develops the EO's implementing regulations, there will be multiple opportunities for interested stakeholders to provide feedback on the government's proposals. Companies involved in affected industries, including data brokers and cloud services providers, which are interested in the outcome can provide comment to the DOJ in response to the ANPRM. The ANPRM also specifically seeks technical feedback on key terms and other specific questions. Critical definitions that will guide the rules' implementation include those for "US persons," "covered data transactions," "countries of concern," "covered persons," "data brokerage," "sensitive personal data," and "US Government-related data." The DOJ must address public comments in the final rule, so participating in the public comment process can help shape the final outcome and the DOJ response may inform any potential legal challenges should a final rule be published. The DOJ's ANPRM will be open to public comments for 45 days following its scheduled March 5, 2024 publication in the Federal Register.
1 Full text available at Preventing Access to Americans' Bulk Sensitive Data and United States Government-Related Data by Countries of Concern.
2 The White House, "FACT SHEET: President Biden Issues Executive Order to Protect Americans' Sensitive Personal Data," February 28, 2024.
3 Department of Justice Fact Sheet at 5.
4 See White House Fact Sheet.
5 See 15 CFR 7.4.
6 ANPRM, at 36.
7 Department of Justice Fact Sheet at 3.
8 ANPRM, at 11.
9 ANPRM, at 12.
10 Department of Justice Fact Sheet at 3.
11 Department of Justice Fact Sheet at 2.
12 Department of Justice Fact Sheet at 6.
13 See, e.g., Executive Order 14110 on the "Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence;" see also "Biden Executive Order seeks to govern the ‘promise and peril' of AI" (November 3, 2023).
14 As defined by the regulations to be issued by the Attorney General pursuant to the EO.
15 ANPRM, at 13.
16 ANPRM, at 22.
17 ANPRM, at 37.
18 ANPRM, at 39.
19 ANPRM, at 29.
20 Executive Order 13783 on "Securing the Information and Communications Technology and Services Supply Chain."
21 Executive Order 14034 on "Protecting Americans' Sensitive Data From Foreign Adversaries."
22 CFPB Director Rohit Chopra Releases a Statement in Response to President Biden's Executive Order To Protect Americans' Sensitive Personal Data.
23 Message to the Congress on Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.
24 15 CFR Part 7. Shortly after announcing the EO, BIS also announced the first potential enforcement action under the ICTS regulations, issuing an ANPRM seeking information on the security of connected vehicles using ICTS designed, developed, produced or supplied by entities owned or controlled by, or subject to the jurisdiction of, a foreign adversary as defined in those regulations.
25 See CFIUS Finalizes New FIRRMA Regulations.
26 See Biden Issues First-Ever Presidential Directive Defining National Security Factors for CFIUS to Consider in Evaluating Transactions.
27 See President Biden Orders Establishment of New Program to Restrict US Outbound Investment in Certain Tech Sectors in China.
28 US-Japan DTA Article 11; USMCA Article 19.11.
29 See Facilitation of Cross-Border Data Flows and Data Free Flow with Trust, Ministerial Declaration of the G7 Digital and Tech Ministers' Meeting, April 30, 2023.
30 "FACT SHEET: President Biden Issues Executive Order to Protect Americans' Sensitive Personal Data."
31 US-Japan DTA Article 12; USMCA Article 19.12.
32 See US and EU Approve Framework for Personal Data Transfers.
33 See The UK-US Data Bridge: Practical Considerations for UK Organisations.
White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.
This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.
© 2024 White & Case LLP