Executive Order on Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern

On February 28, 2024, President Joe Biden issued Executive Order ("EO") 14117, granting the Department of Justice (DOJ) authority to oversee the export of specific consumer data. The purpose is to prevent certain foreign governments from acquiring large quantities of particularly sensitive personal information. The EO, titled "Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern," addresses longstanding worries within the Executive Branch regarding the accumulation of sensitive data by certain foreign governments. This data includes genomic, biometric, health, geolocation, financial, and other personal information, which could be exploited for activities posing threats to national security, such as espionage, hacking, blackmail, transnational repression, and disinformation campaigns.

The EO's immediate aim is to close the avenue through which data brokers and other commercial entities sell extensive collections of sensitive personal data to specific foreign governments, by outright banning certain transactions. However, DOJ plans to extend its oversight to a wider range of regulated dealings, including vendor contracts, employment agreements, and investment deals. These measures aim to prevent foreign companies, particularly those from countries of concern, and consequently their governments, from gaining indirect access to sensitive personal data. Both the White House and DOJ describe the anticipated restrictions stemming from the EO as "groundbreaking" and "comprehensive."

Here is a concise summary of the essential components of the EO and of DOJ's proposed implementation, outlined in an Advance Notice of Proposed Rulemaking (ANPRM) released concurrently. Stakeholders are invited to provide feedback until April 15, 2024, and the EO directs DOJ to publish a proposed rule by August 26, 2024. Legal restrictions will not take effect until a Final Rule is officially enacted.

KEY TAKEAWAYS:

  • The regulation remains undefined. While DOJ offers a broad outline of its intentions through a fact sheet, the ANPRM solicits feedback on 114 distinct questions, covering aspects such as the economic implications for the sensitive personal data market and associated compliance costs. Through this engagement with the private sector, the Biden Administration signals a strong interest in receiving comprehensive input to craft a rule that limits unintended repercussions.
  • Primary areas for feedback include evaluating the potential impact of the ANPRM on companies' transfers of consumer data to countries of concern or to entities controlled by covered investors or owners. Specifically, companies may want to focus on the following inquiries:
    • Which personal identifiers should be included (and excluded) from the rule?
    • What data points, use cases, or other information should the Department of Justice consider in determining the bulk thresholds?
    • How do businesses use the various categories of sensitive personal data, especially in transfers outside the United States, and how would the proposed bulk threshold ranges affect businesses' capacity to transact with countries of concern or covered persons?
    • How would a US person involved in a data transaction determine whether the other party is a covered person under the ANPRM's definition? What specific due diligence measures would be required for this determination?
    • What, if any, changes should be made to the definition of “covered person”?
    • How feasible is it to negotiate agreements with potential clients that prohibit the onward transfer, resale, or further disclosure of bulk sensitive personal data or government-related data from the US to countries of concern or covered persons?
    • Should additional categories of data transactions beyond those currently considered in the ANPRM be granted exemptions?
    • Would general and specific licenses provide value to regulated entities? How about advisory opinions? What factors would enhance or diminish the usefulness of either process?
    • What additional compliance and recordkeeping measures would US persons expect to implement to adhere to the program outlined in this ANPRM?
  • Who’s in charge? DOJ’s Foreign Investment Review Section (FIRS)—the same shop that manages the Department’s work on the Committee on Foreign Investment in the United States (CFIUS) and Team Telecom—will be delegated the authority to implement the EO. FIRS may be significantly guided in its rulemaking approach by insights gained from those processes, and could heavily rely on the principles and precedents established in recent mitigation agreements implemented on a case-by-case basis.
  • OFAC is the model. Regulations stemming from this EO will be grounded in IEEPA; violations could result in civil and criminal penalties. Although the ANPRM disavows an all-encompassing strict-liability stance, firms will be expected to establish a risk-based compliance program akin to those used for sanctions compliance. Not every firm will need to meet due diligence or proactive recordkeeping criteria, but those doing business with countries of concern should anticipate incorporating the eventual regulations into their established compliance protocols.
  • While employment contracts might be deemed restricted data transactions, the initiative will not affect foreign nationals from countries of concern who enter the United States on work or educational visas and access sensitive personal data while within the country (unless individually designated). This is because any individual present in the United States is not classified as a "covered person" under the ANPRM.

SUMMARY OF THE EO AND ANPRM

  • Covered Transactions: The EO instructs DOJ to identify classes of highly sensitive data transactions between US persons and countries of concern or covered persons that will either be (a) outright prohibited or (b) prohibited unless they comply with security requirements (defined by DHS/CISA) aimed at mitigating the risk of data access by countries of concern (referred to as "restricted" transactions).
  • DOJ’s ANPRM identifies two categories of transactions as the likely subject of rulemaking:

    Prohibited Data Transactions: (1) Data-broker deals, and (2) genomic-data transactions entailing the transfer of extensive human genomic data or biospecimens capable of generating such data.

    Restricted Data Transactions: (1) Vendor contracts for goods and services (including cloud service agreements); (2) employment contracts (e.g., with foreign IT staff of a US company located in a country of concern, or with a CEO who meets the definition of a covered person); and (3) investment agreements (involving ownership interests or rights that grant access to data, similar to those CFIUS reviews today).

    Examples of potential security prerequisites encompass data minimization and obfuscation, adoption of privacy-enhancing technologies (e.g., encryption), creation of IT systems to thwart unauthorized disclosure, and enforcement of logical and physical access controls. Nonetheless, the EO prohibits broad data localization mandates.

    The ANPRM suggests prohibiting "knowing" participation in restricted transactions (rather than a strict liability approach), reaching persons who knew or should have known the circumstances of the transaction given their level of expertise and the sensitivity of the data involved. This approach aims to exclude liability stemming from factors such as the unpredictable route data takes over the internet or the employment of covered persons by a foreign entity not subject to the rule. Additionally, the ANPRM proposes forbidding US persons from knowingly directing any restricted transaction (e.g., through their foreign employer) that would be prohibited if a US person engaged in it directly.

Covered Data: The ANPRM suggests regulating transactions involving either specific categories of sensitive personal data above certain bulk volume thresholds or specific categories of government-related data regardless of volume. The ANPRM considers regulating the following sensitive personal data categories when linked or linkable to an identifiable US person or group of US persons:

  1. Specifically listed categories and combinations of identifiable personal information covered by the regulation (e.g., advertising identifiers, social security numbers).
  2. Precise geolocation data.
  3. Biometric identifiers.
  4. Human genomic data.
  5. Personal health data.
  6. Personal financial data.

DOJ has suggested different ranges of bulk thresholds depending on the data category, with some thresholds as low as data concerning 101 US persons. No bulk threshold applies, however, to transactions involving certain US Government-related data, such as precise geolocation data linked to military or other sensitive government operations, or sensitive personal data sets explicitly associated with recent former employees, contractors, or officials of the US government.

Countries of Concern: Russia, China (including Hong Kong and Macau), North Korea, Iran, Venezuela and Cuba.

Covered Persons: The ANPRM outlines five categories of covered persons:

  1. An entity that is majority-owned (50% or more) directly or indirectly by a country of concern, or organized under the laws of, or with its principal place of business in, a country of concern.
  2. An entity that is majority-owned (50% or more) directly or indirectly by an entity described in category (1), or by an individual described in categories (3), (4), or (5).
  3. A foreign individual employed or contracted by a country of concern or by an entity described in categories (1), (2), or (5).
  4. A foreign individual primarily residing in the territorial jurisdiction of a country of concern.
  5. Any person (including a US person) designated by the Attorney General as being owned or controlled by, or subject to the jurisdiction or direction of, a country of concern; as acting on behalf of or purporting to act on behalf of a country of concern or a covered person; or as knowingly facilitating or directing a violation of these regulations.

Unless explicitly designated under category (5), covered persons exclude US citizens, nationals, and lawful permanent residents; individuals admitted to the United States as refugees or granted asylum; entities organized solely under US law or jurisdiction; and individuals located within the United States. Hence, a Chinese or Russian national situated in the United States or in a third country (e.g., an employee) would not be covered unless specifically designated or employed by either a country of concern or a covered entity.

Exemptions: The EO provides exemptions for certain data transactions within the program, to the extent that they are:

  1. Personal communications, or information or informational materials, as defined by IEEPA.
  2. Typically part of financial services, payment processing, or regulatory compliance.
  3. Typically part of ancillary business operations within multinational US companies (e.g., payroll or human resources functions between a US entity and its subsidiary or affiliate in a country of concern).
  4. Official business or authorized activities of the US Government and its contractors, employees, or grantees (e.g., federally funded health or research activities, regulated by funding agencies themselves).
  5. Transactions mandated or sanctioned by federal law or international agreements (e.g., the exchange of passenger manifest information, INTERPOL requests, or public health surveillance).

Licensing and Advisory Opinions: The ANPRM explores mechanisms for DOJ to issue both general licenses and specific licenses for particular transactions. Entities holding licenses might need to submit reports and statements as per their licenses, reminiscent of the oversight seen in CFIUS mitigation agreements. Additionally, the ANPRM considers granting regulated entities the option to request advisory opinions regarding the regulations' relevance to specific transactions.

Compliance and Enforcement: While the ANPRM does not propose general due diligence and recordkeeping mandates, neglecting them in certain cases could aggravate any enforcement action taken. Reporting might be required of US persons involved in restricted or licensed transactions. The EO grants DOJ the authority to investigate program violations and pursue civil or criminal penalties under IEEPA.

Other Topics of the EO: In addition to DOJ's forthcoming regulation of sensitive data, the EO mandates or encourages these additional actions by other departments and agencies to address data-security risks:

  1. Identifying and mitigating risks stemming from previous transfers of bulk sensitive personal data.
  2. Prioritized review by Team Telecom of existing licenses for submarine cable systems linked to countries of concern.
  3. Utilizing grantmaking and contracting authority to prevent federal funds from supporting the transfer of sensitive health data and human genomic data to countries of concern.
  4. Expanding regulation on data brokers under the Fair Credit Reporting Act, as previously suggested by the Consumer Financial Protection Bureau (CFPB).
  5. Conducting a study on the risks and benefits of regulating transactions involving types of human 'omic data other than genomic data (e.g., proteomic, epigenomic, and metabolomic data).