EO directs Attorney General to promulgate regulations to prohibit or otherwise restrict specific U.S. data transfers

On February 28, 2024, President Biden announced that he was issuing an Executive Order (the "EO") directing the promulgation of regulations to limit the dissemination of "bulk sensitive personal data" and "United States Government-related data" directly or indirectly to "countries of concern." The EO posits that access to such data enables those countries "to engage in a wide range of malicious activities," including analyzing the data using artificial intelligence (AI) to "engage in espionage, influence, kinetic, or cyber operations or to identify other potential strategic advantages over the United States." Permitting access to the data would "exacerbat[e] national security and foreign policy threats" from those countries. For this reason, the EO declares the dissemination of the covered information to countries of concern to be a national emergency. Notwithstanding the national emergency and national security focus, the EO also states that in practice its implementation should harmonize national security concerns with continuing to permit legitimate commercial collection and use of personal data.

To address these concerns, the EO directs the Attorney General and others to promulgate regulations to identify classes of both (a) prohibited transactions and also (b) restricted transactions that are permitted only if certain security requirements are met. An Advance Notice of Proposed Rulemaking (ANPRM), issued by the Department of Justice, asking more than a hundred questions, was published in the Federal Register with comments due April 19, 2024.

Also – and while only obliquely referenced in the EO – there may well be First Amendment issues in prohibiting Americans from transmitting information to their chosen recipients, even if those recipients are in "countries of concern." Implicitly addressing this issue, the definition of "sensitive personal data" excludes "personal communications" and "information or informational materials" that are within the scope of 50 U.S.C. §§ 1702(b)(1) and (3). Even so, at least in some circumstances the Supreme Court treats transfers of commercially relevant data as protected by the First Amendment. See Sorrell v. IMS Health, Inc., 564 U.S. 552 (2011). As a result, implementation of the EO may serve to highlight the long-simmering tension between privacy protections that are based on restricting the use and dissemination of specific classes of information on the one hand and First Amendment values on the other.

Below, we highlight some key points of the EO and the ANPRM. Because so much of the implementation of the EO is left to the forthcoming regulations, entities with interests in this space would do well to attend to and participate in the announced and forthcoming rulemaking proceedings.

Key Aspects of the Executive Order and Advance Notice of Proposed Rulemaking

The EO does not directly impose any obligations on any private parties. Instead, it directs the Attorney General (and some others) to promulgate regulations to implement the EO. The contemplated regulations and related terms are summarized at a high level below.

Note that while the EO itself is only 17 pages long, the ANPRM comprises 81 pages and includes 114 separate specific questions for comment and 56 separate illustrative examples of the Department of Justice's thinking about the situations where the regulations would and would not apply. The devil will very much be in the details as this process moves forward.

• Countries of concern. The EO does not list any specific "countries of concern." Instead, those countries are to be identified by the Attorney General, in consultation with the Department of Homeland Security and the Secretaries of State and Commerce. The ANPRM indicates that the initial list of countries of concern would include China, Russia, Iran, North Korea, Cuba, and Venezuela.
• Broad scope of "sensitive personal data." The term "sensitive personal data" is defined to mean "covered personal identifiers," as well as "geolocation and related sensor data, biometric identifiers, human 'omic data, personal health data, personal financial data, or any combination thereof." There are specific carve-outs for publicly available data, data that constitutes a "personal communication" under 50 U.S.C. § 1702(b)(1), and data that constitutes "information or informational materials" under 50 U.S.C. § 1702(b)(3).
• Broad scope of "personal identifiers." The term "covered personal identifiers" is defined as data "reasonably linked to an individual … that could be used to identify an individual from a data set or [to] link data across multiple data sets to an individual" and that makes the personally identifiable data exploitable by a country of concern, while excluding "demographic identifiers" such as name and address, "public account identifiers," and "network-based identifiers" used for the provision of telecommunications or networking services. The ANPRM lists a range of identifiers that would fall under the regulation, including: Social Security Numbers, financial account numbers, device identifiers (such as IMEIs for mobile phones and MAC addresses for computers), demographic or contact data, advertising identifiers such as a Google Advertising ID or an Apple ID for advertisers, usernames and passwords, IP addresses, and call-detail data. On the other hand, covered personal identifiers would not include employment history, educational history, criminal history, organizational memberships, or web-browsing history.
• Broad scope of covered transactions. The EO covers "any acquisition, holding, use, transfer, transportation, or exportation of, or dealing in, any property in which a foreign country or national thereof has any interest" that involves the transfer of personal or government data. The restrictions in the EO apply to transactions in which "covered persons" potentially receive the information addressed by the EO. A "covered person" is defined as "[1] an entity owned by, controlled by, or subject to the jurisdiction or direction of a country of concern; [2] a foreign person who is an employee or contractor of such an entity; [3] a foreign person who is an employee or contractor of a country of concern; [4] a foreign person who is primarily resident in the territorial jurisdiction of a country of concern; or [5] any person designated by the Attorney General as [a] being owned or controlled by or subject to the jurisdiction or direction of a country of concern, [b] as acting on behalf of or purporting to act on behalf of a country of concern or other covered person, or [c] as knowingly causing or directing, directly or indirectly, a violation of" the EO or the implementing regulations.
• Prohibited transactions. The Attorney General (in coordination with other agencies) is also charged with promulgating regulations identifying certain classes of transactions that are to be prohibited – meaning that they cannot occur at all. Prohibited transactions are those that "pose an unacceptable risk" to national security where those risks cannot be mitigated by the implementation of the security requirements to be developed the Secretary of Homeland Security (see below). According to the ANPRM, the Department of Justice "is considering identifying two classes of prohibited data transactions … involving bulk U.S. sensitive personal data or government-related data: (1) data-brokerage transactions; and (2) any transaction that provides a country of concern or covered person with access to bulk human genomic data … or human biospecimens from which that human genomic data can be derived." Fully 33 of the examples in the ANPRM – more than half – and more than a dozen specific questions in the ANPRM relate to the issues of who is and is not a "covered person" and what transactions involving such persons would and would not be affected by the regulations.
• Restricted transactions. Restricted transactions are those that, like prohibited transactions, pose an unacceptable risk to national security but where the risk can be mitigated by the use of security measures. The ANPRM contemplates a licensing regime to permit a United States person to engage in what would otherwise be a prohibited transaction. The Department of Justice is "considering identifying three classes of restricted data transactions: (1) vendor agreements (including, among other types, agreements for technology services and cloud-service agreements); (2) employment agreements; and (3) investment agreements."
• CISA to develop security requirements. The EO directs the Secretary of Homeland Security, through the Director of the Cybersecurity and Infrastructure Security Agency, to establish "security requirements … that adequately mitigate the risk of access by countries of concern" to personal or government data. Where national security risks can be mitigated by such security measures, the relevant transactions will be restricted but not prohibited.
• Permitted transactions. Transactions that are "ordinarily incident to and part of the provision of financial services, including banking, capital markets, and financial insurance services" are specifically exempted from the class of prohibited and restricted transactions, as are transactions that are "required for compliance with any Federal statutory or regulatory requirements."
• No data localization requirements. In keeping with the focus on keeping "bulk sensitive personal data" and "United States Government-related data" ("personal and government data") out of the hands of countries of concern without interfering with legitimate commercial data practices, the EO expressly states that it is not imposing any requirements for storing or processing data in the U.S. (and the ANPRM says the same). In practical terms, this means that companies with data-intensive operations in the United States will still be able transfer Americans' bulk sensitive personal data or United States Government-related data among locations in (for example) Europe.
• Specific focus on potential to eavesdrop on communications infrastructure. The EO notes that countries of concern can obtain access to personal and government data "through the transmission of data via network infrastructure that is subject to the jurisdiction or control of countries of concern." The EO therefore directs the "Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector" (informally known as "Team Telecom") to assess foreign ownership of and investment in submarine cable facilities and cable landing stations where the cable is under the jurisdiction of or passes through or terminates in countries of concern.
• Protection of genomic and similar data. The EO notes that health care data, including genomic data,[1] can be extremely sensitive and notes that existing methods of anonymization, pseudonymization, and de-identification may not work considering "advances in technology, combined with access … to large data sets." To address this concern, the EO directs the Secretaries of Defense, Health and Human Services and Veterans Affairs, and the Director of the National Science Foundation to consider ways (including rules and orders) to limit the access of countries of concern to such healthcare-related data.
• Support for CFPB regulation of data brokers. The EO notes that data brokers control vast amounts of information about consumers and that these entities "enable access to [personal and government data] by countries of concern," which "contribute[s] to the national emergency described in this order." The EO thus "encourage[s]" the CFPB to pursue pending rulemaking proposals that would significantly restrict data brokers by treating them as "consumer reporting agencies" within the meaning of the Fair Credit Reporting Act (which would severely restrict the entities to which and the purposes for which data brokers can share information about consumers).
• Reports and recommendations. The EO calls for reports regarding the effectiveness of the regulations promulgated in response to the EO and the "risks and benefits of regulating transactions involving types of human 'omic data other than human genomic data, such as human proteomic data, human epigenomic data, and human metabolomic data, and recommending the extent to which such transactions should be regulated...."

Regulations Contemplated by the Executive Order

The EO directs the Attorney General to promulgate regulations to effectuate the EO; the prompt issuance of the ANPRM with an April 19 comment date on the 114-listed questions makes clear that the Administration seeks to move quickly on these regulations which are to be published for comment within 180 days of the issuance of the EO (that is, by August 25, 2024). The EO requires the regulations to address the following key points, all of which are reflected in the questions presented for comment in the ANPRM:

• Prohibiting or "otherwise restrict[ing] United States persons from engaging in any acquisition, holding, use, transfer, transportation, or exportation of, or dealing in, any property in which a foreign country or national thereof has any interest (transaction)", where the transaction:
  • Involves bulk sensitive personal data or U.S. government-related data (as further defined in the regulations);
  • Entails unacceptable national security risk (as further defined in the regulations);
  • Is not exempt or licensed (as further defined in the regulations); and
  • Is not "ordinarily incident to" financial services and related transactions (as further defined in the regulations);
• Designating classes of transactions that are prohibited;
• Designating classes of transactions that are restricted, based on the existence of adequate "security requirements" to be established by CISA;
• Identifying countries of concern (with the concurrence of the Secretaries of State and Commerce);
• Establishing a process for issuing licenses for transactions that would otherwise be prohibited;
• Enabling coordination among affected government entities, including CFIUS, OFAC, and Team Telecom;
• Establishing necessary recordkeeping and reporting obligations; and
• Addressing the prospect of transactions structured to evade the requirements of the rules and of United States persons knowingly directing that prohibited or restricted transactions occur;

The rules to be promulgated to implement the EO also:

• Shall reflect the nature of the transactions to be classified as prohibited or restricted;
• Shall establish "thresholds and due diligence requirements" that affected entities must use to evaluate whether a transaction is covered by the rules (the ANPRM proposes different volume-based "low-high" ranges of thresholds based on risk-based assessments, from as low as 100 to a high of 1,000,000 for specified identifiers);
• Shall not establish general data localization requirements;
• Shall account for legal obligations regarding public access to publicly funded research, sharing and interoperability of electronic protected health information, and patient access to their own data; and
• Shall not address any type of "human 'omic data" other than genomic data.

In addition, the Secretary of Homeland Security is directed to have CISA promulgate "security requirements" that will "address the unacceptable risk posed by restricted transactions," with the requirements to be "based on the Cybersecurity and Privacy Frameworks" developed by NIST.

Concluding Thoughts

The EO and the ANPRM reflect the start of what will be an intense process, headed by the Attorney General, of developing specific – and, based on the ANPRM, detailed and complex – regulations to restrict the transfer of personal and government data to "countries of concern." These regulations, once effective, will likely affect a wide range of economic activity, including:

• Transfers of information in connection with the normal activities of consumer-focused online entities;
• Potential mergers and acquisitions involving entities that own or control personal information, including healthcare and financial information;
• Ownership of and investment in telecommunications infrastructure; and
• Many aspects of the business of data brokers. Indeed, "data brokerage" transactions involving bulk sensitive personal data and government-related data are one of two identified classes of prohibited transactions in the ANPRM.

Moreover, the specific content of the "security requirements" to be promulgated by CISA have the potential to be extremely significant because being able to comply with those requirements will help determine whether a transaction is prohibited or merely restricted. In this same vein, the process for obtaining a license to engage in a restricted transaction (including whether considerations other than meeting the security requirements are involved) will be of great practical significance to affected entities.

Finally, as noted above, there are potential First Amendment problems inherent in governmental action that is expressly designed to prohibit or restrict the ability of United States persons to transmit information – that is, to speak. Following the Supreme Court's decision in Sorrell v. IMS Health, Inc., 564 U.S. 552 (2011), which held that the transfer of commercially relevant data – not intuitively a form of "speech" – was protected by the First Amendment, there has been a simmering debate – largely in the academic community – as to whether privacy protections based on restricting the dissemination of information (such as contemplated by the EO) can survive First Amendment scrutiny.

Perhaps in anticipation of these concerns, the EO frames the restrictions it imposes as necessary to respond to a national "emergency" involving "espionage, influence, kinetic, or cyber operations" and states that permitting transfers of personal and government data will "exacerbat[e] national security and foreign policy threats." Under long-standing First Amendment jurisprudence, direct, advance restrictions on speech are subject to "strict scrutiny," which requires that the restriction be "narrowly tailored" to advance a "compelling government interest." E.g., Pleasant Grove City v. Summum, 555 U.S. 460, 469 (2009). The government, however, may assert that the First Amendment does not even apply to the types of data transactions addressed by the EO and the ANPRM; that if it does, at most "intermediate scrutiny" applies to assess the constitutionality of the restrictions; and that under that standard and in light of the strong national interest in protecting the United States against foreign adversaries exploiting and misusing the information, the regulations are permissible. Nonetheless, and consistent with the EO recognizing potential First Amendment issues, the ANPRM anticipates excluding "expressive information, like videos and artwork … consistent with the speech-protective purpose of 50 U.S.C. 1702(b)(3)" from the data transfer prohibitions and restrictions.

At a minimum, it seems likely that one or more affected entities will raise First Amendment challenges to restrictions on their ability to transfer information as they see fit.

We will publish additional advisories as the process further unfolds.

[View source.]