White House issues executive order on access to US sensitive personal data by countries of concern

Hogan Lovells (co-author: Lyric Galvin)

The Biden Administration has issued an executive order to curtail access by China, Russia, and other countries of concern to Americans’ sensitive personal data. The Department of Justice and other agencies are tasked to take actions, including promulgating regulations, designed to protect Americans’ data security.


On February 28, 2024, President Biden signed an Executive Order (EO) directing the Department of Justice (DOJ), the Department of Homeland Security (DHS), and other federal agencies to take specific actions to restrict the large-scale transfer of Americans’ sensitive personal data and protect the data from misuse by countries of concern. The EO states that the US is not seeking to suspend legitimate data flows or disengage with these countries. Instead, the EO focuses on activities that may expose Americans’ sensitive personal data to malicious actors in countries of concern, particularly the indiscriminate sharing of personal data that could lead to significant harms. The EO and forthcoming implementing regulations are likely to impact a wide swath of U.S. companies that handle Americans’ personal data and do business in certain foreign jurisdictions, especially in China.


Background

The Biden Administration expresses concerns that Americans’ personal data is often sold and resold via data brokers, and can potentially be accessed and used by foreign intelligence services, militaries, or companies controlled by foreign governments. The Administration asserts such data could be used to:

  • enable intrusive surveillance, espionage, cyber operations, and other national security risks;

  • commit crimes such as scams and blackmail; and

  • gather information on individuals in the U.S. to pry into their lives, intimidate, curb dissent, limit civil liberties, or commit privacy violations.

In response, the Biden Administration issued the EO to address risks associated with “countries of concern” (i.e., those that “have a track record of collecting and misusing data on Americans”). The DOJ subsequently announced that it may identify China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela as countries of concern.


Activities of Concern

The EO directs DOJ, in coordination with DHS, to issue regulations that restrict U.S. persons from engaging in certain transactions in which foreign countries or foreign nationals have an interest and involve Americans’ “bulk sensitive personal data” or U.S. Government-related data.

The EO defines “sensitive personal data” to mean:

  • human ‘omic data’ (such as human genomic data, epigenomic data, proteomic data, transcriptomic data, microbiomic data, or metabolomic data),

  • biometric identifiers,

  • personal health data,

  • geolocation data and related sensor data,

  • personal financial data, and

  • certain covered personal identifiers.

The term “sensitive personal data” does not include publicly available data, personal communications, or informational materials.

The EO defines U.S. Government-related data to mean sensitive personal data that (i) a transacting party identifies as being linked or linkable to certain former U.S. federal government personnel; (ii) is linked to certain data that could be used to identify certain former U.S. federal government personnel; or (iii) is linked or linkable to certain sensitive locations controlled by the U.S. federal government.

Based on the DOJ’s accompanying Fact Sheet, data transfers would only be regulated if they exceed “bulk volumes” (defined by number of U.S. persons or devices implicated). The EO defines “bulk” to mean an amount of sensitive personal data that “meets or exceeds a threshold over a set period of time,” with the threshold to be established in the forthcoming regulations issued by DOJ. The DOJ is seeking input from stakeholders on where to set the threshold for bulk volumes. Data transfers of government-related data would be subject to the regulations regardless of volume.

The DOJ is presently contemplating increased security requirements for transactions related to three types of arrangements deemed to pose higher risk: (1) vendor agreements (including cloud services), (2) employment agreements, and (3) investment agreements, according to the Fact Sheet.

Also discussed in the Fact Sheet are five categorical exemptions being considered for activities that are:

  • Ordinarily incident to and part of financial activities that might require access to sensitive personal data (such as banks, e-commerce, legal compliance activities);
  • Within multinational companies for ancillary business purposes (such as payroll or human resources);
  • Passive investments that do not convey the rights or influence that ordinarily pose risk – similar to “excepted transactions” contemplated under the proposed outbound investment regulations;
  • Required or authorized by federal law or international agreements (such as public health surveillance); and
  • Conducted by the federal government or its contractors, employees, and grantees.

Agency Directives

The EO includes the following directives, which are intended to address the concerns noted above:

  • The DOJ is tasked with issuing regulations to implement the restrictions described in the EO. The DOJ will be issuing Advance Notices of Proposed Rulemaking (ANPRMs) seeking comment on which countries constitute countries of concern, the categories of covered persons (i.e., individuals to whom transfers would be deemed within reach of countries of concern), types of regulated transactions, and exemptions. In addition, the DOJ, in consultation with the Secretary of State, Secretary of Commerce, Secretary of Homeland Security, and heads of other relevant agencies, will be issuing licenses and advisory opinions.

  • DOJ and DHS are instructed to work together on security requirements and interpretive guidance designed to prevent access by countries of concern to Americans’ data through other commercial means (e.g., data available via investment, vendor, and employment relationships), noting that these should be based on the Cybersecurity and Privacy Frameworks developed by the National Institute of Standards and Technology, and issue enforcement guidance regarding the security requirements.

  • The Departments of Health and Human Services, Defense, and Veterans Affairs and National Science Foundation are directed to provide guidance to assist research entities in ensuring protection of their data and take steps, including issuing regulations, guidance, or orders, to prevent Federal grants, contracts, and awards from being used by countries of concern (including via companies in the U.S.) to access bulk sensitive health data.

  • Team Telecom is instructed to evaluate and address potential threats to Americans’ sensitive personal data in its reviews of existing submarine cable licenses and license applications that are owned, operated by, or subject to the direction of a country of concern.

The DOJ has contemporaneously issued an ANPRM to effectuate the EO and provide missing details. The ANPRM includes the categories of covered persons (i.e., individuals to whom transfers would be deemed within reach of countries of concern), types of regulated transactions, and exemptions. The EO also provides the DOJ with flexibility in executing and defining the scope of the rules. However, the EO explicitly prohibits the DOJ from establishing generalized data localization requirements as part of the targeted national security measures.


Next Steps

The EO and ANPRMs do not impose any immediate new legal obligations for companies. However, the ANPRMs will initiate two rounds of public feedback before any final rule is issued—with feedback on the ANPRMs likely being due in the middle of April. U.S. companies that do business with or that have ties to countries such as China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela should review the potential implications of the forthcoming rules and consider whether to engage with the rulemaking process.

In addition to the ANPRMs, there are likely to be further rules and regulations promulgated based on the directives in the EO in the coming months. The EO’s accompanying Fact Sheet indicates that the Biden Administration will continue working with stakeholders in both the public and private sectors—including technology companies and advocates for privacy, safety, competition, labor, and human rights—to take actions protecting the privacy of Americans, particularly their most sensitive information.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Hogan Lovells | Attorney Advertising

Written by:

Hogan Lovells