On February 28, 2024, President Biden issued a new Executive Order in order to better secure the private data of U.S. citizens from being exploited by foreign adversaries of the United States. By issuing his Executive Order on Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern, President Biden has directed the U.S. Department of Justice (“DOJ”), in conjunction with Homeland Security, to promulgate regulations that will enact the goals of this Order. Ultimately, these regulations will be tailored to prevent bulk data from U.S. citizens from ending up in the hands of U.S. adversaries.
President Biden issued this Order pursuant to his powers under the International Emergency Economic Powers Act (50 U.S.C. 1701 et seq.) (“IEEPA”), which is the same authority that grants his powers to issue orders instituting the various sanctions programs. As such, this order includes some aspects that many sanctions compliance practitioners will recognize. For example, the Order will prohibit violations either “directly or indirectly.” Indirect violations can be a challenge for compliance officers, as this typically means that a company may need to understand what happens with the data past simply just who the buyer is. Turning to parallels in sanctions compliance, U.S. companies can risk violations by selling products to distributors that in turn sell those goods to prohibited entities. As such, these transactions will now likely require elevated due diligence to better understand potential counterparties, with strong care taken to identify and review any potential red flags.
In similar parallels with sanctions regulations, the Order includes a general catch all for “[a]ny transaction or other activity that has the purpose of evading or avoiding, causes a violation of, or attempts to violate any of the prohibitions promulgated pursuant to this section is prohibited.” Sanctions evasion has been a significant focus for regulators as of recent, so those same aggressive enforcement tactics will likely be applied to protecting data as well. Further, “causing a violation” can give regulators a sort of extraterritorial reach, as we have seen in the past.
While the “countries of concern” were not yet spelled out, we can reasonably make an educated guess at several of the countries that will be included. I would expect these restrictions to dovetail closely with existing sanctions programs. The number one target for this order will almost certainly be China, as the country is well known to be a significant risk in this regard already. The White House spokeswoman specifically referenced TikTok, the popular social media platform, as a potential Chinese data risk. The app is suspected of collecting significant amounts of data from its extensive userbase and funneling it all back to its headquarters in China. Further targets will certainly include Russia, as they are on the receiving end of significantly escalating sanctions restrictions. Further countries of concern will likely include Iran, North Korea, Cuba, and Venezuela.
While some of these countries are already off limits based on sanctions embargos, it is still important to establish these regulations around bulk data to better deal with modern threats. In this order, President Biden notes that “[a]ccess to Americans’ bulk sensitive personal data or United States Government-related data increases the ability of countries of concern to engage in a wide range of malicious activities.” The order references several data-related threats that our country now faces, including the use of artificial intelligence, espionage, and foreign influence campaigns, all of which require large troves of data and become significantly more effective with better and more targeted information.
To deal with these threats, this Order restricts the access of bulk sensitive personal data and US government-related data. Bulk sensitive data includes a variety of items, including “genomic data, biometric data, personal health data, geolocation data, financial data, and certain kinds of personal identifiers.” Further regulations will provide additional clarity on the precise definitions of each of these items. This order comes at a time when the well-known 23andMe company teeters on the brink of bankruptcy, with many wondering what will become of its vast trove of sensitive genetic data in such a process.
The Order further focuses on data brokers, or those entities engaged in the collection and processing of bulk data from US citizens. These entities profit—usually handsomely—by aggregating and selling this data to the highest bidders. Through this order, President Biden has encouraged the Consumer Financial Protection Bureau (“CFPB”) to take their own steps to ensure Americans are protected from these data brokers. Other avenues countries may use to obtain this data include third-party vendor agreements, employment agreements, investment agreements, or other related arrangements. China is well known to require companies provide access to all sorts of information, include sensitive data and intellectual property, so requiring access to bulk data is not unusual. Companies should begin to evaluate these arrangements sooner rather than later.
