Executive Order Directs DOJ to Issue Data Security Regulations to Address National Security Concerns

March 4, 2024

Key Points

  • On February 28, 2024, President Biden issued a highly anticipated EO on Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern, which directs DOJ to issue regulations to prohibit or otherwise restrict transactions that could give persons from countries of concern, such as China, access to bulk sensitive personal data of U.S. citizens or to U.S. government-related data (regardless of volume).
  • DOJ has issued an Advance Notice of Proposed Rulemaking setting forth the proposed scoping of key terms for these regulations, including the initial categories of covered transactions, and seeking public comment on 114 questions, with a 45-day comment period.
  • When the regulations become effective, certain transactions with Chinese-owned or -controlled entities and certain other China-related entities and individuals (or those from other countries of concern) involving six types of sensitive personal data will be prohibited, while other categories of “restricted transactions” may proceed only if the U.S. person complies with predefined security requirements.
  • The six categories of sensitive personal data include geolocation data, biometric identifiers, human genomic data, personal health data, personal financial data, and specified personal identifiers. In most cases, DOJ is considering adopting bulk thresholds for covered transactions that range from 100 U.S. persons to one million U.S. persons, depending on the type of sensitive personal data involved.
  • Given the relatively broad proposed scope of restricted transactions, due to both the types of agreements covered (vendor, employment and investment) and the number of “personal identifiers” that may be covered, a wide range of businesses may need to implement security requirements to undertake transactions with covered persons.
  • DOJ, in coordination with DHS, will issue the regulations implementing the program, and DHS is taking the lead on the security requirements for the restricted transactions. The EO directs DOJ to issue draft regulations within 180 days of the EO (by August 26, 2024). This new program therefore will not become effective until late 2024 at the earliest.

Background and Purpose

President Biden issued the Executive Order on Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern (EO) to address a perceived gap in existing national security authorities, expanding a national emergency determination to include the “unusual and extraordinary threat” posed by the continuing effort of certain countries of concern to access Americans’ sensitive personal data and U.S. government-related data. This action reflects growing concern within the U.S. government about persons from China and other countries of concern accessing Americans’ sensitive personal data through sales, licensing, vendor, employment, investment and similar commercial relationships, and sharing this information with adversarial governments. It further reflects concern that such transactions and relationships could enable these countries to use biometric, financial, genomic, geolocation or health data to engage in malicious cyber-enabled activities, espionage, tracking of military and national security personnel, blackmail or other nefarious activities. Advances in artificial intelligence and data analytics have exacerbated this risk.

Specifically, the EO, which was issued under the authority of the International Emergency Economic Powers Act (IEEPA), expands the scope of the national emergency declared in EO 13873, Securing the Information and Communications Technology and Services Supply Chain (ICTS), issued by former President Trump in May 2019, and addressed in EO 14034, Protecting Americans’ Sensitive Data from Foreign Adversaries, issued by President Biden in June 2021, which clarified how EO 13873 would apply to ICTS transactions involving “connected software applications.” Among other things, EO 14034 directed relevant agencies to develop recommendations to protect against harm from the unrestricted sale of, transfer of or access to U.S. persons’ sensitive data by persons owned or controlled by, or subject to the jurisdiction or direction of, a foreign adversary.

Other authorities have similarly recognized the potential threats to national security posed by access to U.S. persons’ sensitive data. For example, the Foreign Investment Risk Review Modernization Act of 2018 expanded the authority of the Committee on Foreign Investment in the United States (CFIUS) to review a greater number of investments into U.S. businesses that collect or maintain sensitive personal data, and President Biden’s 2022 Executive Order 14083 on Ensuring Robust Consideration of Evolving National Security Risks by the Committee on Foreign Investment in the United States identified access to sensitive personal data, including health and biological data, as a key consideration for CFIUS’s risk analysis. However, while CFIUS and the Committee for the Assessment of Foreign Participation in the U.S. Telecommunications Services Sector (Team Telecom) can address risks arising in particular transactions, the United States does not have a comprehensive data privacy law, and existing laws do not address the national security risks posed by access to sensitive personal data through commercial transactions. Accordingly, the EO seeks to more holistically regulate transactions involving U.S. persons’ sensitive personal data to mitigate the risks associated with access to such data by countries of concern.

Summary of the Program

Although the U.S. Department of Justice (DOJ) states explicitly that the Advance Notice of Proposed Rulemaking (ANPRM) does not identify the full scope of approaches that DOJ might take in finalizing regulations to implement the EO, the ANPRM provides extensive insight on key parameters under consideration. Generally speaking, the ANPRM identifies categories of transactions involving bulk quantities of sensitive personal data that will be prohibited as well as categories of restricted transactions that may proceed if they comply with predefined security requirements. Importantly, DOJ does not intend to conduct a case-by-case review like CFIUS or Team Telecom.

Countries of Concern. DOJ is considering identifying the same set of jurisdictions on the Department of Commerce’s (Commerce) list of “foreign adversaries,” identified under the ICTS regulations, as the relevant “countries of concern” for purposes of this new program, i.e., China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba and Venezuela.

Covered Persons. The EO defines covered persons to include the following categories of entities and individuals:

    1. An entity owned by, controlled by or subject to the jurisdiction or direction of a country of concern, which DOJ proposes to define as majority owned by, controlled by or with its principal place of business in a country of concern.
    2. A foreign person who is an employee or contractor of such an entity.
    3. A foreign person who is an employee or contractor of a country of concern.
    4. A foreign person who is primarily resident in the territorial jurisdiction of a country of concern.
    5. A foreign person or entity that is designated by the DOJ as a covered person, including due to being controlled by a covered person identified above or knowingly causing or directing a violation of the EO.

With respect to item (5), DOJ expects to publish and maintain a list of covered persons similar to those of the Office of Foreign Assets Control (OFAC).

Covered Sensitive Personal Data.

Sensitive Personal Data. The EO defines sensitive personal data to include the following:

    1. Covered personal identifiers.
    2. Precise geolocation and related sensor data.
    3. Biometric identifiers.
    4. Human genomic data.
    5. Personal health data.
    6. Personal financial data.

The ANPRM elaborates on these terms, including in particular proposing a relatively broad definition for “covered personal identifiers,” which could include classes of personally identifiable data that are reasonably linked to an individual, whether in combination with each other, with other sensitive data or with other data disclosed by a transacting party. The proposed list of identifiers under consideration includes, among others, (a) full or truncated social security numbers; (b) financial account numbers; (c) device-based or hardware-based identifiers; (d) demographic or contact data (but not if such data is only linked to other demographic or contact data); (e) advertising identifiers such as the Google Advertising ID; (f) authentication data such as account usernames; and (g) network-based identifiers such as IP addresses (but not if such data is only linked to other network-based identifiers). It does not include, for example, web-browsing history.

Bulk Thresholds. The program will generally regulate the specified categories of data transactions in the six categories of sensitive personal data only if the transactions exceed certain bulk thresholds. DOJ is considering adopting bulk thresholds within the ranges set forth below. However, those bulk volume thresholds would not apply to transactions involving certain U.S. Government-related data; the program will regulate data transactions involving sensitive personal data on certain U.S. Government personnel or precise geolocation data for sensitive locations regardless of the volume of such data.

Government Data. The EO defines “U.S. Government-related data” to mean “sensitive personal data that, regardless of volume, the Attorney General determines poses a heightened risk of being exploited by a country of concern to harm United States national security” and that (i) can be used to identify current or recent former U.S. government employees or contractors and former senior U.S. government officials, including the military; or (ii) is linked to sensitive U.S. government locations. As explained in the ANPRM, DOJ is considering including within that definition (1) any precise geolocation data for any location specified on a list of enumerated sensitive locations that the ANPRM refers to as the “Government-Related Location Data List” and (2) any sensitive personal data that a transacting party markets as linked or linkable to current or recent U.S. government employees, contractors and former senior officials.

Exclusions. Sensitive personal data will not include data that is a matter of public record and is lawfully and generally available to the public, personal communications, or expressive information (e.g., videos, artwork or publications).

Covered Transactions. The program will regulate data transactions based on the risk of access by countries of concern to bulk U.S. sensitive personal data. The prohibited transactions will be those that DOJ determines pose an unacceptable risk of access by countries of concern, while the restricted transactions will be those that DOJ determines pose a risk of access that can be mitigated by certain security requirements. “Access” is defined as any logical or physical access, including the ability to obtain, read, copy, decrypt, edit, divert, release, affect, alter the state of, or otherwise view or receive, in any form.

The ANPRM identifies two categories of prohibited data transactions between U.S. persons and countries of concern or covered persons, based on an unacceptable risk of access by countries of concern:

    1. Data-brokerage transactions, which would be defined as a sale of, licensing of access to, or similar commercial transaction involving the transfer of bulk sensitive personal data or U.S. Government-related data.
    2. Genomic-data transactions involving the transfer of bulk human genomic data or biospecimens from which such data can be derived.

In addition, the ANPRM identifies three categories of restricted data transactions, based on a risk of access:

    1. Vendor agreements involving the provision of goods and services (including cloud-service agreements).
    2. Employment agreements.
    3. Investment agreements, i.e., any agreement in which a person obtains direct or indirect ownership or rights in relation to U.S. real property or U.S. entities but excluding certain passive investments.

These restricted data transactions will be prohibited unless certain security requirements are implemented, including organizational, transaction and compliance requirements, which are intended to mitigate the risk of access by countries of concern or covered persons. DHS, through the Director of the Cybersecurity and Infrastructure Security Agency, will coordinate with DOJ to propose, seek public comment on, and publish these security requirements, which will be based on the Cybersecurity and Privacy Framework developed by the National Institute of Standards and Technology.

Exempt Transactions. The ANPRM contemplates exempting transactions that are:

    1. Ordinarily incident to and part of financial services, including banking, capital markets and financial insurance services, as well as payment processing and regulatory compliance.
    2. Ordinarily incident to and part of ancillary business operations (such as payroll or human resources) within multinational U.S. companies.
    3. Activities of the U.S. Government and its contractors, employees and grantees.
    4. Transactions required or authorized by federal law or international agreements.

Licensing and Advisory Opinions. DOJ is considering a licensing regime modeled on OFAC’s regime, which would authorize transactions that would otherwise be prohibited or restricted through the issuance of general and specific licenses, as well as enabling companies and individuals to request advisory opinions about the application of the regulations to specific transactions.

Penalties. DOJ is also contemplating creating and implementing a compliance and enforcement program modeled on the IEEPA-based economic sanctions program administered by OFAC. Because DOJ’s new program would be similarly authorized under IEEPA, DOJ will be able to assess penalties up to the maximum allowable under IEEPA, which is currently $368,136 per violation. This could include both civil and criminal penalties. DOJ currently intends to apply a knowledge standard for violations, i.e., not a strict liability standard; rather, DOJ contemplates that liability will be based on a standard of whether the U.S. person knew or should have known it was engaging in a violation.

Directions to Other Agencies. The EO also directs the following additional steps to enhance existing authorities to address data-security risks:

    • Directs Team Telecom to prioritize reviewing existing licenses for submarine cable systems owned or operated by country-of-concern entities or landing in a country of concern and to take further steps to address data-security risks on an ongoing basis.
    • Directs the Department of Health and Human Services (HHS) and certain other agencies to consider taking steps to prohibit federal funding that enables access to bulk sensitive personal data of U.S. citizens, including personal health data and human genomic data, by countries of concern and covered persons, or to impose mitigation measures (e.g., security requirements). These agencies are directed to publish guidance to assist U.S. research entities in ensuring protection of their bulk sensitive personal data. Within one year, these agencies must jointly submit a report to the President detailing their progress in implementing these aspects of the EO.
    • Encourages the Consumer Financial Protection Bureau to address the role that data brokers play in contributing to these national security risks.

Other Key Items

    • Prior Transfers: The EO directs DOJ, DHS and the Director of National Intelligence, in consultation with relevant agencies, to recommend within 120 days actions to detect, assess and mitigate national security risks arising from prior transfers of bulk sensitive personal data to countries of concern. The ANPRM notes that the program will not apply retroactively but that DOJ may request information about transactions that occurred before the issuance of the EO.
    • Additional Human ‘omic Data: HHS and other regulators must also, within 120 days, assess and report on the risks and benefits of regulating transactions involving “human ‘omic data” other than human genomic data (such as human proteomic data, human epigenomic data and human metabolomic data) and recommend the extent to which such transactions should be regulated.

Next Steps

Public Comment. DOJ seeks public comment on the impact of these regulations and asked for feedback on 114 specific questions. The comment period will run for 45 days after official publication of the ANPRM, likely until around April 19, 2024, and DOJ will consider these comments as it prepares draft regulations implementing the program.

Regulations. DOJ must issue draft regulations within 180 days of the issuance of the EO (by August 26, 2024), and the draft regulations will likely have another comment period of 30–45 days, which DOJ will then consider before it issues final regulations. This new program, therefore, will not become effective until late 2024 at the earliest. In addition, the ANPRM notes that DOJ will decline to regulate restricted transactions until the security requirements are published and become effective.

Congressional Outlook. Sens. Gary Peters (D-MI) and Bill Hagerty (R-TN), along with Reps. Mike Gallagher (R-WI) and Raja Krishnamoorthi (D-IL), Chair and Ranking Member of the House Select China Committee, recently introduced bipartisan, bicameral legislation to safeguard Americans’ genetic data and personal health information from foreign adversaries, the Prohibiting Foreign Access to American Genetic Information Act of 2024. Congress also has scrutinized countries of concern’s access to communications networks, with the House Energy and Commerce Committee recently convening a hearing to explore needed legislative action, with a focus on the influence of China-based companies like Huawei Technologies Co. Ltd. in the global telecommunications industry. While lawmakers in Congress will continue to work to advance legislation to prevent access to Americans’ sensitive data by foreign adversaries, the prospects of passage during the 118th Congress remain unlikely given other congressional priorities in the near term.

Comparison to Other Data Protection Regimes

The EO and ANPRM do not purport to create an entirely new data protection regime in the United States similar to the European Union (EU) General Data Protection Regulation (GDPR). The U.S. approach is more surgical, not imposing massive restrictions on all transfers of personal information, but rather limiting restrictions to bulk transfers of sensitive personal data and U.S. government-related data (regardless of volume) to countries of concern.

While jurisdictions around the world have long had significant restrictions on export of personal data, this is the first step in that direction for the United States. For example, both China and Russia have myriad strict data localization laws, and China, in particular, imposes criminal sanctions on those mishandling personal data of Chinese citizens. The EO seeks to take a balanced approach, clarifying that the order is not authorizing the imposition of generalized data localization requirements or requirements to store or process covered data in the United States.

Additionally, Europe, which has been on the cutting edge of individual privacy protection for decades, has long held restrictions on the export of personal data of individuals in the EU, including under the EU Data Protection Directive, and followed by the EU GDPR. Such restrictions have been further clarified through relevant guidance stemming from the decisions in Schrems I and Schrems II.

The EO and ANPRM bring the United States closer to the emerging international standards restricting cross-border transfers of personal data.

***

Akin’s international trade, data protection and lobbying & public policy practices will closely track implementation of the EO’s directives and the resulting opportunities for industry engagement, as well as parallel congressional efforts.


1 The ANPRM includes examples that illustrate the potential scope of these restricted transactions.

© 2024 Akin Gump Strauss Hauer & Feld LLP. All rights reserved.