New Executive Order Seeks to Protect Americans’ Sensitive Personal Data

Introduction

On February 28, 2024, President Biden signed Executive Order 14117, titled “Preventing Access to Americans’ Bulk Sensitive Data and United States Government-Related Data by Countries of Concern” (EO), marking a significant step in safeguarding national security and personal privacy. This executive action responds to the urgent need to protect Americans’ sensitive personal data and U.S. government-related information from exploitation by certain nations deemed as “countries of concern.” By expanding existing authorities and addressing gaps in regulatory frameworks, the EO seeks to mitigate the growing threats posed by unauthorized access to biometric, financial, genomic, geolocation, and health data, thereby safeguarding against cyber-enabled activities, espionage, and other nefarious acts.

 

Background and purpose

President Biden’s issuance of the Executive Order on Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern (EO) reflects a strategic response to the evolving landscape of cyber threats and data vulnerabilities. Recognizing a critical deficiency in current national security measures, the EO expands upon previous executive orders, including EO 13873 issued by former President Trump in May 2019 and EO 14034 issued by President Biden in June 2021. These prior directives laid the groundwork for securing information and communications technology and services supply chains and protecting Americans’ sensitive data from foreign adversaries, respectively. However, the escalating risk of certain countries accessing sensitive personal data through commercial relationships necessitated a more comprehensive approach.

 

Grounded in the authority of the International Emergency Economic Powers Act (IEEPA), the EO augments the scope of the national emergency declared in EO 13873, further addressing the perceived threat posed by countries of concern. 

Specifically, the EO aims to mitigate risks stemming from sales, licensing, vendor engagements, employment, and investments that could facilitate unauthorized access to Americans’ sensitive personal data and U.S. government-related information. Such access, fueled by advancements in artificial intelligence and data analytics, poses significant risks, including cyber-enabled activities, espionage, tracking of military personnel, and blackmail.

While legislative efforts, such as the Foreign Investment Risk Review Modernization Act of 2018 and President Biden’s 2022 Executive Order 14083, have acknowledged the national security implications of accessing sensitive personal data, existing laws fall short of addressing the comprehensive regulatory framework needed to safeguard against emerging threats. Consequently, the EO seeks to fill this regulatory gap by holistically regulating transactions involving U.S. persons’ sensitive personal data, thereby bolstering national security in the face of evolving cyber threats.

Program summary 

The U.S. Department of Justice (DOJ) has clarified in explicit terms that the Advance Notice of Proposed Rulemaking (ANPRM) does not comprehensively outline all potential approaches for finalizing regulations in line with the Executive Order (EO). Nonetheless, the ANPRM offers detailed insights into crucial considerations, outlining specific parameters. In broad terms, it highlights prohibited categories of transactions involving substantial amounts of sensitive personal data, as well as restricted transaction categories that may proceed if they adhere to predefined security requirements. It is noteworthy that the DOJ does not plan to undertake a case-by-case assessment akin to CFIUS or Team Telecom. 

Country of concern 

In the realm of safeguarding national security, the recent Executive Order (EO) has cast its net wide, homing in on the transfer of sensitive personal data to what it deems “countries of concern.”

These nations under scrutiny, as per the Department of Justice (DOJ)’s deliberations, may encompass China (encompassing Hong Kong and Macau), Russia, Cuba, Iran, Venezuela, and North Korea. But the scope doesn’t end there; the DOJ contemplates an expansive interpretation of “covered persons,” extending to individuals and entities subject to the jurisdiction of a “country of concern,” including foreign employees and contractors associated with said entities. To mitigate the risk of data ‘re-export’ to these countries, the DOJ is pondering requirements for foreign persons not falling under the covered persons category to refrain from reselling or providing access to restricted data to either a “country of concern” or a “covered person.”

Covered persons 

The EO meticulously defines “covered persons,” enveloping various entities and individuals within its ambit:

  1. Entities Under Scrutiny: Any entity owned by, controlled by, or subject to the jurisdiction or direction of a country flagged as a concern, which the DOJ contemplates defining as those predominantly owned by, controlled by, or with their principal place of business in such a country.
  2. Foreign Personnel Ties: Foreign individuals who serve as employees or contractors for the aforementioned scrutinized entities.
  3. Affiliation with Concerned Countries: Foreign individuals engaged as employees or contractors directly under a country of concern’s banner.
  4. Territorial Residence: Foreign individuals primarily residing within the territorial jurisdiction of a country of concern.
  5. DOJ Designations: Lastly, any foreign individual or entity branded by the DOJ as a covered person, whether due to being controlled by an identified covered person or for knowingly instigating or orchestrating a violation of the EO. In the case of item (5), the DOJ anticipates the establishment and upkeep of a roster of covered persons akin to the Office of Foreign Assets Control (OFAC) listings, ensuring transparency and accountability in enforcement.

Layers of covered sensitive personal data 

Within the intricate framework of the Executive Order (EO), lies the delineation of what constitutes sensitive personal data, a pivotal aspect of the regulatory landscape. The EO meticulously categorizes sensitive personal data to encompass the following:
 
  1. Covered Personal Identifiers: The identifiers that link data to a specific individual, which the EO treats as the foundation of its provisions.
  2. Precise Geolocation and Related Sensor Data: Exact location coordinates and the sensor-derived data associated with them.
  3. Biometric Identifiers: Unique biological markers used to identify an individual.
  4. Human Genomic Data: Data describing an individual’s genetic makeup.
  5. Personal Health Data: Data about an individual’s medical history and state of health.
  6. Personal Financial Data: Data describing an individual’s financial activity.

Expounding upon these terms, the Advance Notice of Proposed Rulemaking (ANPRM) delves into the nuances, particularly proposing an expansive definition for “covered personal identifiers.” This broad interpretation may encompass classes of personally identifiable data reasonably linked to an individual, whether in combination with each other, with other sensitive data, or with data disclosed by a transacting party. The proposed roster of identifiers under scrutiny spans a spectrum, including but not limited to:

  1. Full or truncated social security numbers.
  2. Financial account numbers.
  3. Device-based or hardware-based identifiers.
  4. Demographic or contact data (excluding data solely linked to other demographic or contact data).
  5. Advertising identifiers such as Google Advertising IDs.
  6. Authentication data such as account usernames.
  7. Network-based identifiers such as IP addresses (excluding data solely linked to other network-based identifiers).

However, notably absent from this list is web-browsing history, indicative of the delineation and prioritization of sensitive data types.

 

Bulk threshold

In the intricate web of data transactions, the EO introduces the concept of bulk thresholds, serving as pivotal markers for regulation. These thresholds, if breached, trigger the regulatory apparatus, thereby ensuring heightened scrutiny and oversight. The Department of Justice (DOJ) contemplates adopting bulk thresholds within specified ranges, although exempting certain transactions involving U.S. Government-related data from these thresholds. Notably, data transactions involving sensitive personal data of U.S. Government personnel or precise geolocation data for sensitive locations remain subject to regulation, irrespective of transaction volume.
 

Government data unveiled 

At the heart of the Executive Order (EO) lies the meticulous definition of “U.S. Government-related data,” a term that holds significant implications for national security. 

The EO intricately defines this category to encompass sensitive personal data deemed by the Attorney General to present an elevated risk of exploitation by countries of concern, with the intent to undermine United States national security.

This data, irrespective of volume, carries the potential to:

  1. Identify Government Personnel: Data capable of identifying current or recent former U.S. government employees or contractors, as well as former senior officials, including military personnel. 
  2. Linked to Sensitive Government Locations: Data associated with locations of strategic importance to the U.S. government.

The Advance Notice of Proposed Rulemaking (ANPRM) further elucidates this definition by contemplating its expansion to include:

 
  1. Precise Geolocation Data: Any data pinpointing locations listed on the “Government-Related Location Data List,” marking them as sensitive and subject to heightened scrutiny.
  2. Marketing Linkage: Sensitive personal data marketed as connected or linkable to current or recent U.S. government employees, contractors, and former senior officials.

Exclusions: Parsing the limits of sensitive personal data 

Within the realm of sensitive personal data, certain exclusions carve out boundaries, delineating what falls beyond the purview of heightened scrutiny. These exclusions encompass:

  1. Public Record Data: Information lawfully and generally available to the public, exempt from the classification of sensitive personal data.
  2. Personal Communications: Private exchanges and interactions shielded from scrutiny.
  3. Expressive Information: Artistic creations, videos, publications, and similar forms of expression, safeguarded from heightened regulatory oversight.

Covered transactions 

The Executive Order (EO) introduces a multifaceted regulatory framework governing data transactions, meticulously crafted to mitigate the risk of access by countries of concern to bulk U.S. sensitive personal data. Within this intricate landscape, the EO categorizes transactions into two distinct tiers:
 
Prohibited Transactions: These transactions, deemed by the Department of Justice (DOJ) to pose an unacceptable risk of access by countries of concern, are outright prohibited. The definition of “access” spans a spectrum, encompassing any logical or physical interaction that enables the acquisition, manipulation, or release of data in any form. The EO identifies two primary categories of prohibited transactions:
 
  • Data-brokerage transactions: Involving the sale, licensing, or similar commercial transactions of bulk sensitive personal data or U.S. Government-related data.
  • Genomic-data transactions: Encompassing the transfer of bulk human genomic data or biospecimens capable of yielding such data.

Restricted Transactions: Transactions falling under this category pose a risk of access that can be mitigated by implementing specific security requirements. These transactions include:

 
  • Vendor agreements for goods and services.
  • Employment agreements.
  • Investment agreements, excluding certain passive investments.

The enforcement of security requirements aims to curtail the risk of access by countries of concern or covered persons. The Cybersecurity and Infrastructure Security Agency, in collaboration with the DOJ, will spearhead the formulation and publication of these requirements, drawing from the Cybersecurity and Privacy Framework developed by the National Institute of Standards and Technology.
 

Exempt transactions unveiled: carving out exceptions

Amidst the regulatory landscape, certain transactions emerge as exempt from heightened scrutiny, encompassing:

  1. Financial services, including banking, capital markets, and financial insurance services.
  2. Ancillary business operations within multinational U.S. companies.
  3. Activities involving the U.S. Government, its contractors, employees, and grantees.
  4. Transactions mandated or authorized by federal law or international agreements.

Licensing and enforcement 

The DOJ contemplates a licensing regime modeled on the framework administered by the Office of Foreign Assets Control (OFAC), granting authorization for transactions otherwise prohibited or restricted. Additionally, the DOJ envisages establishing a compliance and enforcement program akin to the economic sanctions program governed by the International Emergency Economic Powers Act (IEEPA). Penalties for violations could reach up to $368,136 per violation, encompassing civil and criminal penalties, with liability based on a knowledge standard.
 

Strengthening existing authorities

The EO further directs additional measures to bolster existing authorities in addressing data-security risks, including:

  1. Prioritizing reviews of submarine cable system licenses owned or operated by countries of concern.
  2. Evaluating federal funding to prevent access to bulk sensitive personal data by countries of concern.
  3. Addressing the role of data brokers in contributing to national security risks.

Prior transfers and additional OMIC data: assessing risk and mitigation

Within a 120-day timeframe, the DOJ, DHS, and the Director of National Intelligence, in consultation with relevant agencies, are tasked with recommending actions to detect, assess, and mitigate national security risks stemming from prior transfers of bulk sensitive personal data to countries of concern. Additionally, regulators are mandated to assess the risks and benefits of regulating transactions involving additional ‘omic data beyond human genomic data and propose appropriate regulatory measures.

Author:

Kosha Doshi, Final Year Student at Symbiosis Law School Pune and Legal Intern, Data Privacy and Digital Law, at Eu Digital Partners
Kosha is also a co-author of “Facial Recognition at CrossRoads: Policy Perspectives on Disruption and Innovation,” at the Closing the Gap 2023 | Emerging and Disruptive Technologies: Regional Perspectives Conference in the Hague, Netherlands.