Safeguarding Data Privacy: Biden’s Executive Order to Protect Americans’ Sensitive Personal Data

Overview

On February 28, 2024, President Biden issued an “Executive Order on Preventing Access to American's Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” (“the EO”).

The EO directs the Department of Justice (DOJ), along with other federal agencies, to issue regulations that prevent bulk transfer of Americans' sensitive personal data—such as personal identifiers, geolocation and related sensor data, biometric identifiers, human ‘omic data, personal health data, personal financial data—to countries of concern (potentially China, Russia, Iran, North Korea, Cuba and Venezuela), when such access would impose an unacceptable risk to the national security of the US and impose safeguards on activities that might allow these countries to access Americans' sensitive personal data.

This Executive Order is part of a broader, ongoing effort by the U.S. government to protect sensitive personal data from foreign adversaries/countries of concern and expects the definition of sensitive personal data to evolve over time, particularly as AI capabilities advance, and emphasizes managing the risks involved with utilizing AI to obtain and process sensitive personal data. Read on to learn more.

In alignment with the objectives of the EO, the DOJ has issued an Advanced Notice of Proposed Rulemaking (ANPRM), which serves as an initial step in the regulatory formulation process– currently seeking public comment on various topics related to the implementation of the EO’s goals.

Understanding the Root of the Concern

The core of the concern lies in the potential for countries of concern posing a threat to the United States to leverage cutting-edge technology, like as artificial intelligence (AI), to their advantage by analyzing and modifying large quantities of sensitive personal data and utilizing it for espionage, influence, kinetic, malicious cyber-enabled activities., or other purposes.

Additionally, regardless of volume, access to particular categories of sensitive personal data connected with populations and sites affiliated with the Federal Government, including the military, may be utilized to disclose information about those populations and locations that compromise national security.

Countries of concern may also seek to access Americans’ sensitive personal data and data related to the US government to collect information on activists, academics, journalists, dissidents, political figures, members of non-governmental organizations, and members of marginalized communities. This information could be used to intimidate these individuals, stifle dissent or political opposition, restrict freedom of expression, peaceful assembly, or association, or enable other forms of civil liberties suppression.

The threat extends beyond direct access by governments of concern, as these governments may also gain indirect access to sensitive data through companies that are owned, controlled by, or operating under the influence of such countries. This broad and multifaceted risk landscape underscores the imperative to protect Americans' sensitive personal and governmental data from exploitation by adversaries.

Applicability

The EO aims at preventing ‘U.S. persons’ from enabling "countries of concern" or "covered persons" from accessing or acquiring sensitive data.

U.S. persons: Entities organized solely under U.S. laws (including foreign branches), U.S. citizens, individuals in the U.S., and lawful residents

‘Countries of concern’: Any foreign government that has engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or the security and safety of United States persons and poses a significant risk of exploiting bulk sensitive personal data or United States Government-related data to the detriment of the national security of the United States or the security and safety of United States persons. The DOJ proposes that "countries of concern" include China, Russia, Iran, North Korea, Cuba, and Venezuela—as well as territories controlled by these nations, such as Hong Kong and Macau.

Covered person: Any entity or individual with significant ties to countries considered threats to the United States. This includes:

• Entities that are owned or controlled by, or operating under the jurisdiction or directives of, a country of concern.
• Foreign individuals employed by or contracting with such entities, or directly employed or contracting with a country of concern.
• Foreign individuals residing primarily within the territorial jurisdiction of a country of concern.
• Any person identified by the Attorney General as (i) being owned or controlled by, or under the jurisdiction or direction of, a country of concern; (ii) acting on behalf of or claiming to act on behalf of a country of concern or another covered person; or (iii) knowingly causing or directing, either directly or indirectly, a violation of this EO or any of its implementing regulations.

Sensitive Personal Data Categories

Under the directives of the EO, the DOJ’s ANPRM outlines proposed definitions for categories of sensitive personal data pertaining to U.S. individuals, which are as follows:

• Precise geolocation information. This includes real-time or historical data that identifies the physical location of an individual or device within a to-be-determined precision of meters or feet.
• Biometric identifiers. This includes facial images, voice prints, keyboard usage patterns, gait, and other physical and behavioral characteristics that identify an individual.
• Genomic data. This includes data representing DNA, genetic test results, and biological specimens from which DNA can be derived.
• Personal health data. This includes individually identifiable health information as defined under HIPAA, regardless of whether the information is collected by a covered entity or business associate.
• Personal financial data. This includes data related to an individual's financial transactions and status, including account details, purchase history, and credit reports.
• Combinations of covered personal identifiers. This category encompasses listed personal identifiers in combination with each other or with other information linking the identifiers to individuals. These identifiers may be considered linked in single-covered data transactions or multiple transactions over time. The listed identifiers include personal and contact details, device and network identifiers, account security information, advertising IDs, government and financial account numbers, and call details.

These categories are restricted from being transferred in bulk to countries of concern or covered persons. The determination of what constitutes "bulk" will be based on the number of U.S. individuals or devices involved, with specific thresholds being considered for each category. For instance, for Human Genomic Data and Biometric Identifiers, the low threshold starts with data involving more than 100 U.S. persons, with a high threshold exceeding data on more than 1,000 U.S. persons. For Precise Geolocation Data, the thresholds are set differently for the number of U.S. devices rather than persons, reflecting the nature of the data collected.

Additionally, the ANPRM outlines categories of government-related data that are restricted from transfer, regardless of the volume:

• Geolocation data within specified geofenced areas related to certain military, government, and other sensitive facilities. This type of data could compromise national security by disclosing details about these critical locations and the U.S. persons affiliated with them.
• Sensitive personal data that is marketed as being linked or potentially linkable to individuals who are currently or have recently been employees or contractors, or senior officials of the U.S. government, including those in the military and Intelligence Community.

Key Aspects of the Executive Order

Prohibited and Restricted Transactions

Section 2 of the EO directs that the Attorney General, in cooperation with the Secretary of Homeland Security and other pertinent agency heads to issue proposed regulations that would prohibit or restrict  U.S. persons from engaging in transactions that involve sensitive personal data or US-related data with foreign countries of concern. Transactions are prohibited or restricted if they:

• Involve bulk sensitive personal data or US Government related data;
• Are identified within a class of transactions that has been determined by the Attorney General to pose an unacceptable risk to US national security;
• Were initiated, is pending, or will be completed after the effective date of the regulations issued by the Attorney General pursuant to this section;
• Does not qualify for an exemption provided in, or is not authorized by a license issued pursuant to, the regulations issued by the Attorney General in response to the EO; and
• Are not ordinarily incident to the provision of financial services.

Within 180 days following the EO, proposed regulations will be published for public comment. These regulations will:

• Identify prohibited and restricted transaction classes.
• Define countries of concern and covered persons.
• Establish mechanisms for clarity, licensing, and defining terms used in the order.

The classes of transactions that the DOJ is currently considering for prohibition include:

• Data-brokerage transactions; and
• Transactions that would provide a country of concern or covered person with access to bulk human genomic data” or “human biospecimens from which that human genomic data can be derived.

Additionally, the DOJ is considering placing restrictions on agreements that involve entities or countries of concern and concern bulk sensitive U.S. personal data or U.S. government-related data, specifically:

• Vendor agreements, including agreements for technology services and cloud-service agreements;
• Employment agreements; and
• Investment agreements.

For the restricted transactions, The Secretary of Homeland Security, through the Cybersecurity and Infrastructure Security Agency (CISA), will develop security requirements based on the National Institute of Standards and Technology's frameworks. This includes issuing interpretive and enforcement guidance.

Protecting Sensitive Personal Data

Section 3 of the EO addresses US national security concerns regarding the access of sensitive personal data in bulk and government data by countries of concern with a focus on three main areas:

• Enhanced Security Measures for Submarine Cable Systems Linked to Countries of Concern

To safeguard data that transits through submarine cable systems, particularly those owned, controlled by, or terminating in countries of concern, the EO directs that the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector to:

• Prioritize reviewing licenses for submarine cables linked to countries of concern.
• Develop and issue policy guidance on reviewing these licenses, assessing third-party risks, and access to data by countries of concern.
• Continuously address security risks by updating agreements and revising mitigation measures, including implementing security requirements for restricted transactions.

• Safeguarding Anonymized Health and Genomic Data Against Re-identification by Countries of Concern

To prevent countries of concern from accessing or re-identifying anonymized or pseudonymized personal health and genomic data of U.S. persons, the EO directs that:

• Key departments (Defense, Health and Human Services, Veterans Affairs, and the National Science Foundation) are to consider issuing regulations or guidance to prohibit or mitigate the risk of providing sensitive data to entities linked to countries of concern.
• These departments will develop guidance to help U.S. research entities protect sensitive data.
• A joint report detailing progress will be submitted to the President within one year.

• Mitigating Risks from Data Brokerage Industry

To address the risk posed by data brokers who facilitate access to sensitive personal and government-related data by countries of concern. The EO directs that:

• The Director of the Consumer Financial Protection Bureau (CFPB) is encouraged to use their legal authority to address threats from the data brokerage industry and enhance compliance with federal consumer protection laws, including pursuing rulemaking proposals identified in a 2023 advisory panel.

Assessing the National Security Risks Arising from Prior Transfers of United States Persons’ Bulk Sensitive Personal Data

Section 4 of the EO mandates a review of the national security risks related to the prior transfer of U.S. persons' bulk sensitive personal data to foreign entities that may pose a threat.

• Timeline for Recommendations: Within 120 days after the regulations from section 2 of the EO are effective, key officials—including the Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence—are tasked with drafting recommendations. These recommendations should focus on identifying, evaluating, and reducing national security risks stemming from the transfer of sensitive data to concerning countries.
• Review and Implementation: After these recommendations are made, the Assistant to the President for National Security Affairs (APNSA) has up to 150 days from when the regulations become effective to review them. Following this review, the APNSA, as deemed appropriate, will consult with the Attorney General, the Secretary of Homeland Security, and the heads of relevant agencies on how to best implement these recommendations, ensuring all actions are in accordance with applicable law

Report to the President

Section 5 mandates that within one year of the regulations' effective date of the regulations issued pursuant to section 2(c) of this EO, along with key department heads, must report to the President on the effectiveness of the EO’s measures against national security threats and their economic impact, including effects on U.S. industry's international competitiveness.

The Attorney General is also instructed to gather and consider public feedback on the EO’s economic implications.

Assessing Risks Associated with Human ‘omic Data

Section 6 of the EO mandates that within 120 days from the issuance of the EO, a comprehensive report is to be developed and submitted to the President via the Assistant to the President for National Security Affairs (APNSA). This task involves a collaborative effort among key positions and departments, including the APNSA, the Assistant to the President and Director of the Domestic Policy Council, the Director of the Office of Science and Technology Policy, and the Director of the Office of Pandemic Preparedness and Response Policy. They will consult with the Secretary of State, the Secretary of Defense, the Secretary of Health and Human Services, the Secretary of Veterans Affairs, the Director of the National Science Foundation, the Director of National Intelligence, and the Director of the Federal Bureau of Investigation.

The objective of the report is to:

• Assess the potential risks and benefits associated with regulating transactions involving various types of human ‘omic data (excluding human genomic data), such as proteomic, epigenomic, and metabolomic data.
• Provide recommendations on the extent to which these transactions should be regulated under section 2 of the EO.

The evaluation will specifically address:

• The potential risks these transactions pose to U.S. persons and national security.
• The economic and scientific implications of imposing regulations on transactions that allow entities of concern or covered persons to access these types of data.

Conclusion

In essence, President Biden's Executive Order reflects a proactive stance on national security, recognizing the critical importance of data protection in the digital age. It reflects an acknowledgment of the multifaceted nature of modern threats and the crucial role of data protection in safeguarding the United States and its citizens against foreign adversaries and offers a holistic strategy for increasing the security of sensitive personal data against external threats/countries of concern.