Executive Order Limits Sale or Transfer of Personal Data to Certain Countries
In Short
The Background: The U.S. Government has identified the exploitation of Americans' bulk sensitive personal data and U.S. government-related data by "countries of concern" as posing a national security risk.
The Result: On February 28, 2024, President Biden issued an Executive Order ("EO") that requires the development of rules to limit the ability of countries of concern to access personal and sensitive data.
Looking Ahead: The EO directs the Attorney General and several U.S. federal agencies to promulgate regulations to prevent or restrict certain transactions with and activities involving entities connected to countries of concern consistent with the EO.
The EO represents a major step by the U.S. Government to significantly limit the sale, access, sharing, and transfer of Americans' bulk "sensitive personal data" to jurisdictions deemed "countries of concern," such as China and Russia. According to the EO, this action was necessary because of the national security risks posed by actors in such jurisdictions using the data "to engage in espionage, influence, kinetic, or cyber operations." A key focus of the EO is the use of such data to train the models and algorithms of artificial intelligence ("AI") systems.
Importantly, the EO directs the following U.S. federal agencies to promulgate regulations:
- The Department of Justice ("DOJ") to protect Americans' "bulk" sensitive personal data from access and exploitation by countries of concern;
- The Department of Health and Human Services, Department of Defense, and Department of Veterans Affairs to help ensure that Federal assistance programs are not used to facilitate access to Americans' sensitive health data by countries of concern;
- The DOJ and Department of Homeland Security to issue security requirements to address unacceptable risk posed by covered "transactions" with countries of concern, which will be based upon the Cybersecurity and Privacy Frameworks developed by the National Institute of Standards and Technology; and
- The Consumer Financial Protection Bureau ("CFPB") to address the threats of data brokers selling and sharing Americans' sensitive personal data with countries of concern, including through existing consumer protection laws.
The term "sensitive personal data" includes genomic, biometric, personal health, geolocation, financial, and certain types of personal identifiers. The regulations contemplated by the EO will generally bar the selling or transfer in bulk of this data to countries of concern and vendors who are known to supply data to these countries. U.S. persons will be prohibited or otherwise restricted from engaging in transactions that allow the acquisition, holding, use, transfer, transportation, or exportation of bulk sensitive personal data that poses an unacceptable risk to the national security of the United States. The EO addresses conduct by entities owned by, and entities or individuals controlled by or "subject to the jurisdiction or direction of," a country of concern, even where the government of a country of concern has only indirect access to such data. The EO defines "access" broadly to include the "logical or physical access, including the ability to obtain, read, copy, decrypt, edit, divert, release, affect, alter the state of, or otherwise view or receive, in any form, including through information technology systems, cloud computing platforms, networks, security systems, equipment, or software."
The EO does not impose generalized data localization requirements to store bulk sensitive personal data or U.S. government-related data within the United States or to use data processing centers located in the United States—in fact, it expressly disclaims such requirements.
Although the EO clarifies that it does not broadly prohibit U.S. persons from conducting general commercial or financial transactions with entities located in such countries, such as China, there are significant ambiguities in the EO that need to be further clarified in the implementing regulations. In addition, it appears that there will be exemptions from, and licenses under, this general prohibition, but it is unclear what they will entail or how they will be used or obtained. As a result, companies should carefully monitor the DOJ's implementation of the EO, as it has the potential to significantly affect cross-border data exchange. The EO directs the Attorney General to publish proposed rules consistent with the EO within 180 days of the order.
Three Key Takeaways
- Companies should monitor DOJ and CFPB proposals for implementing the EO's policy goals; such regulations could have significant effects on cross-border data exchange and on data brokers' compliance requirements.
- Although the Attorney General has 180 days to publish proposed rules to implement the EO, companies should start to consider whether they may need to restructure their businesses to avoid transactions with covered persons that are prohibited or restricted by the EO.
- Relevant companies should review their internal bulk data transfer operations, including technology infrastructure, and other contractual arrangements to account for such requirements.