[co-author: Tanvi Chopra]
On February 28, 2024, the Biden Administration issued Executive Order (EO) 13873, focused on restricting certain transactions involving Americans' personal data, as well as sensitive government data, to specific countries. According to the White House, the EO is in response to concerns that sensitive data, whether legally obtained through commercial relationships or stolen by state-sponsored threat actors, can be exploited for espionage, blackmail, intimidation, or to reveal insights about military populations.
Following the release of the EO, the Department of Justice (DOJ) released an Advance Notice of Proposed Rulemaking (ANPRM) to implement the EO's data transaction restrictions. As directed by the EO, several other agencies will take additional actions in coming months. Comments to the ANPRM are due within 45 days of publication in the Federal Register (approximately April 15, 2024). The DOJ must issue a proposed rule (an update from the ANPRM) on the data security program by August 27, 2024 (180 days from the issuance of the EO) [EO Sec. 2(c)].
Though regulations are not yet established, the EO and ANPRM envision broad new legal requirements to protect sensitive personal and government-related data:
- Prohibited data transactions with "countries of concern" and specified entities
- Mandatory security safeguards for commercial agreements, including investment, employer, and cloud service agreements
- Security safeguards and data transfer restrictions for federal assistance and grants
- License reviews for subsea Internet cables
Below is an overview of the EO and ANPRM.
Business Takeaways
EO 13873, the ANPRM, and related agency actions will introduce a new regulatory landscape for U.S. businesses conducting large-scale data transactions. Though the regulations are not yet finalized and may change, businesses should begin to consider the steps needed to prepare for compliance.
Understanding scope and applicability. Companies should determine whether they handle data defined by the EO and ANPRM, such as bulk sensitive personal data and sensitive government-related data. Companies should also assess whether they engage in the types of transactions that will be regulated by the proposed data security program, including commercial agreements that involve access to sensitive covered data. Companies should assess whether their transactions fall within an exemption.
Assess risk and compliance activities. Companies will be expected to establish a compliance program based on their individualized risk profile. Companies should consider undertaking a risk assessment based on their size, types of data handled, and transactional relationships with non-U.S. entities. Companies should adapt their compliance activities to manage the risks to covered sensitive information. This may include recordkeeping, due diligence, and "know your customer" processes for higher-risk operations. Companies should be aware of the factors influencing enforcement decisions and establish a process for voluntarily reporting non-compliance as a mitigating measure.
Security safeguards and data management. Companies should prepare to update vendor, employment, and investment agreements with security requirements to protect sensitive covered data. Technology vendors, such as cloud and software-as-a-service providers, should prepare to implement security safeguards for customers that manage sensitive covered data. This will likely include basic organizational cybersecurity safeguards, protections against unauthorized access, and auditing or monitoring.
Engagement with regulatory developments. Company legal, sales, and security teams should stay informed of regulatory requirements as they evolve in order to adapt compliance and transaction strategies accordingly.
Applicability
The regulated transactions are aimed at preventing U.S. persons from enabling "countries of concern" or "covered persons" to access or acquire sensitive data.
U.S. persons. U.S. persons include entities organized solely under U.S. laws (including foreign branches), U.S. citizens, individuals in the U.S., and lawful residents [EO, Sec. 7(n)].
Countries of concern. The DOJ proposes that "countries of concern" include China, Russia, Iran, North Korea, Cuba, and Venezuela—as well as territories controlled by these nations, such as Hong Kong and Macau [DOJ ANPRM, Sec. E, pg. 40].
Covered persons. The DOJ proposes that "covered persons" encompass 1) An entity owned, controlled, or subject to the jurisdiction or direction of a country of concern; 2) A non-U.S. person who is an employee or contractor of such an entity; 3) A non-U.S. person who is an employee or a contractor of a country of concern; and 4) A non-U.S. person who is primarily a resident of a country of concern. The DOJ proposes to maintain a list of covered persons, separately from international sanctions designations lists [DOJ ANPRM, Sec. II. E, pgs. 41-43].
Covered Data Transactions
The DOJ proposes restricting or regulating three categories of transactions:
Bulk sensitive personal data. U.S. persons would be prohibited from knowingly engaging in a transaction with countries of concern or covered persons that involves the sale, transfer, or access to bulk sensitive personal data. "Bulk" will be a defined volume of personal data that exceeds a threshold over a set period of time [DOJ ANPRM, Sec. II.B, pgs. 17-26].
Sensitive government-related data. U.S. persons would be prohibited from knowingly engaging in a transaction with countries of concern or covered persons that involves the sale, transfer, or access to sensitive government-related data, regardless of the volume of data [DOJ ANPRM, Sec. II.C, pg. 29].
Commercial agreements. Certain agreements would be required to implement security safeguards when they involve covered data transactions, i.e., access to bulk sensitive personal data or government-related data, and when a non-U.S. country or national has an interest in the transaction [DOJ ANPRM Sec. II.D, pgs. 32-39, 58-61]. The purpose of the safeguards is to prevent countries of concern or covered persons from accessing covered sensitive data. As directed by the EO, the security safeguards will be established by the Department of Homeland Security (DHS) in a separate upcoming public filing [EO, Sec. 2(d)]. The three types of agreements to be regulated are:
- Vendor agreements. This includes agreements for cloud computing services, such as software-as-a-service and infrastructure-as-a-service, involving access to covered sensitive data.
- Employment agreements. This includes agreements for employment, work performed as an independent contractor, and participation on a board or committee that involves access to covered sensitive data.
- Investment agreements. This includes agreements obtaining direct or indirect ownership rights in U.S. real estate or any U.S. legal entity that involves access to covered sensitive data. DOJ is considering excluding certain passive investments (such as purchase of publicly traded stock) and investments subject to the Committee on Foreign Investment in the United States (CFIUS).
Covered Sensitive Data Categories
The restricted transactions center on bulk sensitive personal data and sensitive government-related data. As directed by the EO, the DOJ ANPRM proposes definitions for each.
Bulk sensitive personal data. The ANPRM details six categories of personal data linked to U.S. individuals that cannot be transferred in bulk to countries of concern or covered persons. The bulk threshold is determined by the number of U.S. individuals or devices involved. The DOJ has not yet established the appropriate bulk threshold but is considering separate thresholds for each of the six categories of sensitive personal data. The categories include:
- Precise geolocation information. This includes real-time or historical data that identifies the physical location of an individual or device within a to-be-determined precision of meters or feet.
- Biometric identifiers. This includes facial images, voice prints, keyboard usage patterns, gait, and other physical and behavioral characteristics that identify an individual.
- Genomic data. This includes data representing DNA, genetic test results, and biological specimens from which DNA can be derived.
- Personal health data. This includes "individually identifiable health information" as defined under HIPAA, regardless of whether the information is collected by a covered entity or business associate.
- Personal financial data. This includes data about an individual's purchases, payment history, assets, liabilities, debts, and data in a credit or consumer report.
- Combinations of covered personal identifiers. This category encompasses listed personal identifiers in combination with each other or with other information linking the identifiers to individuals. These identifiers may be considered linked in a single covered data transaction or across multiple transactions over time. The listed identifiers include:
  - Contact or demographic data, such as name, birthdate, birthplace, zip code, residential or postal address, email address, phone number, or similar public account identifier;
  - Device or hardware identifiers, such as MAC address, SIM card number, or International Mobile Equipment Identity (IMEI);
  - Network identifiers, such as IP address or cookie data;
  - Account-authentication data, such as username and password or answers to security questions;
  - Advertising identifiers, such as mobile advertising IDs (MAIDs);
  - Full or truncated government ID or account numbers, such as a Social Security Number, driver's license or state identification number, passport number, or Alien Registration Number;
  - Full financial account or PIN numbers; and
  - Call detail data, such as customer proprietary network information (CPNI).
Government-related data. The ANPRM also details two categories of sensitive government data that cannot be transferred to countries of concern or covered persons, regardless of the volume of data. Those categories include:
- Precise geolocation data for any location on a to-be-determined list of specific geo-fenced areas associated with government, military, or sensitive facilities.
- Sensitive personal data (as defined above) that is marketed as linked or linkable to current or recent employees, contractors, or officials of the U.S. government, regardless of volume.
Exemptions and Licenses
Exemptions. The White House has made clear that these activities are not intended to be a general privacy regulation and are "aligned with the U.S.' longstanding support for trusted free flow of data." As directed by the EO, the data security program will contain several key exemptions from transaction restrictions [DOJ ANPRM, Sec. II.H, pgs. 53-58]. These include:
- Ordinary financial activities that entail processing payments and the transfer of personal financial data;
- Business operations such as payroll or human resources within multinational U.S. companies;
- Activities of the U.S. government and its contractors, employees, and grantees (such as federally funded health and research activities); and
- Transactions required or authorized by federal law or international agreements.
Licensing and advisory opinions. DOJ will establish a process to issue general and specific licenses, as well as advisory opinions. General licenses will give the flexibility to exempt or alter certain categories of otherwise-regulated transactions. Specific licenses would provide an opportunity to engage in a specific data transaction. Companies and individuals would also be able to request advisory opinions about the application of the regulations to specific transactions [DOJ ANPRM, Sec. J-K, pgs. 61-66].
Compliance
DOJ proposes a risk-based due diligence and recordkeeping compliance program modeled on compliance with OFAC sanctions. According to the ANPRM, "US companies and individuals would be expected to develop and implement compliance programs based on their individualized risk profiles, which may vary depending on a range of factors such as their size and sophistication, products and services, customers and counterparties, and geographic locations" [DOJ ANPRM, Sec. II.L, pg. 68].
If a violation occurs, DOJ would consider the effectiveness of the compliance program in any enforcement action. This includes factors such as whether engaging in a prohibited transaction was intentional, whether security safeguards were commensurate with the risks, and whether noncompliance was voluntarily reported.
DOJ is considering requiring specific due diligence, recordkeeping, and reporting in discrete circumstances (such as engaging in a covered data transaction, or pursuant to a license). This limited set of affirmative requirements may include "know your vendor" and "know your customer" requirements [DOJ ANPRM, Sec. II.L, pgs. 68-70].
Enforcement and Penalties
As described in the ANPRM, DOJ is considering a process to establish civil monetary penalties for violations, with mechanisms for pre-penalty notice, an opportunity to respond, and a final decision. Penalties could be based on noncompliance with the regulations, making material misstatements or omissions, and making false certifications or submissions [DOJ ANPRM, Sec. II.L, pgs. 70-71].
The regulations proposed by the DOJ's ANPRM will apply to individuals and entities who knew or should have known of the circumstances of the transaction. In determining what a U.S. person "should have known," the DOJ would take relevant facts and circumstances into account rather than apply a strict liability standard [DOJ ANPRM, Sec. II.G, pg. 48].
Other Agency Actions
Separately from the DOJ's data security program, the EO directs several other agencies to take additional steps to protect the security of sensitive covered data.
Submarine internet cables. The EO directs the Committee for the Assessment of Foreign Participation in the U.S. Telecommunications Services Sector (Team Telecom) to prioritize the review of licenses for submarine cable systems that are owned or operated by countries of concern, that are subject to the jurisdiction of countries of concern, or that terminate in countries of concern (such as Hong Kong). Team Telecom must revise licensing requirements to include, as appropriate, security safeguards identified by DHS to address risks to bulk sensitive personal data [EO, Sec. 3(a)].
Federal grants and assistance. Citing concerns regarding entities in the healthcare market, the EO directs the Departments of Defense, Health and Human Services, Veterans Affairs, and the National Science Foundation to issue guidance or requirements for federal assistance programs and grants. The purpose of the guidance or requirements is to prevent prohibited transactions and secure covered sensitive information [EO, Sec. 3(b)].
Consumer protection. The EO encourages the Consumer Financial Protection Bureau (CFPB) to use its legal authorities to provide greater protections for personal information and to limit the activities of data brokers [EO, Sec. 3(c)]. The Director of the CFPB announced that it would issue new rules later this year.