The Biden Administration recently issued an Executive Order aimed at protecting Americans’ sensitive information and certain US Government data from threats posed by foreign actors. Of note is the Order’s focus on data brokers that may share data in bulk with foreign entities and/or individuals.

Following issuance of the Executive Order, the Department of Justice (DOJ) issued a notice outlining its future program under the Order, which identifies data-brokerage transactions involving bulk US sensitive personal data or certain government data as one of two types of “prohibited transactions.” (The other is transactions that provide certain foreign actors with bulk human genomic data or human biospecimens.) DOJ will release proposed rules for the program that will be open for public comment.

For restricted transactions – identified so far as vendor agreements, employment agreements, and investment agreements involving bulk data or government-related data – US entities will need to implement specific security requirements. These will be determined as part of DOJ’s program.

The new materials identify six categories of bulk US sensitive personal data that may trigger the new restrictions: (1) covered personal identifiers (the notice provides a list of identifiers such as SSN, financial account numbers, etc.); (2) personal financial data; (3) personal health data; (4) precise geolocation data; (5) biometric identifiers; and (6) human genomic data. DOJ is also considering a risk-based approach to defining bulk data, with different thresholds for different types of data. For example, human genomic data of more than 1,000 U.S. persons poses a high risk, while personal financial data for the same number of people would pose a low risk. “Government-related data” covered under the program (regardless of volume or “bulk”) includes geolocation data associated with military and sensitive facilities (to be included in a forthcoming Government-Related Location Data List) and certain sensitive personal data associated with current and former federal officials and contractors.

Importantly, DOJ says the program is not meant to broadly prohibit commercial transactions and it does not impose requirements to keep data within the US (although this may be required by other laws and regulations). The focus is on national security and imposing limits on certain transactions of particular concern.

Putting It Into Practice: The practical implementation of the Executive Order is still largely unknown, as critical definitions and parameters need to go through rulemaking. However, companies should determine what personal data they collect on the American public and U.S. Government employees or contractors, and when and how they transfer that data to other parties. This will be especially relevant to anyone in the government contracting, healthcare, technology, financial, or life sciences spaces, since the types of data handled by entities in those industries are a focus of this Executive Order.