Executive Order Prohibits Transfer of Sensitive Personal Data to “Countries of Concern”

by Patrick J. Austin and John Pilch

From left to right: Patrick J. Austin and John Pilch

On February 28, 2024, U.S. President Joe Biden issued the Executive Order on Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern (EO), which authorizes the U.S. Attorney General to restrict large-scale transfers of personal data to “countries of concern.” The “countries of concern” identified in the EO include China (along with Hong Kong and Macau), Russia, Iran, North Korea, Cuba and Venezuela, according to a summary issued by the White House.

Regulating the Data Broker Industry

The EO represents a concerted effort to rein in and regulate the data broker industry. News reports indicate that there is concern over companies collecting increasing amounts of personal data (including granular data) and monetizing it through transactions with U.S. adversaries.

With the objective of regulating data brokers in mind, the EO encourages the Consumer Financial Protection Bureau (CFPB) to “consider taking steps, consistent with CFPB’s existing legal authorities, to protect Americans from data brokers that are illegally assembling and selling extremely sensitive data, including that of U.S. military personnel.”

In response, CFPB Director Rohit Chopra issued a press release declaring, “this year, [CFPB] will be proposing new rules to rein in these abuses that will safeguard families and our national security.”

DOJ Directed to Carry Out Significant Portions of the EO

The EO tasks the U.S. Department of Justice (DOJ) with carrying out much of the oversight and enforcement provisions. In addition to authorizing the Attorney General to prohibit large-scale data transfers to specific countries, the EO directs the DOJ to “issue regulations that establish greater protection of sensitive government-related data, including geolocation information on sensitive government sites and information about military members.”

The DOJ is also directed to collaborate with the Department of Homeland Security to “set high security standards to prevent access by countries of concern to Americans’ data through other commercial means, such as data available via investment, vendor, and employment relationships.”

Following the announcement of the EO, the DOJ issued a press release confirming it will, in consultation with other federal agencies, take proactive steps to issue regulations that “prohibit, or otherwise restrict, certain categories of data transactions that pose an unacceptable risk to national security.”

According to the DOJ’s press release, the National Security Division will be tasked with implementing the EO’s provisions on behalf of the Attorney General. The National Security Division plans to issue an Advance Notice of Proposed Rulemaking (ANPRM) describing the initial categories of transactions involving bulk sensitive personal data or certain U.S. Government-related data as outlined in the EO.

In addition, the DOJ plans to seek public comment on items the agency contemplates regulating, including “prohibitions on data brokerage and transfers of genomic data, and restrictions on vendor, employment, and investment agreements.”

The DOJ goes on to state that the expected data transfer review program “will not be administered through a case-by-case review of data transactions. Instead, [DOJ] regulations will establish generally applicable and transparent rules for engaging in specific categories of data transactions with certain countries of concern or covered persons subject to their jurisdiction.”

Personal Data Included in the EO

The EO focuses on “personal and sensitive” information, including:

  • Biometric data
  • Financial data
  • Genomic data
  • Geolocation data
  • Personal health data
  • Certain types of personally identifiable information

Notably, according to a fact sheet issued by the DOJ, the scope of “sensitive personal data” will not include the following:

  • Data that is a matter of public record, such as court records or other government records
  • Data that is lawfully and generally available to the public
  • Personal communications under 50 U.S.C. § 1702(b)(1)
  • Expressive information under 50 U.S.C. § 1702(b)(3), such as videos, artwork, or publications

Data Agreements in the Crosshairs

The reference to “vendor agreements” in both the EO and the DOJ’s ANPRM should be noted by data brokers and by companies that transfer personal data through third-party vendors or service providers. The DOJ’s ANPRM is expected to seek restrictions on three types of agreements associated with large-scale data transfers:

  1. Vendor agreements involving the provision of goods and services (including cloud-service agreements)
  2. Employment agreements
  3. Investment agreements

The security requirements applicable to these transactions are to be established by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). The security requirements will be designed to mitigate the risk of access by countries of concern or covered persons and may include cybersecurity measures such as “basic organizational cybersecurity posture requirements, physical and logical access controls, data masking and minimization, and the use of privacy-preserving technologies.”

Exempted Data Transactions

Pursuant to the EO and the ANPRM, there will be “several across-the-board exemptions” for specific data transactions. Data transfers excluded from the DOJ’s regulatory jurisdiction include those that are:

  1. Ordinarily incident to, and part of, financial services, payment processing, and regulatory compliance (e.g., banking, capital-markets, or financial-insurance activities; financial activities under the purview of other regulators; the provision or processing of payments involving the transfer of personal financial data or covered personal identifiers for the purchase and sale of goods and services; and legal and regulatory compliance)
  2. Ordinarily incident to, and part of, ancillary business operations (such as payroll or human resources) within multinational U.S. companies
  3. Activities of the U.S. government and its contractors, employees, and grantees (e.g., federally funded health and research activities, which the funding agencies will regulate themselves)
  4. Transactions required or authorized by federal law or international agreements (such as the exchange of passenger-manifest information, INTERPOL requests, and public health surveillance)

In addition, the forthcoming ANPRM contemplates exempting certain investments that “do not convey the rights or influence that ordinarily pose an unacceptable national-security risk of giving countries of concern or covered persons access to sensitive personal data.”

Complying with DOJ’s Proposed Regulations

According to the DOJ, the contemplated data transfer review program “would not prescribe general due-diligence requirements, affirmative recordkeeping requirements, or affirmative reporting requirements.” Rather, the contemplated program would be modeled on the IEEPA-based economic-sanctions programs administered by the Department of the Treasury’s Office of Foreign Assets Control.

The DOJ’s ANPRM envisions U.S. companies and individuals “developing and implementing compliance programs” tailored to their individual risk profiles. Those risk profiles would take into account factors such as the overall size and sophistication of the operation, its geographic location(s), its specific products and services, and its customers and counterparties.

Viability of the DOJ’s Proposed Regulatory Framework

The major unanswered question about the DOJ’s proposal is whether this compliance model would work. Based on the information available, the proposal has several holes and weaknesses, though it is not designed to be impermeable or unbreakable.

Instead, as Deputy Attorney General Lisa Monaco said, “The Justice Department has long focused on preventing threat actors from stealing data through the proverbial back door. This executive order shuts the front door.” As an analogy, speed limit signs do not prevent speeding, but they do establish expectations and grounds for punishment.

Penalties for Non-Compliance

According to the ANPRM, the DOJ is considering establishing civil penalties for violations and non-compliance. The specific penalty for a violation “would depend on the facts and circumstances of the violation, including the adequacy of any compliance program.”

Looking Ahead

The DOJ released its ANPRM, which is being published in the Federal Register with a 45-day period for public comment. Once the public comment period closes, the DOJ will consider submitted comments on the ANPRM while preparing and issuing a notice of proposed rulemaking (NPRM).

Following the NPRM, there will be further review and preparation for a final rule. Companies and individuals will be required to comply with the regulations once the final rule goes into effect.

Patrick Austin is Of Counsel and John Pilch is a Cybersecurity/Privacy Analyst at Woods Rogers Vandeventer Black PLC. This post first appeared on the firm’s blog.

The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author(s), and any liability with regard to infringement of intellectual property rights remains with the author(s).