New Executive Order Protecting US Personal Data: Implications for Foreign Investment Reviews

On February 28, 2024, President Biden issued Executive Order 14117 aimed at preventing bulk transfers of sensitive personal data to countries of concern. 

“Sensitive personal data” is defined generally as: covered personal identifiers; geolocation and related sensor data; biometric identifiers; “human ‘omic data” (i.e., data gathered from humans that characterizes or quantifies human biological molecules, such as genomic data); personal health data; or personal financial data. In each case, the data must be linked or linkable to any identifiable US individual or to a discrete and identifiable group of US individuals, such that it could be exploited by a country of concern to harm US national security.

Principal responsibility for implementation of the Order falls on the US Department of Justice, but other agencies whose portfolios involve sensitive personal data will also play important roles. DOJ has issued an Advance Notice of Proposed Rulemaking (ANPRM) and will be soliciting public comments until April 19, 2024.

Our colleagues in Linklaters’ Technology, Media, and Telecommunications practice have issued a separate client alert summarizing several key elements of the Order; in this post, we highlight some of the Order’s implications for US foreign investment controls.

Committee on Foreign Investment in the United States 

One question is how the Order’s definition of “sensitive personal data” could inform CFIUS’s definition of the term. CFIUS’s current definition includes both quantitative and qualitative thresholds, some of which overlap with those in the Order, but we’ve been told by CFIUS leadership to expect updates to the CFIUS regulations in the coming year. DOJ’s regulations implementing the Order could therefore serve as a model for an expansion of the CFIUS definition. Some examples:

  • CFIUS’s current definition includes personally identifiable genetic data, but both the Order and the ANPRM refer to “human ‘omic data” that goes beyond human genomic data to include other medical profile data such as epigenomic data, proteomic data, transcriptomic data, microbiomic data, and metabolomic data.
  • Both the Order and ANPRM contemplate the inclusion of identifiable biometric data, which is not one of CFIUS’s current qualitative tests.
  • Except for (i) genetic data or (ii) data collected specifically from US government agencies, personnel, or contractors with defense, intelligence, national security, or homeland security responsibilities, CFIUS’s current definition relies on a quantitative threshold of at least 1 million individuals. The ANPRM, by comparison, is contemplating a range of quantitative thresholds for “bulk” data that may be as low as 100 individuals for genomic, biometric, and precise geolocation data.

Notably, we are approaching the fourth anniversary of then-President Trump’s order, following a CFIUS review, that ByteDance Ltd. divest its interest in Musical.ly, through which the popular TikTok app is supported in the United States. The order has been challenged in federal court, but in the meantime, the Biden administration and ByteDance have been negotiating toward a settlement. The CFIUS recommendation to President Trump appears to have been driven at least in part by data security concerns. Whether the Order and its implementation will help or hinder resolution of the TikTok question remains to be seen.

Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector (Team Telecom)

While the Order and ANPRM speak to a number of sectors in which sensitive personal data may be collected, the Order also explicitly addresses the transfer of such data by undersea cables. Team Telecom assesses any potential national security and law enforcement implications before the Federal Communications Commission (FCC) will grant or approve the transfer of certain types of telecom licenses to foreign parties; in some cases, FCC approval will be conditioned on terms identified by Team Telecom. The Order calls on Team Telecom to increase its focus on undersea cable licenses involving ownership, operation, or third-party access by countries of concern. Implementation of this part of the Order will be outside the scope of the ANPRM, though DOJ is a key member of Team Telecom.

* * *

This is not the first executive order issued in the past year that may have implications for US government reviews of inbound foreign investments; the same could be said for the definition of technologies that fall within the scope of the outbound foreign investment regime that President Biden introduced last August in Executive Order 14105. Parties that handle sensitive personal data should keep a close watch on how this latest executive order is implemented by DOJ and then on how CFIUS and Team Telecom respond.