US – Executive Order establishes guardrails to protect Americans’ sensitive personal data

In response to America’s “significant digital footprint,” on February 28, 2024, the White House issued a landmark data protection executive order on “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government Data by Countries of Concern” (Sensitive Data Executive Order or the EO).

The Sensitive Data Executive Order comes four months after the White House’s executive order on “Safe, Secure, and Trustworthy Artificial Intelligence” (AI Executive Order), and many elements of the AI Executive Order also permeate the Sensitive Data Executive Order. The Sensitive Data Executive Order requires the Attorney General to publish proposed regulations by August 26, 2024.

What is the Purpose of the EO?

The Sensitive Data Executive Order is intended to address serious data protection risks – in particular, risks to national security, foreign policy, privacy, and human rights and freedoms – posed by the ability of “countries of concern” to (i) access Americans’ sensitive personal data and United States Government-related data and (ii) utilize such data both (a) to engage in malicious activities and (b) to “identify other potential strategic advantages over the United States.”

Although the Sensitive Data Executive Order itself does not identify any particular “countries of concern,” the DOJ’s press release on the EO identifies China, Russia, North Korea, Cuba, Iran, and Venezuela as the contemplated “countries of concern.”

The EO seeks to regulate the ability of countries of concern to buy or access Americans’ sensitive personal data, including through commercial vendor agreements involving the sale of goods or services, as well as through employment or investment relationships. Our US Foreign Investment team discusses in detail the implications for US foreign investment controls in a separate client alert.

Who does the EO Impact?

Data Brokers

The Sensitive Data Executive Order expressly provides that entities in the data broker industry “pose a particular risk of contributing to the national emergency” described in the EO. Data brokers, companies that specialize in the collection and sale of personal and other data, have access to extensive, rich data sets covering personal information, including contact information, biographical information, health data, geolocation, social media activity, online browsing history, purchase history, and personal preferences, drawn from a variety of sources.

In the press briefing announcing the EO, the White House press secretary stated that “Buying data through data brokers is currently legal in the United States, and that reflects a gap in our national security.”

Note that the EO “encourages” the Director of the Consumer Financial Protection Bureau (CFPB) to consider taking steps to address the particular risk posed by data brokers and to enhance compliance with federal consumer protection law. This builds on the substantial privacy-related activity the CFPB conducted in the second half of 2023. In particular, the CFPB released an outline of proposals intended to address certain questionable data broker practices involving sensitive personal data, AI systems and automated decision-making technology that were technically permitted by gaps in the Fair Credit Reporting Act (FCRA). 

The DOJ’s proposed implementing regulations will seek public comments on the prohibition of data brokerage transactions involving sensitive personal data and transactions involving the transfer of genomic data. They will also seek public comments on ways to reasonably restrict other types of sensitive personal data transactions facilitated through vendor, employment and investment agreements. The key consideration will be balancing the huge volume of cross-border commerce and the desire for innovation against US national security and privacy interests.

There are a number of other industries that may be significantly impacted. We highlight several of these industries below:

Telecommunications and network infrastructure

The EO (i) highlights risks with respect to the transmission of data via submarine cables owned or operated by, subject to the jurisdiction or control of, or terminating in the jurisdiction of a country of concern and (ii) tasks Team Telecom (the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector) with (a) reviewing existing licenses for such submarine cable systems, (b) issuing policy guidance for reviews of license applications and existing licenses for such submarine cable systems, and (c) addressing the associated national security and law enforcement risks. For more on the implications for US foreign investment controls, see our separate client alert.

Submarine cables (fiber optic cables on the ocean floor), rather than satellites, carry over 95% of global communications, including private sector, military and government data as well as Internet and voice traffic,[1] and are capable of carrying multiple terabits of data per second.[2]

Healthcare

The EO (i) notes that advances in technology increasingly enable countries of concern to exploit health information, including by re-identifying or de-anonymizing data that has previously been anonymized, pseudonymized, or de-identified, (ii) directs multiple federal agencies to take steps to protect sensitive personal health data and human genomic data, and (iii) directs a group of Executive Office directors to assess the risks and benefits of regulating transactions involving certain types of humanomic data and to recommend the extent to which such transactions should be regulated.

Connected and Autonomous Vehicles

While this industry is not expressly mentioned in the EO, it seems likely to be significantly affected, given the inclusion of “geolocation and related sensor data” in the definition of “sensitive personal data,” coupled with the massive amount of data processed by such vehicles.

Industry Carveouts Limiting the EO’s Scope

The Sensitive Data Executive Order exempts certain categories of data transactions to facilitate low-risk commercial activity and minimize any unintended business or market impacts. For example, data transactions that are incidental to financial services transactions are not caught by the EO. This could include HR/payroll transactions to employees based outside of the United States. Additionally, the EO is not intended to disrupt open scientific research or an open and secure Internet. Likewise, data transactions involving personal communications would be exempt.

What are the EO’s Key Elements?

Details TBD: As with the AI Executive Order, much of the substance of the Sensitive Data Executive Order will need to be fleshed out by the various federal departments and agencies tasked by the EO, in particular the U.S. Attorney General and the Secretary of Homeland Security. In terms of next steps, the DOJ’s National Security Division plans to issue a notice of proposed rulemaking detailing the initial categories of transactions involving bulk sensitive personal data or certain US Government-related data per the EO.[3] As part of the rulemaking process, the DOJ would seek public comment on the prohibitions on data brokers and transfers of genomic data, as well as restrictions on vendor, employment, and investment agreements.

Prohibited or Restricted Transactions: Regulations to be issued by the Attorney General pursuant to the Sensitive Data Executive Order will, subject to limited exemptions, prohibit or restrict Americans from engaging in certain transactions in which a foreign country has an interest that involve bulk sensitive personal data or United States Government-related data sharing and are determined to pose an unacceptable risk to the national security of the United States based on the ability of “countries of concern” or “covered persons” to access such data. DOJ Deputy Attorney General Lisa Monaco remarked that the Order “make[s] clear that American citizens' sensitive and personal data is not for sale to our adversaries.”[4]

Definitions: The term “sensitive personal data” means “covered personal identifiers, geolocation and related sensor data, biometric identifiers, humanomic data, personal health data, personal financial data, or any combination thereof…that could be exploited by a country of concern to harm United States national security if that data is linked or linkable to any identifiable United States individual or to a discrete and identifiable group of United States individuals.” The inclusion of geolocation data, biometric data, and personal health data aligns with other recent legal and regulatory initiatives, and the inclusion of humanomic data – defined by the EO as “data generated from humans that characterizes or quantifies human biological molecule(s)” – aligns with the AI Executive Order’s focus on biosecurity and biological weapons.

Security Requirements and NIST: For transactions that are restricted rather than prohibited, the Department of Homeland Security is tasked with publishing security requirements to address the unacceptable risks posed by such transactions, with such requirements to be based on the Cybersecurity and Privacy Frameworks developed by the National Institute of Standards and Technology (NIST).

  • This represents further support for NIST frameworks and standards, following the AI Executive Order, which (i) charged NIST with establishing critical testing standards, (ii) contemplated NIST frameworks as foundational resources for the establishment of guidelines and best practices, and (iii) incorporated certain NIST practices and principles.
  • In a somewhat timely development, NIST released v. 2.0 of its Cybersecurity Framework just two days before the Sensitive Data Executive Order. This version represents the first update to that framework in more than five years.

Key Exclusions: Ostensibly as part of the balancing efforts, the Sensitive Data Executive Order expressly provides that such security requirements shall not include generalized data localization requirements. In practice, this means that there is no requirement to store or host data on servers or data centers located in the United States. Likewise, there is no prohibition on storing US sensitive personal data in data centers located overseas, including in countries of concern. This represents a contrast with the data localization requirements established by other countries, notably China and Russia, and even the EU’s restrictions under the GDPR on the transfer and storing of EU personal data outside of the EU.

Concern with AI: In addition to the common elements that it shares with the AI Executive Order, the Sensitive Data Executive Order is underpinned by AI considerations, including the ability of countries of concern both (i) to utilize AI and other advanced technologies to exploit bulk sensitive personal data and US Government-related data and (ii) to utilize bulk data sets to develop and enhance their own AI and advanced technology initiatives in ways that could potentially detriment US national security.

Takeaways

The Sensitive Data Executive Order represents a significant step in the current Administration’s efforts to address risks posed by the complex and constantly evolving data and technology ecosystem, and to balance those risks against the fundamental goals of innovation and leadership. It also represents another example of the substantial legislative and regulatory focus on certain elements of the data and technology landscape.

As US Government agencies propose implementing regulations, companies should participate in the rulemaking process and consider potential impacts to their cross-border business. This includes updating existing data maps – both the categories of data, especially sensitive personal data and US Government-related data, and the data flows within the organization and to third parties. Similarly, companies should review the audit and security controls in place over their data. This is a priority for companies handling sensitive personal data, including health/biometric, financial, government and/or geolocation data, as well as for companies that contract with or consult for the federal government. If you’d like to discuss any of the issues raised by the Sensitive Data Executive Order, please reach out to one of our Key Contacts to schedule a call at your earliest convenience.


[1] “Submarine Cables,” National Oceanic and Atmospheric Administration, US Department of Commerce (Feb. 22, 2024), available at: https://www.noaa.gov/submarine-cables.

[2] “The Battle for Bandwidth: Submarine Cable and Broadband Satellite Data,” New Space Economy (Aug. 13, 2023), available at: https://newspaceeconomy.ca/2023/08/13/the-battle-for-bandwidth-submarine-cable-and-broadband-satellite-data.

[3] DOJ Office of Public Affairs, “Justice Department to Implement Groundbreaking Executive Order Addressing National Security Risks and Data Security” (Feb. 28, 2024), available at: https://www.justice.gov/opa/pr/justice-department-implement-groundbreaking-executive-order-addressing-national-security.

[4] See id.