On February 28, 2024, President Biden signed Executive Order 14117 (the Order) aimed at protecting Americans’ sensitive personal data and U.S. Government-related data from exploitation by “countries of concern.” This move constitutes a transformative overhaul in the U.S. approach to data regulation and creates the foundation for a comprehensive regulatory structure governing U.S. data.

The Order instructs the Attorney General to issue regulations that prohibit or restrict U.S. persons from transferring Americans’ personal data to “countries of concern” or “covered persons,” including engaging in any acquisition, holding, use, transfer, transportation, or exportation of, or dealing in, any property in which a foreign country or national thereof has any interest (“a transaction”), where the transaction:

  • involves bulk sensitive personal data or U.S. Government-related data, as defined by the Attorney General; and
  • is in a class of transactions that has been determined by the Attorney General to pose an unacceptable risk to national security because it may enable access by countries of concern or covered persons to Americans’ bulk sensitive personal data or U.S. Government-related data.

The Order exempts certain classes of transactions that are less likely to pose these unacceptable national-security risks, including financial-services transactions, and authorizes the Attorney General to exempt additional classes of transactions. Reiterating its broad support for cross-border data flows, the Order prohibits the Attorney General from imposing generalized data-localization requirements to store Americans’ bulk sensitive personal data or government-related data within the United States.

On the same day the Order was issued, the Department of Justice issued an Advance Notice of Proposed Rulemaking (the ANPRM) to preview and seek stakeholder input on the program that it proposes to establish to implement the Order. The ANPRM proposes listing China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela as countries of concern. It suggests defining covered persons to include entities that are 50 percent or more owned, directly or indirectly, by a country of concern, or that are organized or chartered under the laws of, or have their principal place of business in, a country of concern, along with certain other categories.

Transactions involving “bulk sensitive personal data or U.S. government-related data” would be prohibited or restricted to countries of concern and covered persons. The term “bulk U.S. sensitive personal data” would include six categories of data: U.S. persons’ covered personal identifiers, personal financial data, personal health data, precise geolocation data, biometric identifiers, and human genomic data. The ANPRM seeks comment on what the thresholds for “bulk” data would be. The term “U.S. government-related data” would include 1) geolocation data associated with certain military, other government, and sensitive facilities; and 2) sensitive personal data that is marketed as linked or linkable to current or recent former employees or contractors, or former senior officials, of the U.S. government, including the military and intelligence community.

In the ANPRM, the U.S. Department of Justice (DOJ) contemplates establishing a program with two categories of transactions. The first category would be transactions involving “bulk sensitive data or U.S. government-related data” that would be prohibited altogether with respect to countries of concern or covered persons (“prohibited transactions”). These prohibited transactions would include 1) data brokerage transactions; and 2) any transaction that provides a country of concern or covered person with access to bulk human genomic data or human biospecimens from which that human genomic data can be derived. The second category would be transactions that would otherwise be prohibited, except to the extent they comply with predefined security requirements (“restricted transactions”). Restricted transactions would include vendor agreements, employment agreements, and investment agreements, whose risks can be mitigated through appropriate security-related conditions in these agreements. The program would provide a process for the DOJ to issue licenses to exempt certain transactions.

The ANPRM gives several examples of transactions that would be prohibited under this framework:

  • a U.S. data broker sells bulk U.S. sensitive personal data to an entity headquartered in a country of concern;
  • a U.S. data broker enters into an agreement that gives a covered person a license to access government-related data held by the U.S. company; or
  • a U.S. data broker maintains a database of bulk U.S. sensitive personal data and offers an annual membership to a covered person.

Interaction with Existing Authorities

The proposed rules have considerable crossover with the Committee on Foreign Investment in the United States (CFIUS) and the Committee for the Assessment of Foreign Participation in the U.S. Telecommunications Services Sector (Team Telecom) regulatory review frameworks, and to a lesser extent, the Department of Commerce’s ICTS program and export control laws. Under the Order, many of these regulators are tasked with coordinating with each other and with the DOJ with respect to sensitive data issues, and, in a few cases, with taking a more aggressive approach to pre-existing reviews. For example, Team Telecom is mandated to prioritize the review of existing licenses for submarine cable systems that are owned or operated by persons owned by, controlled by, or subject to the jurisdiction or direction of a country of concern, or that terminate in the jurisdiction of a country of concern. The Order also calls for Team Telecom to assess and update its review policy for such submarine cable license applications going forward.

The Order extends the case-by-case data security reviews that the DOJ already regularly performs as a participant in the CFIUS and Team Telecom processes into a more systematic review process. While those latter reviews address data security risks on a case-by-case basis (i.e., when the acquisition of U.S. businesses or licenses creates those risks), the ANPRM calls for a more categorical approach to prohibitions of specified data transfers.

Key Takeaways

The Order and ANPRM mark a significant shift in the U.S. government’s regulation of personal data and empower the DOJ to implement a comprehensive regulatory structure to address the issue of bulk data transfer to entities that are owned or controlled by potential adversaries. The contemplated restrictions may create significant diligence and compliance requirements for companies that transfer data abroad. In particular:

  • International commercial technology transactions and investments are likely to be significantly impacted: Companies that do business in countries of potential concern to the U.S. government, such as China and Russia, are already familiar with the obligation to consider, e.g., what technologies they send abroad. However, this proposed “export control for data” regime is entirely new. Many companies that have pre-existing foreign joint ventures or already engage in significant cross-border collaboration may not have evaluated their data exchanges in light of these kinds of security concerns. And going forward, just as companies with business partners in China evaluate U.S. export control laws to ensure proper technology transfer, companies will need to assess compliance with these regulations before undertaking any data transfers or establishing data flows across borders. This regulatory framework may ultimately have a profound impact on the way businesses approach cross-border data movements and international operations involving sensitive data.
  • Companies should review their data compliance practices: Most companies that handle Americans’ bulk sensitive personal data are likely to be affected by this proposed rule, spanning industries such as finance, hospitality, communications, and healthcare, among others. Such companies should consider establishing or enhancing their compliance programs to prevent bulk data violations and potential exposure to DOJ penalties. Similar to how export control regulations may influence companies’ decisions on where to operate, these proposed data regulations are poised to become a key consideration in international business planning. The DOJ is considering a model in which U.S. companies and individuals are expected to develop and implement compliance programs based on their individualized risk profiles, which may vary depending on factors such as size, sophistication, product and service offerings, customers and counterparties, and geographic location.
  • Significant carve-outs are proposed: A series of exemptions from these requirements are outlined in the ANPRM, including data transactions involving certain kinds of data, such as personal communications or informational materials; transactions for the conduct of U.S. government business; financial-services, payment-processing, and regulatory-compliance-related transactions; intra-entity transactions incident to business operations (e.g., sharing employees’ covered personal identifiers for human resources purposes, or sharing data with auditors and law firms for regulatory compliance); and transactions required or authorized by federal law or international agreements. Despite these proposed exemptions, it seems likely that the DOJ will maintain the overriding authority to prohibit any specific data exchanges that are deemed a national security risk.
  • The proposed definitions are far-reaching: The DOJ proposes to define “bulk U.S. sensitive personal data” as “a collection or set of data relating to U.S. persons, in any format, regardless of whether the data is anonymized, pseudonymized, de-identified, or encrypted…[.]” This proposed definition means that anonymizing, de-identifying, or encrypting data within these categories is not sufficient to exempt companies from meeting this definition, thereby capturing a broader range of companies. The DOJ’s proposed definition of “data brokerage” is similarly expansive: “the sale of, licensing of access to, or similar commercial transactions involving the transfer of data from any person (the provider) to any other person (the recipient), where the recipient did not collect or process the data directly from the individuals linked or linkable to the collected or processed data.” This expansive scope of “data brokerage” isn’t limited to resellers; it also captures scenarios where access is furnished to any recipient who did not themselves collect the data from the subjects directly.
  • Expect foreign governments to take note: The establishment of this program may prompt foreign governments to adopt or expand similar safeguards around sensitive data access.

The deadline to submit comments on the ANPRM is 45 days after Federal Register publication. Wilson Sonsini Goodrich & Rosati routinely helps clients navigate complex regulatory schemes and manage risks related to the enforcement of privacy and data protection laws. For more information, please contact Maneesha Mithal, Chris Olsen, Joshua Gruenspecht, Demian Ahn, Kara Millard, Boniface Echols, or any member of the firm’s privacy and cybersecurity or national security practices.