On Wednesday, February 28th, 2024, President Biden issued an Executive Order on Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern (the “EO”).  The purpose of the EO is to restrict the mass transfer of certain types of Americans’ personal data to, and to curb access to United States Government-related data by, “Countries of Concern.”  The E.O. is based under the President’s authority under the International Emergency Economic Powers Act, the same authority used to impose sanctions on certain countries, such as Iran, Russia, and North Korea.

The E.O. directs the U.S. Department of Justice (“DOJ”) to issue implementing regulations, including prohibiting or otherwise restricting U.S. persons from engaging in certain categories of transactions that involve U.S. Government-related data or bulk sensitive personal data.  DOJ issued an Advance Notice of Proposed Rulemaking (“ANPRM”) that identifies China (including Hong Kong), Russia, North Korea, Iran, Cuba, and Venezuela as Countries of Concern.  DOJ proposes to define “bulk US. sensitive personal data” to include personal identifiers, geolocation and related sensor data, biometric identifiers, personal health data, and personal financial data. DOJ proposes to define “United States Government-related data” as including “precise geolocation data” associated with “military, other government, or other sensitive facilities or locations” and “sensitive personal data” linked or linkable to “current or recent former employees or contractors, or former senior officials, of the U.S. government, including the military,” and intelligence community. 

DOJ’s ANPRM specifies specific commercial agreements that would be subject to restrictions, specifically investor, vendor, and employment relationships, which agreements would be subject to “security requirements,” to be issued by the Cybersecurity and Infrastructure Security Agency (CISA).

Similar to U.S. sanctions programs administered by the U.S. Treasury Department’s Office of Foreign Assets Controls (“OFAC”), DOJ expects to require U.S. persons (including companies) to maintain certain types of records associated with certain data transactions or transactions conducted pursuant to a general or specific license. 

In announcing the E.O., administration officials emphasized that no data or transactions will be immediately cut off or limited, and that the E.O. is a framework under which DOJ will issue final rules. Additionally, the EO exempts from regulation certain types of for financial services data transactions, DOJ’s ANPRM is contemplating further exempting data transfers relating to the ancillary operations of multinational companies, such as payroll.

Written comments must be submitted within 45 days of publication of the ANPRM in the federal register.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Anand Sithian Anand Sithian

For high-stakes internal and government investigations and complex regulatory and compliance matters, companies and individuals look to Anand to provide strategic advice and counseling, particularly on issues relating to the Bank Secrecy Act and Anti-Money Laundering (“BSA/AML”), economic sanctions, and digital assets. Anand

For high-stakes internal and government investigations and complex regulatory and compliance matters, companies and individuals look to Anand to provide strategic advice and counseling, particularly on issues relating to the Bank Secrecy Act and Anti-Money Laundering (“BSA/AML”), economic sanctions, and digital assets. Anand is resident in the firm’s New York office and a member of the firm’s International Trade, White Collar and Regulatory Enforcement, and Financial Services groups.

A former federal prosecutor, Anand leverages his government experience to guide clients through complex white-collar matters, including grand jury and regulatory investigations, enforcement proceedings, and internal investigations. Anand has deep experience in parallel criminal and civil investigations and proceedings, and often represents clients in defending against civil lawsuits related to government investigations.

Representing some of the world’s largest banks and technology companies, Anand has addressed a wide range of issues, including economic sanctions, BSA/AML; economic sanctions and national security; payments and cryptocurrency; securities laws; and cybersecurity enforcement. In the regulatory space, Anand prides himself on providing commercial and actionable advice, including in the developing areas of digital assets, FinTech, and payments.

Photo of Neda Shaheen Neda Shaheen

Neda M. Shaheen is an associate in the Washington, D.C. office of Crowell & Moring, and is a member of the Privacy and Cybersecurity and International Trade Groups. Neda focuses her practice on representing her clients in litigation and strategic counseling involving national…

Neda M. Shaheen is an associate in the Washington, D.C. office of Crowell & Moring, and is a member of the Privacy and Cybersecurity and International Trade Groups. Neda focuses her practice on representing her clients in litigation and strategic counseling involving national security, technology, cybersecurity, trade and international law. Neda joined the firm after working as a consultant at Crowell & Moring International (CMI), where she supported a diverse range of clients on digital trade matters concerning international trade, national security, privacy, and data governance, as well as advancing impactful public-private partnerships.