On Wednesday, February 28th, 2024, President Biden issued an Executive Order on Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern (the “EO”). The purpose of the EO is to restrict the mass transfer of certain types of Americans’ personal data to, and to curb access to United States Government-related data by, “Countries of Concern.” The EO is based on the President’s authority under the International Emergency Economic Powers Act, the same authority used to impose sanctions on certain countries, such as Iran, Russia, and North Korea.
The EO directs the U.S. Department of Justice (“DOJ”) to issue implementing regulations, including prohibiting or otherwise restricting U.S. persons from engaging in certain categories of transactions that involve U.S. Government-related data or bulk sensitive personal data. DOJ issued an Advance Notice of Proposed Rulemaking (“ANPRM”) that identifies China (including Hong Kong), Russia, North Korea, Iran, Cuba, and Venezuela as Countries of Concern. DOJ proposes to define “bulk U.S. sensitive personal data” to include personal identifiers, geolocation and related sensor data, biometric identifiers, personal health data, and personal financial data. DOJ proposes to define “United States Government-related data” as including “precise geolocation data” associated with “military, other government, or other sensitive facilities or locations” and “sensitive personal data” linked or linkable to “current or recent former employees or contractors, or former senior officials, of the U.S. government, including the military,” and intelligence community.
DOJ’s ANPRM identifies the commercial agreements that would be subject to restrictions, namely investor, vendor, and employment relationships. These agreements would be subject to “security requirements” to be issued by the Cybersecurity and Infrastructure Security Agency (CISA).
Similar to U.S. sanctions programs administered by the U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”), DOJ expects to require U.S. persons (including companies) to maintain certain types of records associated with certain data transactions or transactions conducted pursuant to a general or specific license.
In announcing the EO, administration officials emphasized that no data or transactions will be immediately cut off or limited, and that the EO is a framework under which DOJ will issue final rules. Additionally, the EO exempts from regulation certain types of financial services data transactions, and DOJ’s ANPRM is contemplating further exempting data transfers relating to the ancillary operations of multinational companies, such as payroll.
Written comments must be submitted within 45 days of publication of the ANPRM in the Federal Register.