White House Executive Order on Access to Sensitive Personal Data and Related Government Data

On February 28, 2024, the White House issued Executive Order 13873 on Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government Related Data by Countries of Concern (the EO), following its press release. In particular, the EO sets out a policy of limiting access by countries of concern to Americans' sensitive personal data and government data when such access poses an unacceptable risk to national security. The EO maintains that unrestricted data transfers to countries of concern can lead to the exploitation of sensitive personal data through intermediaries, supplier agreements, employment agreements, investment agreements, or other agreements.

The EO also underscores the risk posed by entities that are owned or controlled by, or subject to the jurisdiction or direction of, a country of concern, which may indirectly access sensitive personal data and government data. The United States Department of Justice (DoJ) extensively detailed the scope of the EO. In particular, the EO specifies that it does not allow for generalized data localization requirements and does not prohibit specific commercial transactions, as detailed by the DoJ.

What are Prohibited and Restricted Transactions?

The EO states that the provisions on prohibited and restricted transactions bar US persons from engaging in any acquisition, holding, use, transfer, carriage, or export of, or dealing in, any property in which a foreign person or country has an interest, where the transaction:

  • involves sensitive personal data or government data;
  • is part of a class of transactions determined by the Attorney General of the United States (AG) to represent an unacceptable risk to national security;
  • has been initiated, is pending, or will be completed after the effective date of the regulations to be issued by the AG;
  • does not fall within the exemption provided by regulations to be issued by the AG;
  • is not ordinarily incident to and part of the provision of financial services, including banking services, financial markets, and financial insurance services, or required for legal compliance.

AG Actions

The EO directs the AG to publish within 180 days of the EO a proposed rule outlining:

  • classes of transactions that represent an unacceptable risk to national security and are prohibited;
  • classes of transactions that represent an unacceptable risk to national security but are adequately mitigated by security requirements;
  • countries of concern and classes of persons covered by the EO;
  • mechanisms for providing clarity to persons affected by the EO;
  • licenses authorizing transactions otherwise prohibited or restricted.

Sensitive Personal Data

Additionally, the EO provides actions to address the risk of access to sensitive personal data by countries of concern, including:

  • directing the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector to review existing licenses for submarine cable systems owned or operated by covered persons;
  • directing the Departments of Defense, Health and Human Services, and Veterans Affairs to issue regulations, guidelines, or orders on access to health data and genomic data; and
  • directing the Consumer Financial Protection Bureau (CFPB) to take steps to improve consumer protection law compliance regarding the data brokerage industry and bulk access to sensitive personal data.

Definitions

The EO provides a series of definitions, some of which will be defined in regulations issued by the AG.

  • 'Covered Person' is defined as:

    • an entity owned, controlled, or subject to the jurisdiction or direction of a country of concern;
    • a foreign person who is an employee or contractor of such entity;
    • a foreign person who is an employee or contractor of a country of concern;
    • a foreign person who primarily resides in the territorial jurisdiction of a country of concern; or
    • any person designated by the Attorney General as owned, controlled, or subject to the jurisdiction or direction of a country of concern, as acting on behalf of or purporting to act on behalf of a country of concern or another covered person, or as causing or directing, directly or indirectly, a violation of this order or any regulation implementing this order.
  • 'Sensitive Personal Data' is considered to include covered personal identifiers, geolocation data and sensor-related data, biometric identifiers, 'omic' human data, personal health data, personal financial data, or any combination thereof, as further defined in regulations issued by the AG.

Update: March 1, 2024

The CFPB confirms plan to create rules to limit some data sellers' activities

On February 28, 2024, the Consumer Financial Protection Bureau (CFPB) announced that, in line with the EO, it will propose rules to limit some data sellers' activities, including those selling personal data abroad. In particular, CFPB Director Rohit Chopra stated, "The executive order calls on the CFPB to use its legal authorities to provide greater protections. This year, we will propose new rules to curb these abuses that will safeguard families and our national security."

Below is the letter sent to Congress on the EO.

MESSAGE TO CONGRESS ON PREVENTING ACCESS TO AMERICANS' BULK SENSITIVE PERSONAL DATA AND UNITED STATES GOVERNMENT RELATED DATA BY COUNTRIES OF CONCERN

TO THE CONGRESS OF THE UNITED STATES:

Under the International Emergency Economic Powers Act (50 U.S.C. 1701 et seq.) (IEEPA), the National Emergencies Act (50 U.S.C. 1601 et seq.), and section 301 of title 3, United States Code, I hereby report that I have issued an Executive Order that expands the scope of the national emergency declared with Executive Order 13873 of May 15, 2019 (Securing the Information and Communications Technology and Services Supply Chain), and further addressed with additional measures in Executive Order 14034 of June 9, 2021 (Protecting Sensitive Data of Americans from Foreign Adversaries).

The ongoing efforts of certain countries of concern to access Americans' sensitive personal data and United States government data constitute an unusual and extraordinary threat, which has its source in whole or in substantial part outside the United States, to the national security, foreign policy, and economy of the United States. Access to Americans' sensitive personal data or government data enhances countries of concern's ability to engage in a wide range of harmful activities, including espionage, influence, kinetic or cyber operations, or to identify other potential strategic advantages against the United States.

To address this threat and to take further steps in relation to the national emergency declared with Executive Order 13873, the order authorizes the Attorney General, in coordination with the Secretary of Homeland Security and in consultation with the heads of relevant agencies, to issue, subject to public notice and comment, regulations to prohibit or otherwise limit large-scale transfers of Americans' personal data to countries of concern and to provide assurances around other activities that may give those countries access to sensitive data. Section 2(b) of the order authorizes the Attorney General, in consultation with the heads of relevant agencies, to take such actions, including issuing rules and regulations and using all other powers granted to the President by the IEEPA, as may be necessary or appropriate to carry out the purposes of the order.

Additionally, section 2(d) of the order authorizes the Secretary of Homeland Security, through the Director of the Cybersecurity and Infrastructure Security Agency, in coordination with the Attorney General and in consultation with the heads of relevant agencies, to propose, solicit public comments, and publish security requirements addressing the unacceptable risk represented by restricted transactions, as identified by the Attorney General. Section 2(e) of the order authorizes the Secretary of Homeland Security, in coordination with the Attorney General, to take such actions, including issuing rules, regulations, standards, and requirements; issuing interpretive guidance; and using all other powers granted to the President by the IEEPA that may be necessary to accomplish the purposes described in section 2(d) of the order.

I attach a copy of the Executive Order I have issued.

JOSEPH R. BIDEN JR.

THE WHITE HOUSE,
February 28, 2024.

Glossary

  • Executive Order (EO): An executive action issued by the President of the United States to provide instructions or regulate government administration.
  • Sensitive Personal Data: Personal information considered sensitive and subject to particular protection, including personal identifiers, geolocation data, biometrics, human 'omics,' personal health, and financial data.
  • Department of Justice (DoJ): The federal executive body of the United States responsible for enforcing federal laws and administering justice.
  • Prohibited and Restricted Transactions: Activities prohibited or subject to restrictions by the Attorney General of the United States, including acquisitions, holdings, transfers, and transactions involving sensitive data.
  • Attorney General (AG): The head of the United States Department of Justice, responsible for enforcing federal laws.
  • Consumer Financial Protection Bureau (CFPB): A United States government agency responsible for overseeing consumer financial practices and enforcing consumer financial protection laws.
  • Committee for the Assessment of Foreign Participation: Body tasked with reviewing and assessing foreign participation in the US telecommunications services sector.
  • Covered Personal Identifiers: Information that can be used to identify an individual, including names, addresses, phone numbers, and other related data.
  • National Emergency: An extraordinary situation requiring immediate and extraordinary government actions to protect national security and interests.
  • IEEPA (International Emergency Economic Powers Act): A US law granting the President powers to regulate commerce during national emergencies.