Introduction

On Wednesday, February 28, 2024, US President Joe Biden’s administration issued an executive order that directs the Departments of Justice (DOJ), Homeland Security, Health and Human Services (HHS), Defense, and Veteran Affairs to take action to prevent foreign adversaries from gaining access to US citizens’ sensitive personal data. The order, entitled “Preventing Access to Americans’ Bulk Sensitive Personal Data and US Government-Related Data by Countries of Concern”, will prohibit the bulk transfer and sale of sensitive US personal data to countries of concern, with violations subject to civil and criminal penalty.

With a legal basis in the International Emergency Economic Powers Act (IEEPA), the program places a specific focus on sensitive health, financial, biometric, and genomic data transferred in bulk volume. In addition to the DOJ-led program prohibiting these transfers, the executive order also places more stringent guardrails around sensitive government-related data, commercial data broker transactions, federal grants that facilitate access to sensitive health data, and licensing for submarine cables under the auspices of ‘Team Telecom’. Misuse of this data by US foreign adversaries raises national security risks around genomic surveillance, human rights abuses, artificial intelligence (AI) systems, targeted biothreats, and the ability to develop kompromat on US citizens and military personnel.

The DOJ will issue an Advanced Notice of Proposed Rulemaking (ANPRM) subject to two rounds of public comment, but the executive order represents a significant step in closing current structural loopholes that render US personal data free fodder for the People’s Republic of China’s (PRC) economic and technological ambitions.

The Executive Order and DOJ Rulemaking

Countries of Concern / Covered Persons

Countries of concern targeted by the executive order will include the same six foreign adversaries covered by the Commerce program to secure the Information and Communications Technology and Services (ICTS) supply chain. These countries include: the PRC (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela.

A covered person is defined as:

  • Entities (including companies) owned by or subject to the jurisdiction of a country of concern
  • A foreign person employed by a covered entity
  • A foreign person employed by a country of concern
  • A foreign person who resides primarily in a country of concern

The DOJ will act as the lead implementer of programming, but the Departments of State, Homeland Security, Commerce, and the Treasury will maintain important roles in rulemaking, licensing, and identifying countries of concern and covered persons.

While a public list of designated covered persons will be published, it will not be exhaustive, and the DOJ will supplement this list if additional entities meet certain criteria. Transactions of data that take place domestically will not be covered.

Types of Data

The executive order focuses on six categories of highly sensitive personal data that pose the greatest national security risks if obtained by foreign adversaries. These categories include:

  • Geolocation data (especially linked to certain sensitive government locations)
  • Biometric identifiers (for example, fingerprints or facial recognition)
  • Human genomic data and other biodata (upon a risk assessment by the DOJ)
  • Personal health data
  • Personal financial data
  • Other categories of covered personal identifiers specifically listed by the DOJ

Data falling under one of these six categories is only covered under the proposed rulemaking if it exceeds certain bulk thresholds—in other words, if it is sold or transferred en masse. The data covered in the executive order does not include public records (court or government records), personal communications, or expressive information (videos or publications). However, sensitive government-related data and data on US government personnel will not be subject to these bulk thresholds and regulated regardless of volume.

Types of Transactions

Certain key types of transactions are covered by the executive order. First, data brokerage transactions—transactions in which companies that specialize in collecting personal data from public records or private sources sell that data to covered entities—are regulated. Special focus may be placed on government-related data subject to data brokerage, and provisions may be added to prevent the “re-export” of data from non-covered data brokers to covered entities. Second, genomic data transactions, from which sensitive personal data can be easily derived, are also regulated.

Covered data transactions will be restricted in vendor, employment, and investment agreements.

  • Vendor agreements involve transactions of personal data between US businesses and contractors headquartered in countries of concern to provide goods and services (such as IT-related services).
  • Employment agreements involve transactions of data by US companies that develop digital applications and employ covered persons in countries of concern.
  • Investment agreements involve transactions of data that occur when covered persons invest in US businesses that are rich in sensitive data.

Exemptions   

While the executive order creates an impressive new swath of protections for sensitive personal data, certain exemptions are aimed at preserving economic relationships with partner countries. First, financial data transactions—such as those that fall under e-commerce, legal compliance, or take place between banks or financial institutions—are exempt. These transactions are already subject to oversight by financial regulators and will continue to be monitored for compliance with sanctions, export controls, and anti-money laundering (AML) standards.

Other carve-outs will include:

  • Transactions that take place for the purpose of business operations within multinational countries (related to HR or payroll processing). Such transactions are already comprehensively regulated.
  • Federally funded grantees, including health and research establishments. Data security concerns involved in global data-sharing for research purposes will be handled by relevant agencies.
  • Data transactions that are already covered by federal or international law.

Bolstering US Data Security Infrastructure Across the Federal Government

The executive order will make critical adjustments to current structures that govern strategic arenas in US technological capabilities, such as telecommunications, genomic data, and data brokerage.

  • “Team Telecom” will heighten its review of licensing for submarine cable systems owned by countries of concern.
  • The Departments of Defense, HHS, Veteran Affairs, and the National Science Foundation will place limits on grantmaking that may involve the transfer of genomic data to covered entities.
  • The Consumer Financial Protection Bureau will be encouraged to place increased attention to the role data brokerage plays broadly in US national security concerns.

National Security Motivations Around Sensitive Data

Decades of unprotected transfers of sensitive US data have left the United States vulnerable to the strategic data collection interests of the PRC. For example, the intelligence community has assessed that US healthcare data may be particularly sought after by the PRC for its ethnic diversity to drive competitiveness in AI-based precision medicine approaches. For years, the PRC has been able to gain access to this data through both licit and illicit means. Federal measures like the US Privacy Act of 1974, the Health Insurance Portability and Accountability Act (HIPAA), and the Children’s Online Privacy Protection Act (COPPA) provide fragmented and limited data protection, and states have adopted regulations on a case-by-case basis. But no updated, omnibus federal framework has limited the transfer of sensitive US data. Meanwhile, the European Union has maintained the General Data Protection Regulation (GDPR), which establishes protections for the personal data of European citizens and has been modelled around the globe.

The lack of a comprehensive data privacy framework in the United States has contributed to national security vulnerabilities around data security.  Steps like implementing cybersecurity measures or anonymizing data can protect against foreign hacking and data leakage, but the bulk collection of data has not come with corresponding cybersecurity requirements, and it is easy for needed security measures to remain neglected. Routine anonymization is often insufficient to protect privacy and identities. A 2019 study from Nature Communications found that given only 15 demographic traits, the personal profiles of 99.8% of Americans in any dataset could be re-identified. A lack of concrete guidelines and penalties governing US data transactions ensures that foreign actors with malicious intentions have all the necessary tools to track American citizens (including intelligence and military personnel), develop biothreats, and train AI models—and with AI being compared to the “new oil” for its geopolitical import, data serves as crucial currency.

The PRC, specifically, has been ambitious in collecting sensitive data, including forcibly on its own citizens. In its Made in China 2025 strategy, the PRC zeroed in on the biotech industry and announced the collection of healthcare information to be a priority. As recently as February of this year, the PRC announced it has built the world’s most detailed human genome, with implications for the treatment of disease and in support of the PRC’s global biotechnology leadership aspirations. Such ambitions pose challenges to US national security and global human rights, not least through the PRC’s DNA surveillance and AI-enabled facial recognition regime targeting and detaining as many as a million ethnic Uyghur Muslims in Xinjiang. Decoupling US companies and data from these abuses is an urgent moral and national security priority.

Past legislation has recognized these national security concerns and introduced greater protections for Americans’ personal and biometric data, but these efforts have either floundered in Congress or not yet managed to secure passage. Broad comprehensive privacy legislation like the American Data Privacy and Protection Act was introduced in June 2022 to limit corporate transfer of personal data without user consent. In the genomic data realm, the BIOSECURE Act was introduced in January 2024 to restrict federally funded medical providers from using biotech companies like BGI Group and its subsidiaries that are housed in countries of concern (paired with a bill containing similar goals introduced to the Senate in December 2023). Similarly, states have increasingly recognized the urgent need to protect foreign collection and use of biometric information, with Illinois, Texas, and Washington passing landmark legislation regulating such data transactions, and at least 17 states bringing related bills to the floor in 2023. This week’s executive order thus represents a landmark and long-anticipated development in comprehensive federal oversight of sensitive data transfers.

The executive order also presents significant progress in the realm of cybersecurity enhancement. Permission to proceed with the transfer of sensitive data in covered agreements will now require increased cybersecurity measures, including data minimization and masking techniques; the use of privacy-preserving technologies; and controls on physical access to data centers. This progress aligns closely with recommendations made in the Alliance for Securing Democracy at GMF’s May 2021 Weaponized Web report, and the report’s proposed cybersecurity reporting structure-issuing guidance for compliance and certification could further enhance new developments.

Future Considerations

As more details surrounding implementation continue to unfold, considerations remain surrounding the breadth and depth of the order. The government will need to create mechanisms, for example, to measure and set “bulk thresholds”, with implications on the financial viability of smaller versus larger corporations that conduct covered data transactions. Balancing the desire to maintain open free flows of data with trust among democratic allies and partners while guarding against autocratic misuse will remain a tension moving forward.

The DOJ ANPRM also contemplates a provision on the ‘re-export’ of restricted data, whose implementation will be necessary for achieving the executive order’s stated objectives. Given that only entities affiliated with covered countries are included in bulk transfer restrictions, there is nothing preventing an intermediary harbored in a third country from accessing the restricted data and then reselling it or retransferring it to a covered entity. The contemplated provision involves a certification or self-attestation from recipients of data transactions that they will not transfer that data to covered entities, but a stronger mechanism may be needed. Absent a robust re-export regime with means of enforcement, it is hard to see how the program will be effective in meaningfully restricting the transfer of sensitive data to determined malign actors. The order also leaves open many of the data collection risks associated with social media platforms and autocratic apps like TikTok and WeChat. As recently as 2023, TikTok has maintained “exceptions” that allow it to continue to collect and store US data on PRC servers. With more and more Americans getting their news from the platform, data access combined with the potential for targeted manipulation remains a risk unaddressed by the executive order.

The executive order is a first step, however, in recognizing the strategic value of data and the national security risks with completely unsecured flows of sensitive information. The proposal for a heightened review of submarine cable licenses for the risks of data exfiltration also suggests a recognition of the connected Future Internet and the need to secure data across infrastructure, storage, and application layers of the technology stack. This data can both drive competitiveness of AI and Internet of Things (IoT)-based systems but also reveal geographic information on sensitive sites, personal information on sensitive users, or business and intellectual property information on sensitive technologies. Extending data protections to the application layer around the IoT and connected devices from vehicles to smart refrigerators is the next step in bolstering the security of US information from malign actors. As the PRC moves to integrate more deeply into global technology stacks, these considerations will grow in importance, as will the need for the United States to align data protection and security policies with its democratic allies and partners.

The views expressed in GMF publications and commentary are the views of the author alone.