On 28 Feb., U.S. President Joe Biden signed what the White House called a "groundbreaking" new executive order on "Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern." The president also sent a letter to Congress explaining the move.

The executive order kicks off multiple government workstreams, including a forthcoming regulation from the U.S. Department of Justice, which would block or place restrictions on designated personal data transactions with foreign adversaries of the U.S. and their proxies. Similar existing national security regulations define "countries of concern" to include China, Cuba, Iran, North Korea, Russia and Venezuela.

Commercial data privacy and security rules, including recommendations to implement privacy enhancing technologies, are also expected as part of a separate regulatory process through the Department of Homeland Security. These future rules would include minimum privacy and security standards that must be met before organizations engage in certain transactions that would otherwise be prohibited under the DOJ regulations.

Closing the digital gates

To begin the rulemaking on personal data transactions, the Biden-Harris administration has opted to engage in a two-part regulatory process via the DOJ. That process began immediately with the unofficial release of an advance notice of proposed rulemaking. Once the ANPRM is published in the Federal Register, stakeholders will have 45 days to submit comments. Subsequently, the DOJ will issue a draft regulation, which will be subject to a second round of comments from interested parties. With this timeline in motion, final rules are unlikely to be complete before the presidential election at the end of 2024.

The executive order is consistent with the current trend of heightened expectations for due diligence in transactions involving bulk personal data or sensitive data. Privacy professionals and security teams should pay close attention to this rulemaking, especially if their organizations engage in the buying or selling of bulk personal data — or any amount of sensitive data about U.S. government personnel such as members of the military.

High threat count

In explaining its unprecedented executive order, the White House fact sheet describes concerns about "extraordinary threats" from foreign adversaries who purchase commercially available data on U.S. citizens in order to "engage in malicious cyber-enabled activities, espionage, coercion, influence, and blackmail; build profiles on and target activists, academics, journalists, dissidents, government personnel, political figures, and members of nongovernmental organizations and marginalized communities for surveillance, influence, and intimidation; to curb dissent and for other nefarious purposes."

The concerns echo alarm bells that scholars and national security experts have been repeatedly ringing in recent years. Duke University's Sanford School of Public Policy released a report last fall on the sale of data on U.S. military personnel, based on an investigative analysis of data brokers' due diligence around transactions. The study found that many data brokers exhibit a "lack of robust controls" around the purchase of U.S. military data, even in some cases when the purchaser was located outside of the U.S.

Out with localization; in with targeted exclusion

Some commentators have classified the executive order as a proposed restriction on the flow of data across borders. Yet the contours of the proposal do not neatly fit into this category. Though national borders would play a role, the location of personal data is not the primary factor for determining whether a transaction would be banned or restricted.

The proposal would have the effect of restricting the sale of data to entities within certain countries, but it also restricts the sale of that same data to certain individuals and organizations no matter where they are located, when the U.S. designates them as proxies for countries of concern. There are no proposed restrictions on where personal data is stored or the means through which it is transferred. Instead, the determining factor is the nature of the party purchasing the data.

Steps toward 'carefully calibrated' regulations

As previewed in the ANPRM, the proposed regulatory regime would be targeted within multiple dimensions with its scope limited to covered types of:

• Personal data
• Data subjects
• Transactions
• Selling entities
• Purchasing entities

Each of these restrictions of coverage is explored below.

Sensitive personal data and 'covered personal identifiers'

The draft ANPRM considers the inclusion of four sensitive data categories within the scope of covered data, plus "covered personal identifiers." The sensitive categories of data include:

• Biometric data, defined as "measurable physical characteristics or behaviors used to recognize or verify the identity of an individual, including facial images, voice prints and patterns, retina and iris scans, palm prints and fingerprints, gait, and keyboard usage patterns that are enrolled in a biometric system and the templates created by the system."
• Precise geolocation and related sensor data (with precision standards to be determined).
• Human genomic data, whether the entire set or a subset of an individual's genetic sequencing data. As part of the program, there would also be restrictions on access to human biospecimens from which this data could be derived.
• Personal health data, with the definition adopted from the Health Insurance Portability and Accountability Act.
• Personal financial data (subject to exclusions) including "data about an individual’s credit, charge, or debit card, or bank account, including purchases and payment history; data in a bank, credit, or other financial statement, including assets, liabilities and debts, and transactions; or data in a credit or consumer report."

Beyond these traditional sensitive data categories, the "personal identifiers" considered to be included under the ANPRM are those that are "reasonably linked to an individual, and that — whether in combination with each other, with other sensitive personal data, or with other data that is disclosed by a transacting party pursuant to the transaction and that makes the personally identifiable data exploitable by a country of concern — could be used to identify an individual from a data set or link data across multiple data sets to an individual."

As contemplated, the rule would designate a comprehensive list of identifiers that would fall under the same restrictions as sensitive data when linked with another "listed identifier" in a transaction or series of transactions to related covered recipients:

• Government ID numbers
• Financial account numbers
• Device-based or hardware-based IDs
• Advertising IDs
• Demographic or contact data, except when linked only to other demographic or contact data (including name, birthdate, birthplace, zip code, address, phone number, email address and similar public account identifiers)
• Account authentication data (username, password, etc.)
• Network-based identifiers
• Call-detail data (customer proprietary network information under existing telecom privacy rules)

Like the demographic exception, the final three categories above would also be excluded from restrictions in situations where they are linked only to other identifiers within those three categories.

General exceptions are also proposed for public data, trade secrets, proprietary information, personal communications and expressive materials.

Bulk personal data of US citizens

The prohibitions contemplated in the ANPRM would apply to any transaction involving the covered personal data of a set number of Americans over a threshold for each type of sensitive data category. The ANPRM explains that these limits would be based on a risk assessment of human-centric and machine-centric characteristics of relevant datasets. The DOJ is particularly interested in stakeholder feedback on this section of the proposal, though it also includes specific questions on all aspects of the ANPRM.

The DOJ proposes two different possibilities for the bulk thresholds, a low and a high proposal, reprinted below. If a transaction or set of related transactions included the specified data of more than the listed number of U.S. persons (or devices in the case of geolocation data), it would be prohibited under the proposed rule.

• Human genetic data: Low > 100 persons; High > 1,000 persons.
• Biometric identifiers: Low > 100 persons; High > 10,000 persons.
• Precise geolocation data: Low > 100 devices; High > 10,000 devices.
• Personal health data: Low > 1,000 persons; High > 1 million persons.
• Personal financial data: Low > 1,000 persons; High > 1 million persons.
• Covered personal identifiers: Low > 10,000 persons; High > 1 million persons.

Any amount of 'government-related' data

The covered personal data of U.S. government personnel would not be subject to the proposed volume thresholds. Transactions involving such data — the same sensitive data types identified above — would be flatly prohibited under three scenarios:

• If a transacting party identifies the data as being linked or linkable to categories of U.S. government personnel.
• If the data is linked to categories of data that could be used to identify U.S. government personnel.
• If the data is linked or linkable to a list of defined sensitive government locations.

Do not sell to the block list

U.S. persons would be banned from knowingly engaging in "covered data transactions" with countries of concern or any person who is a national of one of those countries. "Transactions" are more than just sales. They include "any acquisition, holding, use, transfer, transportation, exportation of, or dealing in any property in which a foreign country or national thereof has an interest."

The draft rule would categorically prohibit any such transaction if it meets the data requirements explained above and falls into any one of the following categories:

• Data brokerage, meaning "the sale of, licensing of access to, or similar commercial transactions involving the transfer of data from any person (the provider) to any other person (the recipient) where the recipient did not collect or process the data from the individuals linked or linkable to the collected or processed data."
• A vendor agreement for any goods or services, including cloud-computing services, in exchange for payment or other consideration.
• An employment agreement, excluding independent contractors.
• An investment agreement, in which any person "obtains direct or indirect ownership interest rights in relation to (1) real estate located in the U.S. or (2) a U.S. legal entity."

The final three categories above (vendor, employment and investment agreements) would only be prohibited in relation to covered data transactions if they fail to meet the security requirements later to be specified through DHS rulemaking. The DOJ ANPRM includes a preview of the likely requirements, which "would be based on, as applicable and appropriate, existing performance goals, guidance, practices, and controls, such as the Cybersecurity and Infrastructure Security Agency Cybersecurity Performance Goals, National Institute of Standards & Technology Cybersecurity Framework, NIST Privacy Framework, and NIST SP 800-171 rev. 3."

Until the DHS rules are finalized, DOJ is proposing to "decline to regulate restricted covered data transactions" that would be subject to the new DHS privacy and security rules.

Contracts required for all foreign transactions

Further, the order would prohibit data brokerage transactions with any foreign person unless the U.S. provider contractually requires the foreign recipient to refrain from the onward transfer of the data to a country of concern or covered person through a "subsequent covered data transaction." That is, restrictive contractual terms would be required for all transfers of bulk sensitive data or government-related data to any non-U.S. entity.

Just the beginning

There is much left to discuss. Apart from the difficulty of comparing the executive order to existing data rules, it has renewed conversations in Washington, D.C., and other policy hubs about digital sovereignty and the role of national security law in restricting the flow of sensitive personal data between entities and across borders.

As stakeholders engage in the multipart comment process, the bulk data restrictions are likely to be further refined and clarified to ensure they reflect the administration's stated policy goals.