The U.S. is becoming increasingly wary of the potential for mass foreign surveillance tied to citizens' sensitive personal information transferred between entities in different countries. Warnings regarding such data stockpiling by the likes of China and Russia have pushed the U.S. government into action.

The wheels are in motion toward a solution. The White House and U.S. Congress have created new mandates through executive order and bipartisan legislation, respectively, to require bans on certain data transfers to specific countries of concern, including China and Russia.

But the approaches of the executive order and enacted legislation are not linear, according to panelists at an IAPP Privacy. Security. Risk. 2024 breakout session seeking to outline when and how requirements will impact covered entities.

"The focus has long been on illicit access to data through hacking and stealing and other mechanisms," said the U.S. Department of Justice's Devin DeBacker, chief of the National Security Division's Foreign Investment Review Section. More specifically though, DeBacker told P.S.R. attendees the government is trying to address concerns stemming from "lawful access through commercial activities that U.S. persons engage in" which "pose unacceptable risk."

Executive Order 14117, issued in February, prohibits or restricts the bulk sale of Americans' personal data to six countries and directs the U.S. Department of Justice to issue regulations that will set out the details of the transfer limitations. President Joe Biden then signed the Protecting Americans' Data from Foreign Adversaries Act, which carries the same sentiments as the executive order but differs in key definitions and specific provisions, differences that could raise compliance issues for companies subject to both sets of requirements.

Countries of concern under the executive order include China, Cuba, Iran, North Korea, Russia and Venezuela, while the PADFAA excludes coverage of Cuba and Venezuela.

DeBacker said illicit access through commercial means flies under the radar when compared with the more obvious threats associated with backdoor access.

"It doesn't do much good to close (backdoor access) if you can just walk in the front door and buy the data in an open market," DeBacker said. "Or if you're a foreign adversary, getting it through a commercial relationship your companies and individuals have."

Contrasting solutions

There is a range of key differences between the executive order and the legislation, despite the two sharing the same protection goals.

The PADFAA is in effect now, while the executive order awaits completion of a rulemaking procedure that is currently at the advance notice stage. DeBacker said proposed rules "will arrive shortly," with the aim of completion within a year of the executive order being issued. He characterized that timeline as "quick" compared to more long-winded rulemaking initiatives the government has undertaken.

Applicability is another area with important nuances as the executive order covers transactions by U.S. persons to six countries of concern and the PADFAA strictly focuses on data brokerage to only four countries. Enforcement falls on different agencies — the DOJ has the executive order while the Federal Trade Commission has sole authority on the PADFAA — and the executive order brings civil and criminal penalties versus the PADFAA's civil penalties.

American University Washington College of Law Scholar-in-Residence and adjunct professor Alex Joel, CIPP/G, CIPP/US, was particularly focused on the contrasts among definitions and how they "really draw out the distinctions" between the executive order and the law. For example, the executive order uses U.S. "persons" while the PADFAA uses U.S. "individual," which do not carry the same meaning.

"U.S. 'persons' is a more traditionally defined term," Joel said. "A U.S. 'individual' is an individual residing in the U.S. So what does that mean for Americans traveling abroad or living abroad? That's not clear to me."

Joel also identified differences related to an expansive definition of sensitive data. There is some overlap with the executive order, but the PADFAA includes unique categories, including browsing history and additional aspects connected to communications content.

"The law was passed quickly," Joel said. "There wasn't a lot of debate. I know the FTC and the DOJ are in conversation to try to work some things out."

Calibrating compliance

The unsettled state of the executive order means covered entities cannot yet fully balance the two compliance regimes. However, a majority of covered entities are likely ahead of the game already if they have been following national security developments and trends.

"So with the six countries named (in the executive order), I think five are not really a big problem," Cisco Systems Vice President, Deputy General Counsel, and Chief Privacy Officer Harvey Jang, AIGP, CIPP/E, CIPP/US, CIPT, FIP, said. "There's already been significant export controls, sanctions and issues. As American companies, we've already decoupled."

Jang alluded to companies severing Russian ties as the clearest and most recent example of the sort of separation the executive order and the PADFAA are requiring. However, the most complex issue from a business angle, according to Jang, is how to approach the uneven relationship between China and the U.S.

"Sometimes we're friends. Sometimes we're competitors, rivals or adversaries. All of it and all at the same time," Jang said. "It's different factions and different groups looking at it from different perspectives."

Business practices and efforts to make them compliant may vary based on industry and sector.

In June, IAB Executive Vice President and General Counsel Michael Hahn and Legal Counsel Adam Eisler broke down the PADFAA compliance challenges potentially facing the advertising industry. Hahn and Eisler provided a "conservative read of the law" while recommending a tempered approach to compliance in the absence of firm guidelines for the industry.

With the executive order, stakeholders will have a chance to shape the clarity and certainty they seek through public comments in the rulemaking process. The deadline for public comments on the executive order's advance notice of proposed rulemaking closed 19 April; however, another consultation will begin when the proposed rule is formally published.

"The government is listening," Jang said. "I think, in the early round (of comments), industry groups ... were just advocating for clarity on what's in scope, what's out and getting some of those FAQs."

Jang indicated the dialogue at the advance notice of proposed rulemaking stage clarified that human resources and operations data are not in scope under the executive order. He said such constructive conversations moving forward will help the executive order become "narrowly tailored to really hit the goals that it's trying to achieve."

Joe Duball is the news editor for the IAPP.