U.S. President Joe Biden closed February 2024 with the Executive Order on Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern, which signaled important developments on the country's plans to position and guard itself — through new rules established by the Department of Justice — against global adversaries such as China, Iran and Russia. The executive order speaks volumes about how the U.S. views the next-generation impacts of data flows on the digital economy and how it can be better equipped as a global leader.
Meanwhile, a slew of Congressional actions, including a newly introduced bill from the House Energy and Commerce Committee, are also tackling the same considerations. They aspire to solve the issues of overcollection, sharing and sale of consumers' personal data, including sensitive data by certain third parties that are loosely defined as "data brokers."
The takeaways
The U.S. is not declaring a position on data localization
For some, the knee-jerk reaction to the executive order is that the U.S. is taking actions similar to those of countries like India, whose 2023 Data Protection Act gives the government full discretion to restrict data flows to certain countries by notification. Privacy professionals more steeped in the subject might instead compare the order to earlier draft stages of India's bill, which would have created a "black list" of nations with which data flows were restricted.
Furthermore, some readers may believe the order's language resembles the data localization provisions in the EU's approach to digital markets and privacy, including, for example, the EU Data Act. Before jumping to such a conclusion, it is important to evaluate the executive order in a broader context by looking at the bigger picture of the U.S.'s digital trade and data flow policies over time to understand that data localization is not the means to the end here.
Data free flow with trust remains the essential guiding principle for international cooperation on data flows, coming out of World Economic Forum meetings, as well as meetings with the G7, G20 and the Organisation for Economic Co-operation and Development in recent years.
The U.S. is not trying to close off digital data flows or retreat into a cocoon of its own. Rather, it is setting restrictions that impose stronger safeguards to strengthen its value as a digital trade partner and its role as a world leader, while continuing to allow the free flow of data with other countries that follow the same guiding principles. For example:
- The U.S. recently reworked its agreement on the EU-U.S. Data Privacy Framework on trans-Atlantic data flows, with a newly created Data Protection Review Court to further mitigate the risk of a Schrems-like debate, ruling or violation.
- The U.S. Federal Trade Commission offered its handshake by signing onto the Global Cooperation Arrangement for Privacy Enforcement on the Cross-Border Privacy Rules program.
The economic consequences of the new restrictions are meant to sustain and promote the digital economy
While the executive order does not delineate an estimated dollar amount by which the new restrictions may impact the digital economy, in 2016 the McKinsey Global Institute estimated the international flow of data contributing to the world economy to be valued at USD11 trillion by 2025. Quantifying how businesses derive value from the data remains challenging and elusive.
As a result of the executive order, U.S. companies may feel inclined to take a more cautious approach toward digital data flows. For U.S.-headquartered multinational companies working with international vendors and third parties located in other nations and subject to their laws, which were not previously restricted, the new restrictions may create further barriers and/or limitations on sharing bulk data and engaging in retail, commercial, financial and government transactions, regardless of company size. This may put downward pressure on their participation in the digital economy, especially for U.S. companies coping with many different laws, standards and frameworks in the absence of a comprehensive federal privacy law.
On the flip side, it could encourage more companies to proactively review their data mapping or data review practices, while leveraging interoperable frameworks such as the global CBPR. This can support better return on investment for companies looking to take a global privacy compliance approach and potential reductions in duplicative spending on the many frameworks that support compliance — from standard contractual clauses to the EU-U.S. DPF to CBPRs. It can also incentivize the role of accountability agents that work in coregulatory models with the government to help provide a light-touch approach to enforcement and monitor the playing field for bad actors.
Finally, what appears to be happening is a closer alignment between the U.S.'s targeted approach to data flows and the EU's, India's and other countries' built-in protections for sensitive data in their national data privacy laws and regulations.
The executive order alludes to converging global definitions of data protection and adequacy
Maintaining adequacy in data protection should and will remain a top priority for the U.S., particularly in light of executive action like this one. The uncertainty of the state of trans-Atlantic data flows after the "Schrems I and II" decisions placed U.S. data practices under heightened scrutiny. This executive order signals the country's desire to take concrete steps to protect the commercial and government data of its own citizens.
Other nations are already acting to secure their data protection via adequacy provisions in their national privacy regulations. For example, Article 45 of the EU General Data Protection Regulation allows for the transfer of personal data to a third country, when the third country ensures an "adequate level of protection." In a similar vein, the executive order signals the U.S. is committed to partnering with like-minded countries with similar levels of adequacy to impose robust data practices that are "adequate" in nature, which will serve as an effort to future-proof and strategically equip the U.S. going forward.
The opportunity for newer, stronger and more secure approaches to data privacy
The order candidly states that AI-based malware, related spoofing incidents and cyber threats are rampant in nations where data privacy controls are lax, or where foreign governments can easily access the data of U.S. consumers under claimed national security exemptions, giving them strategic access to manipulate that data.
The order also provides hope for next-generation technologies and ways to share data responsibly and efficiently, noting a process to build new regulations that will potentially standardize and incentivize the use of privacy-enhancing technologies through joint efforts by the DOJ and the Department of Homeland Security. The field of PETs has already been defined and loosely framed through guidance by the National Institute of Standards and Technology, so this executive order effort could strengthen the potential use of the technology.
PETs use advanced cryptography and statistics to link data sets or servers so that data can be shared responsibly without revealing the identifying data itself. They include a range of tools such as homomorphic encryption, federated learning, synthetic data and differential privacy. Implementing regulations will likely provide more clarity on the minimum privacy and security requirements — and use of PETs — that companies should be leveraging, which will help spark more innovative solutions to data privacy problems.
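To make the differential privacy idea above concrete, here is an added example (not code from the article or from any agency guidance it cites) in Python. It releases a count over a constructed set of hypothetical health records using the Laplace mechanism, tracks the privacy budget spent across queries, and shows the bound that keeps any single individual's presence from being inferred from the released figure. The record layout, the `PrivacyBudget` class and the query predicate are all assumptions made for the example.

```python
import math
import random

# Constructed sample records (hypothetical, not real people): each row is one
# individual's (record_id, state, has_condition). This is the kind of sensitive
# health data a holder may want to share only in aggregate, never row by row.
RECORDS = [
    ("r1", "VA", True), ("r2", "VA", False), ("r3", "MD", True),
    ("r4", "MD", True), ("r5", "DC", False), ("r6", "VA", True),
]


def exact_count(records, predicate):
    """Non-private count: releasing it directly can reveal whether one person is in it."""
    return sum(1 for r in records if predicate(r))


def laplace_noise(scale, rng):
    """Sample Laplace(0, scale) by inverse CDF so the example needs only the stdlib."""
    u = rng.random() - 0.5                   # uniform on [-0.5, 0.5)
    tail = max(1.0 - 2.0 * abs(u), 1e-300)   # guard the log at the extreme
    return -scale * math.copysign(1.0, u) * math.log(tail)


class PrivacyBudget:
    """Tracks total epsilon spent across queries (basic sequential composition)."""

    def __init__(self, total_epsilon):
        self.total = total_epsilon
        self.spent = 0.0

    def charge(self, epsilon):
        if epsilon <= 0:
            raise ValueError("epsilon must be positive")
        if self.spent + epsilon > self.total + 1e-12:
            raise RuntimeError("privacy budget exhausted")
        self.spent += epsilon


def dp_count(records, predicate, epsilon, budget, rng=None):
    """Counting query released under epsilon-differential privacy (Laplace mechanism).

    A count has global sensitivity 1: adding or removing one person changes it by
    at most 1, so noise of scale 1/epsilon hides any single individual's presence.
    """
    budget.charge(epsilon)
    rng = rng or random.SystemRandom()
    sensitivity = 1.0
    return exact_count(records, predicate) + laplace_noise(sensitivity / epsilon, rng)


def neighbour_likelihood_ratio(observed, count_a, count_b, epsilon):
    """Ratio of Laplace densities for one released value under two neighbouring
    datasets whose true counts differ by 1. It never exceeds exp(epsilon), which is
    exactly the guarantee differential privacy makes to the individual."""
    scale = 1.0 / epsilon
    density_a = math.exp(-abs(observed - count_a) / scale)
    density_b = math.exp(-abs(observed - count_b) / scale)
    return density_a / density_b


if __name__ == "__main__":
    budget = PrivacyBudget(total_epsilon=1.0)
    in_va_with_condition = lambda r: r[1] == "VA" and r[2]
    print("exact count:", exact_count(RECORDS, in_va_with_condition))
    print("released (eps=0.5):", round(dp_count(RECORDS, in_va_with_condition, 0.5, budget), 2))
    print("released (eps=0.5):", round(dp_count(RECORDS, in_va_with_condition, 0.5, budget), 2))
    try:
        dp_count(RECORDS, in_va_with_condition, 0.1, budget)
    except RuntimeError as err:
        print("third query refused:", err)
```

The budget object is the operational piece a data holder actually needs: each released statistic spends part of a fixed epsilon, and once it is gone further queries are refused rather than allowed to accumulate into a re-identification.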
Future considerations
While the order's fact sheet focuses on restricting the bulk purchase and sharing of sensitive data, it also leaves a trail of unanswered questions that public stakeholders can answer through the Advance Notice of Proposed Rulemaking by the DOJ's National Security Division.
The definitions of personal information, sensitive data and special category data vary, as does the way that data is shared between affiliated and nonaffiliated entities.
For example, in a post about recent privacy complaints, the FTC said, "Browsing and location data are sensitive. Full stop." The FTC has been pushing the envelope on this. Its bottom line has been to call for heightened protections and responsibilities when processing sensitive data, including geolocation data, health data and browsing data, and for preventing inappropriate access — without consumer consent — by third parties, including data brokers. Taking a closer look at the FTC's agenda with regard to protecting sensitive data sheds light on what is to come. Are we going to see more concrete enforcement action, and potentially a "commercial surveillance" rule, in this space, as well as potential further alignment between the U.S. and other countries in their approach to privacy?
The order includes "genomic and personal health data, financial data, geolocation" and other personal identifiers, as well as sensitive government data of military members and government sites, in its definition of sensitive data. Will this sensitive data also be subject to protections in recently passed U.S. state consumer privacy laws and data broker registration laws, as well as those outlined in older sectoral laws like the Health Insurance Portability and Accountability Act or Title V of the Gramm-Leach-Bliley Act?
Under the order, U.S. government-related data is a specifically protected category that the attorney general says, "poses a heightened risk of being exploited by a country of concern to harm United States national security." This is because it is linked, or linkable, to categories of current or recent federal government employees, contractors or senior officials or it is linkable to sensitive locations controlled by the government, such as military bases or government properties. To what extent will America's list of foreign adversaries and allies continue to change and evolve? How will this impact our digital trade and data flows with these nations?
The term "data broker" is defined broadly, capturing the wide swath of third parties that process and share consumer data. Will this result in subjecting more companies that collect and sell personal data to the executive order than those that register as data brokers and are subject to U.S. state consumer privacy and data broker laws?
The order defines "country of concern" as a designated foreign government that "has engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or the security and safety of United States persons, and poses a significant risk of exploiting bulk sensitive personal data or United States Government-related data to the detriment of the national security." It delegates final authority to designate specific countries of concern to the attorney general. How will the current and future attorney general exercise this authority?