Biden Directs Attorney General to Restrict Transfer of Sensitive Personal Data to Countries of Concern


March 18, 2024

On February 28, 2024, President Biden issued Executive Order 14117, calling for new regulations to prohibit or restrict transactions that enable countries of concern to access sensitive U.S. personal and government data. The order seeks to address the mounting risk that countries of concern -- today, China, Russia, Iran, North Korea and Venezuela -- could use advanced technologies such as artificial intelligence (AI) to process large sets of sensitive personal data or data associated with the U.S. government. The danger is that these countries of concern could use insights from processing the data to engage in “espionage, influence, kinetic, or cyber operations” against the United States. Additionally, the order is intended to address the risk that countries of concern may use bulk sets of sensitive personal data to create and refine AI to improve their ability to exploit data.

The order directs the Department of Justice (DOJ) to draft regulations prohibiting or restricting transactions that enable countries of concern to access certain U.S. sensitive personal and government data. DOJ’s National Security Division has issued an Advance Notice of Proposed Rulemaking outlining the contemplated regulations.

Comments on the notice are due by April 19, 2024. DOJ is expected to issue a proposed rule by August 26, 2024.

What Companies Need to Know

  • The order and notice envision an expansive new regulatory regime that restricts transactions involving bulk sensitive personal data and U.S. government data between U.S. persons and covered persons associated with countries of concern.
    • The new regulatory regime would build on U.S. government efforts to protect sensitive personal data, including those of the Committee on Foreign Investment in the United States (CFIUS).
    • CFIUS can prohibit specific foreign investment transactions within its jurisdiction on the grounds that a transaction poses a national security risk as a result of its connection to sensitive personal data.
    • The notice outlines broad prohibitions and restrictions rather than a case-by-case review.
  • No new restrictions take effect immediately. While a proposed rule is expected in August, the precise timing for a final rule remains unclear.
  • The notice:
    • Proposes prohibiting (i) covered data brokerage transactions and (ii) any other transactions that provide a country of concern or covered persons with access to bulk human genomic data or human biospecimens from which that data can be derived.
    • Contemplates restricting other transactions, namely certain vendor agreements, employment agreements and investor agreements. The proposal would require such agreements to meet security requirements the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security plans to issue.
    • Envisions a civil enforcement mechanism modeled after economic sanctions programs administered by the Treasury Department’s Office of Foreign Assets Control (OFAC). The proposed regulatory regime would require companies to implement risk-based compliance programs commensurate with their size and sophistication, products and services, customers and counterparties and geographic locations.
  • Companies that may be affected should monitor developments, consider submitting comments on the notice and assess the potential impact on future transactions.

Who Would Be Covered?

The notice proposes regulating data transactions between U.S. persons and covered persons, defined in the order to include entities subject to the jurisdiction, direction, ownership or control of countries of concern and their employees and contractors, as well as employees, contractors and residents of China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba and Venezuela.

This expansive definition includes both persons who fall within pre-defined categories and persons DOJ would designate on a public list, modeled on OFAC sanctions lists.

What Data Would Be Covered?

The order directs the Attorney General to restrict transactions involving bulk sensitive personal data or U.S. government-related data. The order provides basic definitions for these terms, which are further defined in the notice.

a. Bulk Sensitive Personal Data

The order outlines six categories of sensitive personal data, which the notice further defines:

  1. Covered personal identifiers. These are classes of data that are reasonably linked to an individual and that could be used to identify an individual from a data set or link data across multiple data sets to an individual. The notice proposes a list of identifiers, including government identification numbers, financial account numbers, device-based and hardware-based identifiers, demographic and contact data, advertising identifiers, account-authentication data, network-based identifiers and call-detail data.

  2. Geolocation and related sensor data. Under the notice, only precise geolocation data that identifies the physical location of an individual or a device within a certain distance would be covered. The precise distance will be determined during the rulemaking process. This includes real-time and historical data.

  3. Biometric identifiers. The notice defines this term as “measurable physical characteristics or behaviors used to recognize or verify the identity of an individual, including facial images, voice prints and patterns, retina and iris scans, palm prints and fingerprints, gait and keyboard usage patterns that are enrolled in a biometric system and the templates created by the system.”

  4. Human ’omic data. The order covers all data generated from humans that characterizes or quantifies human biological molecules, including human genomic data, epigenomic data, proteomic data, transcriptomic data, microbiomic data and metabolomic data. The notice proposes covering only human genomic data in the first rulemaking.

  5. Personal health data. The notice borrows the definition of individually identifiable health information from the Health Insurance Portability and Accountability Act, including information collected by a covered entity or business associate.

  6. Personal financial data. This category would include credit card and bank account data and history, financial statement data and data in credit or consumer reports.

The notice proposes different thresholds to determine when a collection of sensitive personal data constitutes bulk data based on its category.

b. U.S. Government-related Data

The order defines U.S. government-related data as sensitive personal data that poses a heightened risk of being exploited by a country of concern to harm United States national security regardless of volume and that:

  • A transacting party identifies as being linked or linkable to certain current or former federal employees, contractors or officials;
  • Is linked to categories of data that could be used to identify certain current or former federal employees, contractors or officials; or
  • Is linked or linkable to certain sensitive locations, the geographical areas of which will be specified publicly.

The notice proposes categorizing U.S. government-related data into two categories:

  1. Precise geolocation data for any location within an enumerated list of specific geofenced areas associated with military, government and other sensitive locations.
  2. Any sensitive personal data, regardless of volume, that a transacting party markets as linked or linkable to current or recent former employees or contractors or former senior officials of the U.S. government, including the military and Intelligence Community.

What Transactions Are Covered?

The notice proposes a two-tiered regulatory regime consisting of “prohibited transactions” (certain classes of “highly sensitive” transactions prohibited in their entirety) and “restricted transactions” (transactions that would be permitted only if they comply with security requirements to be developed by CISA).

a. Prohibited Transactions

The notice would categorically prohibit covered data transactions that raise the highest national security risks. These transactions would enable countries of concern or covered persons to access bulk U.S. sensitive personal data or government-related data. The notice identifies two categories of covered data transactions that warrant prohibition:

  1. Data brokerage transactions.
  2. Any transactions that provide a country of concern or covered person with access to bulk human genomic data or human biospecimens from which that data can be derived.

b. Restricted Transactions

The notice would restrict certain covered data transactions by prohibiting them except to the extent that they comply with predefined security requirements. These transactions may enable countries of concern or covered persons to access bulk U.S. sensitive personal data or government-related data unless certain security requirements are implemented. CISA will establish these security requirements in a separate rulemaking. The notice identifies three categories of covered data transactions for restriction:

  1. Vendor agreements, including technology services and cloud service agreements such as Software-as-a-Service (SaaS).
  2. Employment agreements, including employment on a board or committee, executive-level agreements and employment services at an operational level.
  3. Investment agreements, including investments in real estate in the U.S. and investments in a U.S. legal entity.

c. Exempt Transactions

The notice contemplates exempting data transactions involving personal communications and information or informational materials and certain transactions for U.S. government activities.

Enforcement and Compliance

The notice outlines a civil enforcement regime with processes similar to those followed by OFAC and CFIUS. It would have mechanisms for a pre-penalty notice, an opportunity to respond and a final decision.

However, unlike OFAC regulations, which are applied on a strict liability basis, the notice states that the rules to be issued are “not intended to operate as a strict-liability standard.” Rather, DOJ would prohibit U.S. persons “knowingly” engaging “in a covered data transaction with a country of concern or covered person” and knowingly directing transactions that would be prohibited if a U.S. person engaged in them. In addition to civil enforcement, the DOJ fact sheet published alongside the order and notice states that the order also authorizes DOJ to pursue criminal remedies for violations of the new regulations.

DOJ does not propose general compliance requirements and instead contemplates a risk-based compliance model similar to economic sanctions programs that OFAC administers. U.S. persons would be expected to develop and implement risk-based compliance programs, with the expectation that programs will vary based on factors such as the U.S. person’s “size and sophistication, products and services, customers and counterparties, and geographic locations.” Similar to the enforcement regime for OFAC economic sanctions programs, DOJ would consider the adequacy of the compliance program in any enforcement action.

In addition, the notice contemplates a licensing regime to authorize covered data transactions that would otherwise be prohibited or restricted. This regime would be modeled on the licensing regime OFAC uses and would include both general and specific licenses.

Other Relevant Provisions

As discussed above, the order directs CISA to develop a framework of security requirements that private parties must implement before engaging in restricted transactions. These security requirements may include “(1) organizational requirements (e.g., basic organizational cybersecurity posture), (2) transaction requirements (e.g., data minimization and masking, use of privacy-preserving technologies, requirements for information-technology systems to prevent unauthorized disclosure, and logical and physical access controls) and (3) compliance requirements (e.g., audits).” CISA will issue these security requirements through a separate notice-and-comment rulemaking process.

The order also directs the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector (Team Telecom) to consider threats to bulk sensitive personal data in reviewing new applications and existing licenses related to submarine cable lines.

With regard to healthcare, the order requires several federal agencies to consider steps to prohibit assistance that enables countries of concern or covered persons to access United States persons’ bulk sensitive personal data, including personal health and human genomic data.

The order directs the Consumer Financial Protection Bureau to consider addressing the risk posed by entities in the data brokerage industry who may enable access to bulk sensitive personal data and U.S. government-related data by countries of concern and covered persons.

What's Next?

The order is the first significant move by the U.S. government to restrict cross-border data transfer. The order and notice contemplate an expansive new regulatory regime to address national security risks posed by commercial transactions that potentially transfer sensitive personal or U.S. government data to countries of concern. The program is intended to reflect the U.S. government’s commitment to the free flow of information, but is still likely to impose significant compliance obligations.

The order instructs the Attorney General to publish a proposed rule by August 26, 2024. U.S. companies will likely need to develop and implement rigorous compliance programs based on their risk profiles. Companies should monitor the rulemaking process and forthcoming CISA security requirements.

As the regulations develop, we strongly recommend that companies transacting in covered data confirm compliance efforts with legal counsel.

Want to know more? Reach out to one of the authors or another member of the Orrick team.