
Biden order bars data broker sale of Americans’ sensitive data to adversaries

News Analysis | 28 Feb 2024 | 10 mins
Critical Infrastructure, Data Privacy, Government

President Biden issued an executive order to bar data brokers from selling Americans’ sensitive data to “countries of concern,” ordering a slew of actions by the Justice Department and other government agencies that would deny adversaries access to the highly prized information.


US President Joe Biden signed a sweeping executive order involving multiple government agencies that seeks to protect Americans’ sensitive personal data from exploitation by barring data brokers from selling that sensitive information to a list of US adversaries, most prominently China. In announcing the order, entitled Preventing Access to Americans’ Bulk Sensitive Personal Data and U.S. Government-Related Data by Countries of Concern, the White House said that “companies are collecting more of Americans’ data than ever before, and it is often legally sold and resold through data brokers. Commercial data brokers and other companies can sell this data to countries of concern, or entities controlled by those countries, and it can land in the hands of foreign intelligence services, militaries, or companies controlled by foreign governments.”

The order calls for regulations to prevent the large-scale transfer to countries of concern Americans’ most personal and sensitive information, including genomic data, biometric data, personal health data, geolocation data, financial data, and certain kinds of personally identifiable information.

The Department of Justice (DOJ) will be responsible for implementing the EO, in consultation with other relevant federal agencies, and plans to issue regulations that protect Americans’ sensitive personal data from access and exploitation by countries of concern. “This Executive Order gives the Justice Department the authority to block countries that pose a threat to our national security from harvesting Americans’ most sensitive personal data—including human genomic data, biometric and personal identifiers, and personal health and financial data,” US Attorney General Merrick Garland said.

“Today, we make clear that American citizens’ sensitive and personal data is not for sale to our adversaries,” Deputy Attorney General Lisa Monaco said. “The Justice Department has long focused on preventing threat actors from stealing data through the proverbial back door. This executive order shuts the front door by denying countries of concern access to Americans’ most sensitive personal data.”

Justice Department rulemaking based on data transaction categories

A fact sheet released by the DOJ details how it plans to implement the order. First, the DOJ does not plan to implement the EO through a case-by-case review of data transactions. Instead, it will establish rules through a rulemaking proceeding for engaging in specific categories of data transactions with certain countries of concern or covered persons subject to their jurisdiction.

The DOJ’s Advance Notice of Proposed Rulemaking (ANPRM) will contemplate identifying six countries of concern: China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela. Among the items the ANPRM will address are:

Covered persons: The program will be defined categorically to include certain classes of entities and individuals subject to the jurisdiction, direction, ownership, or control of countries of concern, where transferring data to these persons would place that data within the reach of the countries of concern. The EO defines four categories of covered persons:

  • “An entity owned by, controlled by, or subject to the jurisdiction or direction of a country of concern”
  • “A foreign person who is an employee or contractor of such an entity”
  • “A foreign person who is an employee or contractor of a country of concern” and
  • “A foreign person who is primarily resident in the territorial jurisdiction of a country of concern”

According to the EO and the ANPRM, the categories of covered persons would not include anyone who is a US citizen, national, or lawful permanent resident, anyone admitted to the United States as a refugee or granted asylum, any entity organized solely under US laws or jurisdiction, and any person located in the United States.

The EO also authorizes DOJ to supplement these categories of covered persons by designating specific entities or individuals as covered persons if they meet certain criteria, such as being owned or controlled by or subject to the jurisdiction or direction of a country of concern or acting on behalf of a country of concern or another covered person.

Sensitive personal data: The EO defines “sensitive personal data” to mean covered personal identifiers, geolocation, and related sensor data, biometric identifiers, personal health data, human genomic data, personal financial data, or any combination thereof that could be exploited by a country of concern to harm United States national security if that data is linked or linkable to any identifiable United States individual or a discrete and identifiable group of United States individuals.

The DOJ plans to refine the scope of these sensitive personal data categories further in its rulemaking. Sensitive personal data will not include data that is a matter of public record (such as court or other government records) that is lawfully and generally available to the public, nor personal communications.

Bulk thresholds and US government-related data: The DOJ’s program will generally regulate the specified categories of data transactions in the six categories of sensitive personal data only if the transactions exceed prescribed bulk volumes (i.e., a threshold number of US persons or US devices). However, those bulk volumes would not apply to transactions involving certain US government-related data. The program will regulate data transactions involving sensitive personal data on US government personnel or locations regardless of the volume of such data.

For government-related personnel data, the ANPRM will contemplate focusing on sensitive personal data that a transacting party (such as a data broker) markets as linked or linkable to current or recent former employees or contractors or former senior officials of the federal government, including the intelligence community and military. For US government-related data on locations, the ANPRM will contemplate focusing on geolocation data that is linked or linkable to certain sensitive locations within geofenced areas that the Department would specify on a public list.

Covered data transactions: The forthcoming ANPRM contemplates identifying two categories of prohibited data transactions between US persons and countries of concern or covered persons:

  • Data-brokerage transactions
  • Genomic data transactions involving the transfer of bulk human genomic data or biospecimens from which such data can be derived

The ANPRM will further contemplate identifying three categories of restricted data transactions:

  • Vendor agreements involving the provision of goods and services (including cloud service agreements)
  • Employment agreements
  • Investment agreements

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) will establish the security requirements for these restricted transactions.

Exempt data transactions: The EO contains, and the ANPRM will contemplate, several across-the-board exemptions for data transactions that would be excluded from regulation to the extent that they are:

  • Financial transactions that are already subject to regulations
  • Ordinary ancillary business operations such as payroll or human resources
  • Activities of the US Government and its contractors, employees, and grantees, such as federally funded health and research activities, which the funding agencies will regulate themselves
  • Transactions required or authorized by federal law or international agreements, such as exchanging passenger manifests or INTERPOL requests

Licensing and advisory opinions: The EO directs, and the ANPRM will contemplate, issuing general and specific licenses and advisory opinions, allowing companies and individuals to apply for an exception to the rules in order to engage in a particular data transaction. DOJ would make licensing decisions with the concurrence of the State, Commerce, and Homeland Security Departments.

Other government agency actions to protect personal data

Under the EO, one arm of the Justice Department, the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector (also known as Team Telecom), will consider the threats to Americans’ sensitive personal data in its reviews of submarine cable licenses.

The EO also directs the Departments of Defense, Health and Human Services, and Veterans Affairs, and the National Science Foundation, to consider using their existing grantmaking and contracting authorities to prohibit federal funding that supports, or otherwise to mitigate, the transfer of sensitive health data and human genomic data to countries of concern and covered persons.

The EO further encourages the Consumer Financial Protection Bureau to consider taking steps to address the role that data brokers play in contributing to national security risks, including by continuing to pursue the rulemaking proposal under the Fair Credit Reporting Act identified at the September 2023 Small Business Advisory Panel for Consumer Reporting Rulemaking.

Sensitive data executive order a step in the right direction

Privacy observers appear to embrace the administration’s action. “The administration is trying to get ahead of a practice that’s been going on for a while,” Aloke Chakravarty, co-chair of Snell & Wilmer’s cybersecurity, data protection, and privacy practice group, tells CSO. “They want to send a message that certain activities will be prohibited and that there are lines that foreign companies may not be able to cross.”

Notably, Biden’s EO does not bar the controversial and privacy-invasive practice of data brokers selling Americans’ sensitive data domestically. Even here, Chakravarty thinks the EO might give the DOJ greater latitude to go after these kinds of commercial transactions. “I think this provides some teeth if there is a factual basis to suggest that domestic data brokers are further selling their holdings to any of these sanctioned or prohibited countries, then I think it provides an enforcement mechanism…through tools in DOJ’s arsenal.”

Information Technology Industry Council (ITI) Senior Vice President of Policy and General Counsel John Miller said, “We appreciate that the Biden Administration aims to craft targeted rules to address a specific national security threat and has structured the rulemaking process in a way that ensures opportunities for necessary and robust stakeholder engagement.” He added: “The administration has also been clear that today’s action is no substitute for a federal privacy law, which is the strongest and most comprehensive way to protect Americans’ personal data.”

Brandon Pugh, the policy director of the R Street Institute’s cybersecurity and emerging threats team, said that the EO “is a step in the right direction” to protect Americans’ data from exploitation by countries of concern but that additional action will be needed. “The key to success will be getting the implementation and accompanying regulations right to ensure trade, innovation, ordinary business practices, and existing legal frameworks like data flow agreements are not unduly impacted,” he said, pointing to the security requirements to be established by CISA, how exemptions and exceptions are addressed, and the streamlining of the process for licenses and advisory opinions.

Contributing Writer

Cynthia Brumfield is a veteran communications and technology analyst who is currently focused on cybersecurity. She runs a cybersecurity news destination site, Metacurity.com, consults with companies through her firm DCT-Associates, and is the author of the book published by Wiley, Cybersecurity Risk Management: Mastering the Fundamentals Using the NIST Cybersecurity Framework.
