On February 28, 2024, President Joe Biden signed an executive order to protect America's bulk sensitive personal data. This executive order provides an overview of upcoming regulations to limit foreign countries' access to the bulk sensitive personal data of United States persons and the United States Government when such access poses an unacceptable security risk. These regulations aim to balance the unacceptable risks associated with bulk data flow and the need to support secure data flow across borders for legitimate economic, scientific, and trade purposes.

The order defines sensitive personal data as covered personal identifiers, geolocation and related sensor data, biometric identifiers, human 'omic data, personal health data, personal financial data, or any combination thereof, as further defined in regulations issued by the Attorney General pursuant to Section 2 of the order, and that could be exploited by a country of concern to harm United States national security if that data is linked or linkable to any identifiable United States individual or to a discrete and identifiable group of United States individuals. It requires the Attorney General, in coordination with the Secretary of Homeland Security and in consultation with the heads of relevant agencies, to create regulations that outline the class of prohibited bulk personal data transactions, exceptions to these prohibitions, identities of new or existing countries of concern, and, if appropriate, classes of covered persons. The regulations shall govern any transaction that:

  • involves bulk sensitive personal data or United States Government-related data, as further defined by regulations issued by the Attorney General pursuant to this section;
  • is a member of a class of transactions that has been determined by the Attorney General, in regulations issued by the Attorney General pursuant to this section, to pose an unacceptable risk to the national security of the United States because the transactions may enable countries of concern or covered persons to access bulk sensitive personal data or United States Government-related data in a manner that contributes to the national emergency described in this order;
  • was initiated, is pending, or will be completed after the effective date of the regulations issued by the Attorney General pursuant to this section;
  • does not qualify for an exemption provided in, or is not authorized by a license issued pursuant to, the regulations issued by the Attorney General pursuant to this section; and
  • is not, as defined by regulations issued by the Attorney General pursuant to this section, ordinarily incident to and part of the provision of financial services, including banking, capital markets, and financial insurance services, or required for compliance with any Federal statutory or regulatory requirements, including any regulations, guidance, or orders implementing those requirements.

The regulations must also establish a process to issue, modify, or rescind licenses for transactions that would otherwise be impermissible, establish mechanisms to provide clarity to impacted parties, coordinate with the Committee on Foreign Investment in the United States and other stakeholders, and develop a process for record keeping, as appropriate.

The order also requires the Attorney General to, within 120 days of the effective date of the regulations, recommend appropriate actions to mitigate national security risks with respect to prior transactions of a United States person's bulk sensitive personal data to the countries of concern. The Secretary of Homeland Security, acting through the Director of Cybersecurity and Infrastructure Security, will draft regulations and seek public comments on security requirements designed to address the unacceptable risks posed by the transactions that the Attorney General identifies. Additionally, Section 5 of the order requires a report to the president within one year of the effective date of the regulation. This report will include an update on the effectiveness and economic impact of the regulations. This report to the president will provide another opportunity for the public to comment on the impact of the regulation. Additionally, the Departments of Health and Human Services, Defense, and Veterans Affairs must ensure that Federal grants, contracts, and awards are not used to facilitate access to Americans' sensitive health data by countries of concern, including via companies located in the United States. The Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector (often called "Team Telecom") must also consider the threats to Americans' sensitive personal data in its reviews of submarine cable licenses.

While the threshold amount of data that constitutes "bulk" data will be set by the regulations, companies involved in collecting, selling, and transmitting large amounts of sensitive personal data should begin to understand where and how their data is controlled and shared. Specifically, companies involved in the transmission of bulk sensitive personal data to countries or businesses closely aligned with countries of concern with a track record of misusing data to infringe upon privacy and human rights will need to ensure that the data is used in a way that is not detrimental to United States national security.
