White House Announces Data Security Initiative

Limited to "countries of concern"


President Biden issued an Executive Order intending to prevent the large scale transfer of Americans’ personal data to “countries of concern,” including Russia and China. 

The Executive Order targets personal and sensitive information, including genomic data, biometric data, personal health data, geolocation data, financial data, and certain kinds of personally identifiable information. 

"It's about time," says Emily Kilcrease at Washington think tank CNAS. "While the EO gives a polite nod to the importance of open data flows, there remains a yawning void in the U.S. digital trade space, left by the recent U.S. retreat from its traditional digital trade positions.

"While the data security EO is urgently needed, the United States must pursue a balanced strategy for the digital economy, one that includes robust security protections and positions the United States for a leadership role in setting the rules for an open digital future," asserts Kilcrease.

Peter Swire and Samm Sacks at Lawfare concur with Kilcrease: "Accurate assessment of the new order, however, requires an understanding of this order as part of a much bigger departure from the traditional U.S. support for free and open flows of data across borders.

"Recently, in part for national security reasons, the U.S. has withdrawn its traditional support in the World Trade Organization (WTO) for free and open data flows, and the Department of Commerce has announced a proposed rule, in the name of national security, that would regulate U.S.-based cloud providers when selling to foreign countries, including for purposes of training artificial intelligence (AI) models.

"We are concerned that these initiatives may not sufficiently account for the national security advantages of the long-standing U.S. position and may have negative effects on the U.S. economy."

Justice to Issue Rules

The Executive Order directs the Department of Justice, in consultation with other agencies, to issue regulations that prohibit or otherwise restrict U.S. persons from engaging in certain categories of transactions that involve U.S. Government-related data or bulk sensitive personal data.

Concurrent with the issuance of the Executive Order, the Justice Department’s National Security Division published an Advance Notice of Proposed Rulemaking (ANPRM) in the Federal Register to provide transparency and clarity about the intended scope of the program, and to solicit comments on its development and implementation.

An unofficial version of the ANPRM is available at the link below; this is the text of the ANPRM as signed by the Assistant Attorney General for National Security. The official version of the ANPRM will be published in the Federal Register. 

Summary

The E.O. directs the Justice Department to issue regulations addressing transactions that involve U.S. persons’ bulk sensitive personal data or U.S. Government-related data, that pose an unacceptable risk of access by countries of concern or covered persons subject to their jurisdiction, and that meet other criteria.

In tandem with the issuance of the E.O., the Department will issue an Advance Notice of Proposed Rulemaking (ANPRM) to provide additional details on the proposed rules and to provide notice and solicit comment from the public.

Scope

Six countries of concern: China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela.

Covered persons: The program will regulate U.S. persons’ data transactions with “covered persons” which will be defined categorically to include certain classes of entities and individuals subject to the jurisdiction, direction, ownership, or control of countries of concern because, as a legal and practical matter, providing data to these persons will place that data within the reach of the countries of concern.

Sensitive personal data: The E.O. will define “sensitive personal data” to mean “covered personal identifiers, geolocation and related sensor data, biometric identifiers, human ’omic data, personal health data, personal financial data, or any combination thereof.”

Complement to CFIUS / Team Telecom

Existing national-security authorities, like the Committee on Foreign Investment in the United States (CFIUS) and Team Telecom, allow Justice to review and address these data-security risks on a case-by-case basis for discrete kinds of activities.

However, no existing laws comprehensively and prospectively address the national security risks posed by access by countries of concern or covered persons subject to their jurisdiction or control to sensitive personal data through commercial transactions. This targeted new program will be designed to address this gap in our national security authorities.

Other Departments Involved

In addition to directing the establishment of this targeted new program, the E.O. will take three additional steps to enhance existing authorities to address data-security risks:

For U.S. telecommunications infrastructure, the E.O. will direct the Committee for the Assessment of Foreign Participation in the U.S. Telecommunications Services Sector (Team Telecom), which is chaired by the Attorney General, to prioritize reviewing existing licenses for submarine cable systems owned or operated by country-of-concern entities or landing in a country of concern; to publicly issue policy guidance regarding reviews of license applications, including the assessment of third-party data-security risks; and to take further steps to address data-security risks on an ongoing basis.

For the U.S. health care market, the E.O. will direct the Departments of Defense, Health and Human Services, and Veterans Affairs, and the National Science Foundation, to consider taking steps to use their existing grantmaking and contracting authorities to prohibit federal funding that supports, or to otherwise mitigate, the transfer of sensitive health data and human genomic data to countries of concern and covered persons.

For consumer protection, the E.O. will encourage the Consumer Financial Protection Bureau to consider taking steps to address the role that data brokers play in contributing to these national-security risks.

Process

The E.O. and the ANPRM will not impose any immediate new legal obligations. Instead, the issuance of the E.O. and ANPRM will initiate two rounds of formal opportunities for the public to provide feedback on the contemplated program before any final rule is issued.

Privacy

The E.O. and ANPRM categorically exclude the regulation of transactions to the extent they involve personal communications under 50 U.S.C. § 1702(b)(1). Both the E.O. and ANPRM will categorically exclude the regulation of transactions to the extent they involve expressive information under 50 U.S.C. § 1702(b)(3), such as videos, artwork, and publications.

Existing Programs

CFIUS and Team Telecom review only discrete kinds of transactions, and only on a transaction-by-transaction basis.

The Department of Commerce’s ICTS program regulates transactions and classes of transactions involving foreign-adversary-produced information and communications technologies and services used in the United States. By contrast, this data-security program will regulate transactions involving Americans’ sensitive personal data that may be transferred to countries of concern.

Export controls are used to address the transfer of sensitive U.S. products and technologies and prevent countries of concern from acquiring and using them for malign purposes. But they do not address the flow of sensitive personal data itself or the counterintelligence and related risks posed by such data.

More information is available here:
