Background
On February 28, the White House announced an executive order aimed at preventing "countries of concern" from accessing and exploiting US individuals' bulk sensitive personal data and US government-related data due to perceived national security risks. The executive order particularly emphasizes potential risks associated with the use of sensitive data to develop AI capabilities and algorithms.
Key points of the executive order include:
- Directing the Department of Justice to implement new regulations to restrict "countries of concern" from accessing and exploiting US individuals' sensitive personal data.
- Directing the Department of Justice to implement new regulations to protect sensitive government-related data.
- Mandating the Departments of Justice and Homeland Security to set security standards to prevent "countries of concern" from accessing US individuals' data through other commercial means, including via investment, vendor, and employment relationships.
- Requiring the Departments of Health and Human Services, Defense, and Veterans Affairs to ensure that Federal grants, contracts, and awards are not used to allow "countries of concern" to access US individuals' sensitive health data, including any access by these countries via companies located in the US.
- Instructing Team Telecom (Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector) to take into account the threats to sensitive personal data in its reviews of submarine cable licenses.
Following up on our newsletter from last week, let's discuss this executive order.
The Order
The order aims to mitigate the risk of "countries of concern" accessing US individuals' bulk sensitive personal data through various channels, including data brokerages, third-party vendor agreements, and employment contracts. This prohibition applies to entities and individuals subject to the jurisdiction of these countries. The underlying concern stems from the possibility that these nations may enforce laws related to cyber, national security, or intelligence, mandating entities and individuals within their jurisdiction to provide access to US individuals' bulk sensitive personal data and US government-related data to their respective intelligence services.
Specific departments and officials are directed to implement protective measures as outlined in the previous section. For the sake of brevity and relevance to our audience, we will highlight a few key points that we believe are of particular interest to corporate readers.
Accessing Sensitive Personal Data
The executive order directs the issuance of regulations aimed at preventing "countries of concern" from accessing US individuals' bulk sensitive personal data and mandates mitigation measures to impede such access. Notably, this prohibition extends to data that has been anonymized, pseudonymized, or de-identified. The rationale is that advances in technology, combined with the vast datasets already available to those "countries of concern", could allow such data to be re-identified or de-anonymized by linking it with other records.
Sensitive personal data, as defined in the order, include geolocation and sensor data, biometric identifiers, human 'omic data, personal health data, personal financial data, and personal identifiers — data that can reasonably be linked to an individual and used for identification purposes. Of particular concern within this scope are personal health data and human genomic data, which the order singles out for heightened attention.
Prohibited and Restricted Transactions
The order mandates regulations preventing US persons from engaging in transactions involving bulk sensitive personal data or US government-related data with foreign countries or nationals if these transactions facilitate access to the data by "countries of concern." Covered activities include acquisition, holding, use, transfer, transportation, exportation, or dealing in such data. Exceptions to this requirement include transactions integral to financial services provision or compliance with federal regulations.
This requirement aims to curb access to US consumers' data by companies under the jurisdiction of "countries of concern," impacting commercial dealings such as investments, data brokerage services, and agreements. While primarily affecting US parties, it also presents challenges for non-US companies in obtaining and utilizing US individuals' personal data, as well as in broader commercial engagements with US entities.
Data brokerage
The executive order then addresses concerns regarding "countries of concern" accessing US data through data brokers. Recognizing the heightened risk posed by the data brokerage industry, given its routine involvement in collecting, assembling, evaluating, and disseminating bulk sensitive personal data and a subset of US government-related data, the order calls upon the Director of the Consumer Financial Protection Bureau (CFPB) to identify measures to mitigate associated risks.
Similar to transaction restrictions and prohibitions, this mandate is expected to influence how entities can procure, access, and utilize data in the future. However, the full extent of these impacts will only become evident upon the release of further policies.
FAQ
Q: Which countries are considered "countries of concern"?
A: The executive order does not explicitly list the "countries of concern". However, following the White House's release of the Fact Sheet, various news reports suggest that "countries of concern" may include China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela. It's important to note that this information is not official and should be taken with a grain of salt.
Q: What types of data does the executive order cover?
A: The executive order covers various categories of data, including sensitive personal data, government-related data, and data concerning military personnel. Sensitive personal data includes geolocation and sensor data, biometric identifiers, human 'omic data, personal health data, personal financial data, and personal identifiers—information that can reasonably be linked to an individual and utilized for identification purposes. Moreover, the order applies to data acquired through diverse channels, encompassing data of US consumers and employees, as well as data obtained through other agreements, such as those facilitated by data brokerage services.
Note: human 'omic data is data generated from humans that characterizes or quantifies human biological molecule(s), such as human genomic data, epigenomic data, proteomic data, transcriptomic data, microbiomic data, or metabolomic data.
Q: Does this executive order apply to my company if we only have access to a small amount of US consumers' data?
A: The executive order focuses on regulating access to bulk sensitive personal data or US government-related data of US individuals. Its practical application hinges on the definition of "bulk," which will be clarified in the regulations issued by the Attorney General in accordance with the order. As of now, the threshold for what qualifies as "bulk" remains unspecified. To err on the side of caution, it is advisable for companies to take precautions if they access any sensitive personal data in the US.
Q: Does this order mean that my company is now required to store US individuals' data in the US?
A: No, the order does not impose a general requirement that data be stored exclusively in the US. However, given the directive to avoid transferring and storing US consumers' data in "countries of concern," companies may find it necessary to relocate the facilities that process such data.
Q: Is my company affected if we access the data stored in the US via our internal network without actually transferring the data back to China?
A: Yes, your company is still subject to the provisions of the order. While much attention in news reports has been placed on the transfer and trade of sensitive personal data, it's important to note that the executive order prohibits the "access" of bulk sensitive personal data. The term "access" encompasses actions such as obtaining, reading, copying, decrypting, editing, diverting, releasing, affecting, altering the state of, or otherwise viewing or receiving data via any platform or network. Thus, accessing data stored in the US, even through internal networks and without copying it abroad, falls within the scope of the order's restrictions.
Q: Is my company affected if all US consumers' data are accessed and processed by employees in a third country?
A: The impact on your company hinges on the relationship between those employees and the entity in the third country, particularly if that entity is connected to a "country of concern." The order prohibits "countries of concern" and "covered persons" from accessing bulk sensitive data. Covered persons include foreign individuals who are employees or contractors of an entity owned by, controlled by, or subject to the jurisdiction or direction of a country of concern. Strictly interpreted, any employee directly employed by an entity located in a "country of concern" could be considered a covered person and thus prohibited from accessing US sensitive personal data.
What's Next?
Historically, multinational corporations' concerns about cross-border data transfers have largely revolved around complying with regulations such as the GDPR when transferring data out of the EU. Conversely, the US has lacked a general federal law restricting cross-border data transfers. Nonetheless, the issuance of this order shouldn't be surprising, given the ongoing discourse surrounding data security and the US government's vigilance on citizens' data privacy in recent years.
This executive order marks the beginning of a new era of regulations governing how and by whom US individuals' personal data may be accessed and processed. In light of this development, companies operating within the US or serving US-based consumers are strongly urged to conduct a comprehensive review of their data processing practices. This proactive approach will ensure alignment with emerging regulatory frameworks and help mitigate potential compliance risks.