Quick Hits
- The EO directs the U.S. Department of Justice (DOJ), in conjunction with the U.S. Department of Homeland Security, to set standards addressing access to Americans’ sensitive personal data by hostile nations and their affiliates through commonly utilized channels like employment, investment, vendor, and other commercial relationships.
- The EO also seeks to stem the bulk sale of sensitive personal data by commercial data brokers and other commercial entities to hostile nations and the entities and individuals associated with them.
- The term “sensitive personal data” will include things like geolocation data, biometric identifiers, human genomic data, personal health data, and personal financial data, as well as other soon-to-be-determined data elements. The term is not currently expected to include other information like employment history, educational history, or organizational memberships.
Touted by the White House as “the most significant executive action any President has ever taken to protect Americans’ data security,” the EO aims to kick-start the development of standards that address access by hostile nations to Americans’ sensitive personal data through certain transactions, including those arising out of employment, investment, and vendor relationships. The EO also takes aim at commercial data brokers engaged in the practice of selling bulk sensitive personal data to countries of concern, as well as the entities and individuals associated with them.
The EO seems to acknowledge that executive action cannot take the place of comprehensive, bipartisan privacy legislation, even going so far as to explicitly call upon the U.S. Congress to pass such a law. However, considering the current political climate and lack of movement on federal privacy legislation, the EO may well represent a watershed moment in American privacy law, as it represents one of the earliest steps taken at the federal level to protect Americans from the transfer of their personal data outside the United States.
Among other things, the Executive Order on Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern directs the DOJ, in consultation with other federal agencies, to promulgate regulations that address the EO’s aims. The DOJ has already provided a number of salient details about how it intends to handle implementation.
Detailed Background
Which countries are ‘countries of concern,’ and who are ‘covered persons’?
First, it is important to emphasize that the EO seeks only to address sales and transfers to certain hostile nations (“countries of concern”) and the entities and individuals associated with them (“covered persons”). While the list of countries of concern is short and predictable (countries of concern identified at this time include China—including Chinese-controlled territory, such as Hong Kong and Macau—Cuba, Iran, North Korea, Russia, and Venezuela), the Biden administration’s approach to defining covered persons is more involved.
The term “covered persons,” describes certain categories of entities and individuals, including:
- entities that are “owned by, controlled by, or subject to the jurisdiction or direction of a country of concern”;
- foreign persons employed by or acting as a contractor of an above-described entity;
- foreign persons employed by or acting as a contractor of a country of concern; and
- foreign persons who primarily reside within the territorial jurisdiction of a country of concern.
Broad exclusions are anticipated, including for entities organized solely under U.S. law or jurisdiction and “any person located in the United States,” as well as all U.S. citizens, nationals, lawful permanent residents, and individuals who have been admitted to the United States as a refugee or granted asylum in the United States.
Entities that do fall within the enumerated categories, however, will be considered “subject to the jurisdiction, direction, ownership, or control of countries of concern” because the cyber, national security, or intelligence laws of countries of concern may obligate these entities to provide their national intelligence services access to the sensitive personal data. While at first glance this rationale seems to echo some of the concerns raised in Schrems II with respect to transfers of European personal data to the United States, the DOJ’s proposed regulations may be less impactful than Schrems II due to anticipated exceptions not present in the European Union’s General Data Protection Regulation (GDPR) that would de-scope many standard business-related data transfers.
Many standard transfers associated with legitimate international business operations will likely be exempted.
The DOJ’s program will, subject to exceptions for U.S. Government–related data, generally regulate just those transactions that exceed a certain threshold number (i.e., that occur in bulk). The program contemplates two types of data transactions that will be subject to regulation. The first transaction type, called a “prohibited transaction,” is expected to encompass “data-brokerage transactions” and “genomic-data transactions involving the transfer of bulk human genomic data or biospecimens from which such data can be derived” when they involve either countries of concern or covered persons.
A number of ostensibly more routine transactions involving countries of concern or covered persons—including vendor agreements that involve the provision of goods and services and employment agreements—will constitute a second type of regulated transaction, to be called “restricted data transactions.” The regulatory program, as set forth in the ANPRM, however, “is not intended to impede all U.S. persons’ data transactions with countries of concern or persons subject to their jurisdiction.” As such, a number of broad exemptions are contemplated for many ordinary, lawful data transfers that are “incident to and part of financial services, payment processing, and regulatory compliance,” as well as human resources and payroll processes that are part of ancillary business operations between U.S. companies and their subsidiaries and affiliates in countries of concern.
A licensure program may provide a safe harbor.
Those entities that anticipate this EO and subsequent rulemaking will meaningfully affect their activities will also want to be aware that the DOJ is contemplating the establishment of formal processes by which a company or person would apply for a “license” to engage in data transactions that would otherwise be subject to regulation. The DOJ also expects affected companies and individuals would be able to request advisory opinions regarding the application of the new regulations to their specific data transactions.
Practical Implications
The aforementioned exemptions will likely insulate many companies engaged in ordinary business activities like sharing employees’ Social Security numbers or full financial account numbers for human resources purposes, completing payroll transactions (such as transactions involving the payment of salaries to overseas employees or contractors), sharing data with auditors and law firms for regulatory compliance, and sharing data for “risk-management purposes” from being significantly affected by the regulations as currently proposed. Companies that engage in the bulk sale of sensitive personal data and companies that transfer substantial amounts of sensitive personal data but do not have a good handle on where that data is processed, however, may want to evaluate their privacy programs to ensure they know exactly what personal data they have, where it is going, and for what purpose. They can then make adjustments where necessary to ensure compliance with the final rule.
Ogletree Deakins’ Cybersecurity and Privacy Practice Group will continue to monitor developments and will provide updates on the Cybersecurity and Privacy blog.
Follow and Subscribe