On February 28, 2024, the White House issued an Executive Order on Preventing Access to Americans’ Bulk Sensitive Data and United States Government-Related Data by Countries of Concern.  The 17-page Executive Order pointed out that “countries of concern” could use bulk sensitive data in a variety of ways that could adversely affect U.S. national security, including:  “Countries of concern can rely on advanced technologies, including artificial intelligence (AI), to analyze and manipulate bulk sensitive personal data to engage in espionage, influence, kinetic, or cyber operations or to identify other potential strategic advantages over the United States” (at 1).   The Executive Order does not impose any immediate legal obligations on any company.

The Executive Order pointed out that countries of concern can obtain access to this data in several ways, including “through data brokerages, third-party vendor agreements, employment agreements, investment agreements, or other such arrangements” (at 3-4).  Furthermore, the Executive Order found that the concern was not only for countries of concern but also “[e]ntities owned by, and entities or individuals controlled by or subject to the jurisdiction or direction of, a country of concern” (at 3 (emphasis supplied)).  The Executive Order was careful to note that it does not “broadly prohibit United States persons from conducting commercial transactions, including exchanging financial and other data as part of the sale of commercial goods and services, with entities and individuals located in or subject to the control, direction, or jurisdiction of countries of concern” (at 4).

The Executive Order provided in Section 2 that the Attorney General, in consultation with the Department of Homeland Security, will issue regulations on the topic of prohibited and regulated transactions (at 4).  The affected transactions include any relevant transaction that “was initiated, is pending, or will be completed after the effective date of the regulations” (at 5), and the regulatory prohibitions shall take precedence over “any contract entered into or any license or permit granted prior to the effective date of the applicable regulations” (at 9).  Note that the Executive Order specifically prohibited the regulations from including any generalized data localization requirements (at 8).

Section 3 of the Executive Order focused on protecting sensitive personal data, including data traveling in submarine cables, where the cable is “owned or operated by persons owned by, controlled by or subject to the jurisdiction or direction of a country of concern, or that connects to the United States and terminates in the jurisdiction of a country of concern” (at 9).  [Privacy lawyers may find this concern ironic in light of the EU’s concerns about mass surveillance of personal data traveling in submarine cables, as described in Schrems.]  This section also pointed out that, with respect to healthcare data:  “Even if such data is anonymized, pseudonymized, or de-identified, advances in technology, combined with access by countries of concern to large data sets, increasingly enable countries of concern that access this data to re-identify or de-anonymize data, which may reveal the exploitable health information of United States persons” (at 10-11).  The Department of Health and Human Services will be one of the agencies contributing to the regulations under this section.  This section of the Executive Order also addresses the data brokerage industry, which can “enable access to bulk sensitive personal data and United States Government-related data by countries of concern and covered persons” (at 11).  The Consumer Financial Protection Bureau is “encouraged” to consider taking steps to address this risk (at 11-12).

The Executive Order also contains some important definitions:

“Access” is broadly defined as “logical or physical access, including the ability to obtain, read, copy, decrypt, edit, divert, release, affect, alter the state of or otherwise view or receive, in any form, including through information technology systems, cloud computing platforms, networks, security systems, equipment, or software.”

“Covered person” is defined as “an entity owned by, controlled by, or subject to the jurisdiction or direction of a country of concern; a foreign person who is an employee or contractor of such an entity; a foreign person who is an employee or contractor of a country of concern; a foreign person who is primarily resident in the territorial jurisdiction of a country of concern; or any person designated by the Attorney General . . .”

“Covered personal identifiers.”  The Executive Order left the definition up to the Attorney General’s regulations but provided general guidance:  “specifically listed classes of personally identifiable data that are reasonably linked to an individual, and that—whether in combination with each other, with other sensitive personal data, or with other data that is disclosed by a transacting party pursuant to the transaction and that makes the personally identifiable data exploitable by a country of concern—could be used to identify an individual from a data set or link data across multiple data sets to an individual.”  The Executive Order, however, did specifically exclude the following from the definition:

(i) demographic or contact data that is linked only to another piece of demographic or contact data (such as first and last name, birth date, birthplace, zip code, residential street or postal address, phone number, and email address and similar public account identifiers); or

(ii) a network-based identifier, account-authentication data, or call-detail data that is linked only to another network-based identifier, account-authentication data, or call-detail data for the provision of telecommunications, networking or similar services.

“Human ‘omic data.”  The Executive Order added this new term, which it defined as “data generated from humans that characterizes or quantifies human biological molecule(s), such as human genomic data, epigenomic data, proteomic data, transcriptomic data, microbiomic data, or metabolomic data, as further defined” by the Attorney General regulations.

“Sensitive personal data.”  Similar to “covered personal identifiers,” the Executive Order provided a general description but left the definition up to the Attorney General’s regulations:  “covered personal identifiers, geolocation and related sensor data, biometric identifiers, human ‘omic data, personal health data, personal financial data, or any combination thereof, as further defined” in the Attorney General regulations.  The Executive Order contains specific exceptions for information that is part of a public record or made available to the general public, as well as information subject to certain provisions of the International Emergency Economic Powers Act of 1977 (IEEPA).

Finally, the Executive Order, in Section 8(e), makes it clear that there is no private right of action.

See Part 2 for a description of the Attorney General’s proposed regulations.