Biden Administration Announces New Sensitive Data Restrictions

At a Glance

• The Biden administration released an Executive Order that would restrict “countries of concern” from accessing Americans’ sensitive personal data.
• The Executive Order directs the secretary of Homeland Security and other agency heads to develop rules that would better protect Americans’ sensitive personal data.

Overview

On February 28, 2024, the Biden administration released an Executive Order that would restrict “countries of concern” from accessing Americans’ sensitive personal data, including “genomic data, biometric data, personal health data, geolocation data, financial data, and certain kinds of personally identifiable information.” The Executive Order is an attempt to prevent “large-scale transfers” of sensitive data to “countries of concern.” According to the Biden administration, as well as a report from the Office of the Director of National Intelligence, such transfers occur with alarming regularity and “can enable intrusive surveillance, scams, blackmail, and other violations of privacy.” It remains to be seen exactly how the president’s Executive Order will be implemented and enforced. Many of the key terms in the EO, including “bulk” and “countries of concern,” are undefined and will require action by various executive branch departments to become effective.

The EO, which relies on authority under the International Emergency Economic Powers Act (IEEPA), directs the Departments of Justice (DOJ), Homeland Security (DHS) and other federal agencies to issue regulations in order to better protect American sensitive data. Specifically, the EO directs the Attorney General and Secretary of DHS to issue regulations that would prohibit United States persons from entering transactions with foreign nationals that involve bulk sensitive personal data and pose an “unacceptable risk to national security.” The EO also directs the secretary of DHS to issue data security requirements, based on NIST’s recently updated Cybersecurity Framework and Privacy Framework, that would adequately mitigate the risk of access to American sensitive data. The EO also directs agency heads to consider whether rulemaking in particular areas or industries could help protect American sensitive data, including in network infrastructure, the health care industry and the data broker industry.

Concurrent with the release of the EO, the National Security Division of the DOJ announced that it will issue an Advanced Notice of Proposed Rulemaking describing the initial categories of transactions involving bulk sensitive personal data or certain U.S. Government-related data as outlined in the EO and seeking public comment on items the Department of Justice contemplates regulating, including prohibitions on data brokerage and transfers of genomic data, and restrictions on vendor, employment and investment agreements. Due to the time-consuming rulemaking process that DOJ and other agencies must follow, it is doubtful that any sensitive data restrictions will come into effect in the next few months.

Implications for Health Data Sharing

The EO identifies risks associated with “countries of concern” having access to Americans’ health data. Even when health information has been de-identified or pseudonymized, the EO posits that bad actors can rely on publicly available technological tools and datasets to attempt to re-identify the data. The EO directs the secretaries of Defense and Health and Human Services, along with other agency heads, to “consider taking steps, including issuing regulations, guidance or orders” to prohibit or mitigate the provision of assistance that could enable countries of concern to access “United States persons’ bulk sensitive personal data, including personal health data and human genomic data.”

The concern that foreign governments may be able to access American health data is not a new one. Indeed, the Biden administration first announced its plan to restrict access to Americans’ sensitive data in 2021. Since that time, some states, including Florida and Montana, have enacted restrictions on where certain types of health data and genetic data, respectively, can be stored. One key difference between the president’s order and these state laws, however, is that the former expressly prohibits any rulemaking that would introduce data localization requirements or require that computing facilities be located within the United States. Instead, the EO reinforces America’s continued support for the “open, global, interoperable, reliable, and secure flows of data across borders.”

Next Steps

Considering that the order is based on emergency powers, it is not surprising that President Biden has tasked national security agencies with writing these rules. However, neither agency is currently tasked with screening international commercial data transfers, which is typically the purview of the Department of Commerce and the Committee on Foreign Investment in the United States (CFIUS). Businesses will want to monitor how the Attorney General will define the term “bulk” sensitive personal data, what mechanisms will be deployed to track such transfers, how onward transfers from third countries to “countries of concern” will be impacted, and how the administration will interpretate the term “sensitive personal data,” such as whether derived data will be in scope for the rule. Additionally, businesses would be wise to review the extent to which “data brokerages, third-party vendor agreements, employment agreements, investment agreements, or other such arrangements” may allow countries of concern to access American sensitive data.