The Executive Action on Sensitive Bulk and Government-Related Data Sales to Adversary Nations

Introduction

On February 28, 2024, the Biden administration issued an executive order (EO) alongside an unofficial signed Department of Justice (DOJ) advance notice of proposed rulemaking (ANPRM) outlining rules to implement that order. These actions represent a sea change in the U.S. approach to data policy by creating, for the first time, an authority to review, restrict, and potentially prohibit transfers of Americans’ data to specific destinations. According to the White House fact sheet, the action “marks the most significant executive action any President has ever taken to protect Americans’ data security.”

Content of the Executive Action

The proposed rules regulate data transactions between U.S. persons and “covered persons” involving certain countries of concern, identified as China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela. They apply new controls to two kinds of government-related data (geolocation data in certain areas and personal data linkable to military, intelligence, and other kinds of government personnel) and six categories of bulk sensitive personal data:

  1. U.S. persons’ covered personal identifiers
  2. Personal financial data
  3. Personal health data
  4. Precise geolocation data
  5. Biometric identifiers
  6. Human genomic data

For each of the six categories of sensitive personal data, the program will establish certain volume thresholds. The aim is to create new guardrails for transfers of “bulk” data deemed to present enhanced national security risks at greater volumes.

Some classes of transactions will be prohibited entirely, while others will be prohibited unless they comply with additional security requirements. The rules identify two classes of transactions between U.S. persons and countries of concern that would be prohibited outright. Three classes of data transactions—employment, investor, and third-party vendor agreements—would instead be subject to certain restrictions, such as additional security requirements under development by the Department of Homeland Security. Those additional security requirements could include, for example, security and physical access controls and privacy-enhancing technology. The ANPRM also proposes exemptions for companies already subject to regulations (such as financial firms); certain kinds of data (such as personal communications, which are exempt under the International Emergency Economic Powers Act, or IEEPA); and ancillary business operations within multinational companies, federally funded research, and transactions required or authorized by federal law or international agreements.

Risks This Action Seeks to Address

Over the past several years, U.S. policymakers have expressed concerns about national security risks arising from Beijing and other countries’ access to the data of U.S. persons through open commercial channels. Beyond cyber theft and industrial espionage, U.S. policymakers are seeking to address additional risks they perceive to be emanating from Americans’ data flowing to countries of concern in bulk via data brokers or other forms of transactions. According to Director of National Intelligence Avril Haines (as cited in support of Senator Ron Wyden’s proposed bill requiring licenses to export certain personal data to China and other countries), “There’s a concern about foreign adversaries getting commercially-acquired information as well, and [I] am absolutely committed to trying to do everything we can to reduce that possibility.” A November 2023 report by Duke University found that sensitive, non-public information about U.S. military personnel was available for purchase through data brokers for as little as $0.12 per individual. This data includes financial information, religious affiliation, and health data.

Administration officials have emphasized that the new rules aim to protect against national security risks posed by nation-states rather than individual privacy harms. The objective is not to use this rule as a substitute for comprehensive privacy law, for which President Joe Biden has advocated. In fact, the White House fact sheet states, “President Biden continues to urge Congress to do its part and pass comprehensive bipartisan privacy legislation, especially to protect the safety of our children.” Republicans and Democrats have argued that a federal privacy law would protect against both transnational threats by nation-states and privacy harms regardless of country of origin, but progress appears to have stalled. Recognizing the political obstacles to privacy law, the administration has indicated its hope that limits on large-scale transfers of data to countries of concern would close off vectors for nation-state data access in the absence of U.S. privacy law.

Despite this not being a privacy action, the rules partly mirror Article 9 of the European Union’s General Data Protection Regulation (GDPR) in applying controls to special categories of data. For example, both Article 9 and the EO identify genetic and biometric data as requiring additional safeguards, although GDPR as a privacy instrument lists categories not subject to the EO such as religious and political beliefs.

How the Rules Will Be Implemented

Although these new rules represent a novel national security instrument, this executive action most closely parallels the executive action on outbound investment. Unlike the Department of the Treasury’s Specially Designated Nationals and Blocked Persons List, this new instrument will not name specific entities and will instead follow the countries-of-concern approach as proposed under the outbound investment regime. In other words, the new data security rules will not center around a case-by-case list.

The DOJ will issue the proposed rule and lead interagency coordination. This marks the first time the DOJ has been given regulatory authority over private sector transactions concerning personally identifiable information. The DOJ is one of the agencies that implements the EU-U.S. Data Privacy Framework and its predecessor, the Privacy Shield, which permits the export of EU data to the United States for commercial purposes, under a finding by the European Union of adequate protections for personal data transferred to the United States. Along with its Team Telecom remit, the DOJ has also participated in reviewing data transactions with national security concerns as part of the Committee on Foreign Investment in the United States (CFIUS).

The Rules’ Statutory Authority

The EO follows a series of national security actions focused on China (e.g., outbound investment restrictions, prohibitions on securities investments in Chinese military firms, securing the information and communications technology supply chain, and evaluating connected software application risk) that derive authority from the IEEPA, which provides the president broad powers to control economic transactions following the declaration of a national emergency.

A long-standing legal and political impediment to basing data controls on the IEEPA is the Berman Amendment. When the IEEPA was signed into law, it granted the president authority to impose wide-ranging sanctions, at the time targeting Iran. Although sanctions carried out under the IEEPA have largely been geographically focused, the act has in recent years been used to target non-geographically focused entities, such as terrorist cells or cyberwarfare enterprises.

When the IEEPA was initially passed, it allowed U.S. persons to exchange “informational materials” with foreigners otherwise subject to sanctions. These informational materials included postal, telegraphic, telephonic, or other personal communication not involving the transfer of anything of value. In 1988, the Berman Amendment to the IEEPA sought to protect information transfers in a bid to allow the dissemination of pro-democracy information abroad. The act was again amended in 1994 to update the definition of informational materials, and today it protects the exchange of “information or informational materials, including but not limited to, publications, films, posters, phonograph records, photographs, microfilms, microfiche, tapes, compact disks, CD ROMs, artworks, and news wire feeds,” granted that these exchanges are not otherwise controlled for purposes of national security related to the proliferation of weapons or terrorism.

Whether curbs on data transfers conflict with the First Amendment or Berman Amendment depends on whether the speech is expressive. For example, burning a draft card is expressive conduct—the burning was not intended simply to turn a card into ashes; it was to express disdain for the draft. In other words, if the conduct is materially expressive, the conduct is protected. Where the conduct is not primarily or even significantly expressive, it would likely not be covered by the First Amendment. The Biden administration maintains that the proposed rule would not contravene the First Amendment or Berman Amendment because the bulk of data transfers are not expressive.

The Impact of the Rules on the Physical Infrastructure through Which Data Flows

According to the EO, the network infrastructure through which data flows presents certain access risks. It identifies risk associated with data that transits through submarine cables “owned or operated by persons owned by, controlled by, or subject to the jurisdiction or direction of a country of concern, or that connects to the United States and terminates in the jurisdiction of a country of concern.” It then states that the same risk of access by a country of concern “is further exacerbated in instances where a submarine cable is designed, built, and operated for the express purpose of transferring data, including bulk sensitive personal data or United States Government-related data, to a specific data center located in a foreign jurisdiction.” Here, the use of the term “foreign jurisdiction,” rather than just specific countries of concern, raises questions regarding how far the Department of Justice may extend its purview. As the details of the scope are further refined, the EO makes clear that officials view the data security of subsea cables and overseas data centers as a focal point.

Administration officials have stressed that the goal is not to fragment the internet, and the EO states that the “United States continues to support open, global, interoperable, reliable, and secure flows of data across borders.” It will be important for the final rules to be clear about what does and does not fall within their scope regarding cables, to ensure that the rules do not undermine these stated objectives.

Likely Implementation and Enforcement Challenges

One concern relates to the enforceability of the rules through third countries. For example, it remains unclear how the rules would handle a data transfer from a U.S. entity to a party in a non-covered third country, such as Myanmar, which could then facilitate a transfer to an entity in a country of concern. The EO classifies transactions based on their inherent characteristics and the probable risk of access by countries of concern or covered persons applying to any “foreign country or national” meeting these criteria. This potentially opens the door to the inclusion of third countries, emphasizing the need for clarity regarding the practical implications of the regulations in such scenarios.

While administration officials have stressed that the new rules are not a form of data localization (i.e., a mandate that Americans’ data be stored on U.S. servers and restricted from overseas transfers), the rules would need to clearly delineate which data can be exported at all, particularly if third-country transfers remain a major concern.

The response from U.S. allies and partners is likely to be mixed. In countries where digital sovereignty has long served as the basis for restrictions on the ability of U.S. firms to export data, the move could be welcomed as long overdue. For example, when the United States Trade Representative (USTR) decided to withdraw from provisions that protect data flows in the World Trade Organization (WTO), a leading Indian think tank lauded the move as likely “to spark a worldwide reassessment of national e-commerce policies.” On the other hand, other commentators stated that the withdrawal “sent shock waves through the trade, tech, human rights, and diplomatic communities.”

In terms of extraterritorial effects on allies and securing partner buy-in, these rules may receive a warmer reception than other proposals, such as the outbound investment proposal. Allies such as the European Union and Japan already maintain robust data protection schemes, which may lend support for a U.S. data control approach. By contrast, some allies may question the effect on long-standing policies supporting the free flow of data for commercial and other purposes.

The United States and Digital Sovereignty

The executive action on data security fits a policy shift in the United States that increasingly puts security and digital rights at the forefront of its digital economy agenda. In October 2023, the USTR withdrew from the Joint Statement Initiative (JSI) as part of the WTO e-commerce talks. This shocked the business community, other parts of the Biden administration, and Democrats and Republicans in Congress. The e-commerce talks, among other outcomes, normalized the use of e-signatures and recognized them as legally valid. Others in the national security community, however, have expressed growing concerns that international commitment to unfettered free data flows presents national security risks, given the ability for commercial channels to act as a vector for nation-states to harvest U.S. personal data, including the whereabouts of military personnel.

WTO rules do permit national security exceptions. Article XXI of the General Agreement on Tariffs and Trade permits countries to pursue policies that otherwise contravene WTO non-discrimination rules when countries can substantiate a deviation based on security concerns. Under the national security exception, the United States would appear to have a defensible case for regulating data brokers that can disclose information such as the whereabouts of U.S. military personnel and government officials.

The administration has indicated that the withdrawal from the JSI and its new limits on bulk data sales are unrelated and that it would have pursued the data security executive action regardless of participation in the JSI. Speculation about internal strategy aside, from the outside view and perhaps to other governments, a series of recent actions reveals a broader trend toward an increasing role for national security and nationality-based restrictions in digital governance. Along with the new limits on data sales, such a trend is evident in the Biden administration’s EO on artificial intelligence (AI), the withdrawal from the JSI, the Department of Commerce’s proposed Know Your Customer (KYC) rules for cloud sales, and the limits in that rule on the use of cloud providers’ products for large AI model training. Additionally, the withdrawal from the JSI signals a broader U.S. move away from the WTO, which it regards as hobbled, slow, and generally ineffective in correcting Chinese nonmarket economic practices.

There have been some prior measures to address risks from data brokers. For example, the Foreign Investment Risk Review Modernization Act (FIRRMA), passed in 2018, provides CFIUS with authority to review transactions involving companies with a user base of at least 1 million users. More recently, the Federal Trade Commission has brought enforcement actions against data brokers, requiring them to obtain informed consent from users prior to selling consumer data. This follows the revelation that the second-largest data broker in the United States was selling raw geolocation data without users’ permission.

The United States is now moving toward a new approach to data governance. This approach, promulgated through an expanded executive branch tool kit, reflects ongoing legislative dysfunction in the U.S. Congress, which has failed to pass privacy legislation. In terms of signaling to allies, the administration would benefit from stating more clearly in public that these policies together amount to a new era of U.S. digital governance.

Next Steps

Similar to the executive action on outbound investments, the action on data security will be open for public comment for a period of 45 days. Similar to the evolution of the administration’s outbound investment policies, it is unlikely that the data security measures will be finalized before the end of 2024. The administration will have to address concerns among allies about the potential extraterritorial reach of the proposed rules, particularly at a time when allies and partners are contending with a more restrictive trade tool kit that has not been met with additional market access concessions. The administration will also need to explain clearly its policy toward encouraging “trusted data flows,” especially but not exclusively with U.S. allies, while responding to threats of data flows to countries of concern.

Emily Benson directs the Project on Trade and Technology and is senior fellow with the Scholl Chair in International Business at the Center for Strategic and International Studies in Washington, D.C. Samm Sacks is a senior fellow at Yale Law School’s Paul Tsai China Center, New America, and the senior fellow for China with the Cross Border Data Forum. Peter Swire is professor of law and ethics at the Georgia Tech Scheller College of Business, holds the J.Z. Liang Chair in the Georgia Tech School of Cybersecurity & Privacy, and is the research director of the Cross Border Data Forum.
