Exploring the White House’s Executive Order to Limit Data Transfers to Foreign Adversaries

On February 28, the White House issued an Executive Order on Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern that seeks to limit outbound data transfers that pose “an unacceptable risk to the national security of the United States.” Though almost all U.S. technology companies transfer personal information across borders, this executive order (EO) could primarily affect the business models of third-party firms known as data brokers, which profit from the bulk collection, aggregation, and sales of a wide spectrum of personal data, including biographical information, internet browsing history, and geolocation. The EO responds to concerns that the unfettered availability of this data for purchase could allow malign actors around the world to target military personnel, politicians, and other U.S. individuals, constituting a national security risk. The EO aims to narrowly address this national security question—it applies to a limited scope of transactions, and features several exemptions designed to prevent interference with the general flow of data across international borders. It also comes amid a broader debate about whether Americans’ data should be for sale at all.

Q1: What limitations does the EO place on data transactions?

A1: The EO directs the Department of Justice (DOJ) to issue regulations restricting U.S. companies from transferring or selling large datasets to “covered persons” who are subject to the jurisdiction of “countries of concern,” which will likely include China, Russia, Iran, North Korea, Venezuela, and Cuba. It also prevents transactions to designated “covered persons” located in third-party countries (such as EU member states) depending on the nature of their relationship with covered countries. However, it does not impose new restrictions on how U.S. technology companies and data brokers aggregate, process, store, and share sensitive personal information with entities located in the United States, regardless of their citizenship status or potential affiliation with a country of concern. While the EO continues to allow U.S. entities to share or sell personal information to most third-party countries that are not designated as “countries of concern,” it is possible that subsequent DOJ regulations could address risks of onward re-exports to prohibited actors. However, it would be difficult to fully prevent leakage of sensitive personal information, especially since data brokers generally do not publicly disclose their clients or buyers. Personal information can be transferred numerous times between entities, and it is unclear how far down the line any legal requirements could extend beyond the initial transaction.

The EO subjects six categories of sensitive data to limitations: (1) precise geolocation, (2) biometric identifiers (including behavioral traits such as gait), (3) human genomic data, (4) personal health data, (5) personal financial data, and (6) personal identifiers (e.g. names linked to advertising IDs). The DOJ is considering categorically prohibiting transactions of human genomic data, while subjecting the other categories to more conditional limitations based on the nature of the transaction. For example, the forthcoming advanced notice of proposed rulemaking considers prohibiting data brokerage transactions that meet this criteria, while permitting those pursuant to vendor agreements, employment agreements, or investment agreements so long as they comply with requirements set by the Cybersecurity and Infrastructure Security Agency. The EO directs the DOJ to establish a threshold of U.S. individuals or U.S. devices subject to these forthcoming restrictions, though it is unclear how EO would prevent the combination of smaller datasets after they have been acquired from multiple sources. Cases involving the data of U.S. government officials will not need to meet the bulk threshold for restrictions to come into effect.

Bulk transfers of data within the six categories of concern would still be permitted in some cases. The EO features a broad carve-out for financial services transactions that are already regulated, including for ecommerce, banking, and risk management. Other exempted practices include data transactions within multinational companies for payroll or business licenses, those required by international law (such as passenger manifest information), personal communications, public records, and data transfers for federally funded health and research activities. The DOJ, in consultation with other federal agencies, will also create a licensing process to allow companies to engage in otherwise prohibited transactions.

Q2: What national security concerns does the EO seek to address?

A2: Even as digital tracking and algorithmic profiling techniques expand in scale and precision, there is currently no comprehensive federal statute that prevents the sale of Americans’ personal information to malign actors. This reflects a gap in U.S. national security policy. Sensitive personal information, such as geolocation or purchase history, has high value as intelligence, and can potentially be for illicit use by countries of concern, including tracking and curbing dissidents, targeting journalists and activists, targeting misinformation at specific groups, and spying on or blackmailing military, intelligence, or government members. Since U.S. companies are subject to fewer privacy regulations compared to other countries and can collect more detailed datasets on internet users, countries of concern could also use this data to train artificial intelligence systems.

Although the full extent of data broker sales to foreign adversaries is not publicly known, China has demonstrated a strategic interest in acquiring U.S. personal information through both voluntary and compelled means. In the past decade, China has hacked personal information related to an estimated 21 million individuals from the U.S. Office of Personnel Management and over 400 million records from Marriott servers. More recently, the Chinese government has also contracted private companies to scrape public-facing posts on Facebook and Twitter (now X) to track political critics and journalists, including some located outside China. Since 2020, Congress and the Trump and Biden administrations have escalated calls to ban or divest TikTok due to concerns that the Chinese government could compel its parent company, ByteDance, to hand over U.S. mobile app information. Although the EO does not specifically address TikTok and excludes public-facing social media data, it could prevent TikTok from transferring certain bulk non-public datasets to its parent company or other businesses within China.

The EO takes targeted steps to prevent U.S. data brokers from sharing Americans’ sensitive personal data with countries of concern, but it does not prevent them from selling the same information to U.S. buyers. In a partially declassified report, the Office of the Director of National Intelligence acknowledged that open market for commercial data in the United States “raises significant issues related to privacy and civil liberties” and “can be misused to cause substantial harm, embarrassment, and inconvenience to U.S. persons.” While the EO does not aim to address domestic privacy concerns, it is possible that Congress or the administration could place guardrails on U.S. government transactions with data brokers through future legislative or executive actions.

Q3: What effect will the EO have on cross-border data flows or international agreements?

A3: The EO will not impact ongoing U.S. commitments to international agreements and other initiatives—including Data Free Flow with Trust, Global Cross-Border Privacy Rules Forum, and EU-U.S. Data Privacy Framework—that aim to sustain the economic benefits of cross-border data flows through promoting interoperability in data privacy frameworks. In April 2022, the United States led 60 countries in signing the Declaration for the Future of the Internet, which acknowledged the “benefits of data free flows with trust based on shared values as like-minded, democratic, open and outward looking partners.” In December 2022, it also joined 37 other Organization of Economic Cooperation and Development countries and the European Union in adopting the Declaration on Government Access to Personal Data Held by Private Sector Entities, which recognized how cross-border data flows benefit not only digital trade, but also fundamental human rights like free expression and open communications.

Despite these commitments, the short- and long-term impacts of the EO on global data flows are not yet clear. Prior to this executive action, U.S. companies had historically faced few restrictions on how they transfer data abroad. While the EO aims to minimize disruption to existing U.S. business activities through targeted exemptions, the long-term effects could depend on how the Department of Justice and other federal agencies choose to implement and enforce them. The economic impacts of this executive action could also depend on the response of non-U.S. governments—if the EO encourages U.S. trade partners to similarly limit data transactions that carry privacy risks, it is possible that some may choose to further limit data transfers to the United States, which has lagged behind other major economies in enacting comprehensive data privacy regulations. While the EO requires the attorney general, in consultation with other agency heads, to submit an economic impact assessment within one year after the implementing regulations come into force, it is possible that their full effects on cross-border data flows and economic competitiveness will require a more long-term outlook.

Furthermore, the EO is the latest in a series of executive actions that could signal a policy shift away from the traditional U.S. unconstrained approach to global data flows. For example, the Committee for Foreign Investment in the United States (CFIUS) has reportedly been undergoing years-long negotiations with TikTok on a possible agreement that could require it to store all U.S. personal information within domestic servers subject to significant federal oversight—which would amount to one of the first known data localization mandates for a major technology company. The White House also endorsed the RESTRICT Act in March 2023, which proposed to grant the Department of Commerce broad authority to block data transfers that posed an undefined amount of risk. If U.S.-China economic, technological, and national security competition continues to intensify, it is possible that cross-border data flows will be subject to greater tension in the future.

Q4: What else are U.S. policymakers doing to address the broader concerns around data brokers?

A4: The Biden administration is exploring guardrails on other facets of data broker activities, including to address domestic privacy concerns. The Federal Trade Commission (FTC) under Commissioner Lina Khan has taken actions against data brokers Kochava and X-Mode for selling sensitive location data, and a recent settlement agreement with X-Mode prohibits the firm from sharing or selling such data, a first for the FTC. After an August 2023 White House roundtable on protections from data brokers, the Consumer Financial Protection Bureau (CFPB) initiated a rulemaking process which could expand the scope of the Fair Credit Reporting Act (FCRA) to limit the ability of data brokers under U.S. jurisdiction to sell or process certain consumer information, potentially even for the purposes of advertising or marketing. The EO explicitly encourages the continuation of this rulemaking process.

Several bills in the 118th Congress have sought to address the problem of data transfer or sale to foreign governments and actors. The Protecting Military Servicemembers’ Data Act proposes to block any sale of military members’ data to U.S. adversaries, and the Protecting Americans' Data from Foreign Surveillance Act aims to create a hierarchy of low-risk and high risk countries for sensitive data transfer. The DATA Act seeks to prevent the transfer of sensitive personal data to China. Along with the RESTRICT Act, it has been understood as a potential mechanism to ban TikTok, which has reportedly continued to share U.S. person data with its Chinese parent company ByteDance despite its ongoing CFIUS negotiations and Project Texas public announcements. None of these bills have advanced out of committee, though the EO addresses many of their stated objectives.

A longstanding concern of the privacy community is the purchase of data by U.S. law enforcement and intelligence agencies. This “data broker loophole” has seen U.S. investigators circumvent Fourth Amendment warrant requirements by purchasing suspects’ data during criminal and national security investigations. The bipartisan Fourth Amendment is Not For Sale Act would close this loophole, and the bill’s prescriptions have also been incorporated into two congressional proposals for FISA Section 702 reform. Comprehensive proposed privacy legislation such as the American Data Privacy and Protection Act would place broader limitations on the collection and transfer of user data to third parties, including data brokers, but this bill from 2022 has not been reintroduced in the current Congress. Because the EO is solely focused on foreign purchases from countries of concern and does not address these domestic privacy concerns, policymakers still need to establish further legislation restricting other types of data broker activities to create a safer ecosystem for sensitive U.S. personal data overall.

Evan Brown is a research intern with the Strategic Technologies Program at the Center for Strategic and International Studies (CSIS) in Washington, D.C. Caitlin Chin-Rothmann is a fellow with the CSIS Strategic Technologies Program. Julia Brock is the program coordinator and research assistant with the CSIS Strategic Technologies Program.