Today, the White House announced that President Biden will sign an executive order designed to protect sensitive data of U.S. persons from exploitation by identified countries of concern. This executive order is expected to be published later today, and to direct the Department of Justice (DOJ) to issue regulations designed to address transactions that involve U.S. persons’ bulk sensitive personal data and countries of concern (and for this reason is referred to for convenience as the “Bulk Data EO”). DOJ has announced that it will issue an Advance Notice of Proposed Rulemaking followed by a Notice of Proposed Rulemaking, and has stated that “Companies and individuals will be required to comply with the regulations only after the final rule becomes effective.”
The Bulk Data EO is expected to be issued on the basis of the authority granted to the President under the International Emergency Economic Powers Act, which is also the basis for most U.S. sanctions programs. The regulations, and the tools used to comply with them, are likely to borrow concepts and approaches from U.S. sanctions law. The Bulk Data EO is expected to work along three primary lines: (1) identify “countries of concern” with whom U.S. person bulk data transactions will be restricted, (2) identify types of sensitive data, and the “bulk” volumes of such data, that will trigger transaction restrictions, and (3) identify the types of transactions that might trigger scrutiny. This post will briefly sketch each of these points.
(1) Countries of Concern and Covered Persons
It is expected that the Bulk Data EO will result in at least six countries of concern being named: China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela. Transactions that involve the bulk transfer of U.S. sensitive personal data to covered persons connected to these countries would potentially be restricted. The definition of a “covered person” will be set forth more fully in the Bulk Data EO, as well as in forthcoming DOJ rulemaking. We anticipate covered persons will, at least initially, be defined to include “cut-outs” and other entities that could be seen as indirectly facilitating a bulk transfer of sensitive personal data to countries of concern.
(2) Sensitive Personal Data
Sensitive personal data will include genomic data, biometric data, personal health data, geolocation data, financial data, and certain kinds of personally identifiable information – which is anticipated to include online or similar indirect identifiers that can be tied to U.S. persons. Geolocation information on sensitive government sites and information about military members will also be included.
The Bulk Data EO will spell out in more detail (a) the precise types of data that are considered “sensitive,” and (b) the quantity of each type of data at which it is deemed a “bulk” set of sensitive data subject to restriction. The more sensitive the data type, the lower the volume that will likely be seen as bulk – e.g., low quantities of genomic data will likely be considered a “bulk” set given its sensitivity, while greater quantities of online identifiers may be required to generate a bulk set.
(3) Transactions Subject to Scrutiny
The Bulk Data EO will identify specific types of transactions that may result in scrutiny. DOJ and the Department of Homeland Security are to be tasked with identifying “commercial means, such as data available via investment, vendor, and employment relationships” that can result in sensitive personal data going to countries of concern. The Departments of Health and Human Services, Defense, and Veterans Affairs will be tasked with reviewing “grants, contracts, and awards” that may result in sensitive personal data being provided to covered persons. The Bulk Data EO will exclude certain categories of data transactions, such as those “ordinarily incident to financial services.”
The next steps for the Bulk Data EO are as follows:
- At 3:00pm EST today, the White House is expected to hold an initial briefing on the Bulk Data EO. The full EO should be released around that time.
- Within 24 to 48 hours, DOJ will release an Advance Notice of Proposed Rulemaking (ANPR) to start the rulemaking process under the Bulk Data EO. We expect a lengthy and detailed ANPR, and DOJ has stated to industry participants it welcomes comment. We will follow with a detailed review of the ANPR once it is published.
For additional information, see the White House Fact Sheet and the Fact Sheet published by the Department of Justice.