Background

Ahead of the release of the EO, on February 28, 2024, the White House published a fact sheet, explaining that the EO was created in response to concerns over the sale of Americans' personal and sensitive information through data brokers to countries of concern, thereby raising significant privacy, counterintelligence, blackmail risks, and other national security risks. In light of the above, the EO aims to prevent the large-scale or bulk transfer of Americans' sensitive personal and government-related data to countries that have a track record of collecting and misusing the same and directs government bodies such as the Departments of Justice (DoJ) to issue regulations.

It is worth noting that, as emphasized by the White House, the EO is not intended to stop the flow of information required to enable international commerce and trade nor impose measures aimed at broader decoupling of relationships the US maintains.

Considering the impact on businesses, Mark highlights that "The majority of US businesses are unlikely to engage in the transfer sensitive personal information in bulk to the designated countries (which the DOJ has indicated will be China, Cuba, Iran, North Korea, Russia and Venezuela) which is targeted by this EO. In that respect, the biggest impact will likely be on:

• telecommunications and Big Tech companies who facilitate a lot of data transfers globally; and
• data brokers, who could be expected to ensure the data they sell does not end up in the wrong place.

However, Cybersecurity and Infrastructure Security Agency (CISA) is directed by the EO to issue security requirements for mitigating the risk of access by designated countries, and that could conceivably apply broadly to businesses who host or process sensitive personal information in bulk, even if just in the US or other permissible countries."

Definitions

The EO provides definitions for relevant terms, some of which will be further defined in the regulations issued by the Attorney General (AG). The term 'sensitive personal data' is defined as a combination of various information categories, including personal identifiers, geolocation and related sensor data, biometric identifiers, human 'omic data, personal health data, personal financial data, and others, as specified by future regulations. This data becomes sensitive when it could be linked to an identifiable individual or group of individuals and could be exploited by a 'country of concern', also defined by the EO as a foreign government that poses a substantial risk to US national security due to its history of malicious activities and potential misuse of sensitive personal data. However, publicly available information, personal communications protected by the International Emergency Economic Powers Act (IEEPA), and informational materials within the scope of the IEEPA are excluded from this definition.

Country of concern will be determined by the AG. However, the DoJ has shed some light on 'countries of concern' in its factsheet, stating that it will contemplate identifying six such countries: China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela. Importantly, the EO clarifies that the term 'access' will include logical or physical access, including the ability to obtain, read, copy, decrypt, edit, divert, release, affect, alter the state of, or otherwise view or receive, in any form.

Furthermore, the EO defines 'covered person' as individuals or entities under the control of or residing in, countries of concern, including among others, employees, contractors, and individuals designated by the AG as being linked or linkable to these countries. The EO also defines the term 'U.S. Government-related data' as sensitive personal data deemed by the AG at high risk of exploitation by countries of concern. The data can be linked to current/former Government personnel (including military) and used to identify such personnel, as well as linked to sensitive Government geolocations.

Prohibited and restricted transactions

While there are prohibitions and restrictions on certain transactions, as detailed in Section 2 of the EO, the same is subject to further rules. Broadly, we understand that the AG, along with the Secretary of Homeland Security and in consultation with the heads of relevant agencies, will issue regulations ('the Transaction Regulations') that prohibit or otherwise restrict US persons from engaging in certain transactions with foreign countries or their nationals. 'Transaction' refers to persons engaging in any acquisition, holding, use, transfer, transportation, or exportation of, or dealing in, any property in which a foreign country or national thereof has any interest. These restrictions will apply where the transaction:

• involves bulk sensitive personal data or government-related data, as further defined by the Transaction Regulations;
• is a member of a class of transactions that has been determined by the Transaction Regulations, to pose an unacceptable risk to the national;
• was initiated, is pending, or will be completed after the effective date of the Transaction Regulations;
• does not qualify for an exemption provided in, or is not authorized by a license issued pursuant to the Transaction Regulations; and
• is not, as defined by the Transaction Regulations, ordinarily incident to and part of the provision of financial services, or required for compliance with any federal statutory or regulatory requirements.

In relation to the impact of the EO on data transfers, Mark notes that "While the overwhelming majority of overseas transfers and third-party data disclosures should be fine under the EO, a key question to be addressed is whether and to what extent a business may be liable when its sensitive personal data ends up in a country of concern through onward transfers by third parties. In other words, how forcefully will the US Government require businesses to effectively police the transfer and disclosure of sensitive personal data by downstream data recipients?''

Regarding prohibited and restricted transactions, the AG is required to publish the Transaction Regulations, for notice and comment, within 180 days of the publication of the EO. To this end, the Transaction Regulations must, among other things:

• identify prohibited transactions, that meet the criteria specified in the EO (prohibited transactions);
• identify classes of transactions that meet the criteria specified in the EO and for which the AG determines that security requirements adequately mitigate the risk of access by countries of concern or covered persons to bulk sensitive personal or government-related data (restricted transactions);
• identify countries of concern, as appropriate, classes of covered persons, with the concurrence with other agencies ;
• establish, as appropriate, mechanisms to provide additional clarity to persons affected by the EO and any regulations implementing the same;
• establish a process to issue, in concurrence and consultation with the other government bodies and agency heads, as appropriate, licenses authorizing transactions that would otherwise be prohibited or restricted transactions; and
• address the need for, as appropriate, recordkeeping and reporting of transactions to inform investigative, enforcement, and regulatory efforts.

In addition to the above rulemaking and to further implement Section 2 of the EO, the AG, in coordination with the Secretary of Homeland Security and in consultation with the heads of relevant agencies, may, propose one or more regulations, including to identify additional classes of prohibited and restricted transactions and with the concurrence of the Secretary of State and the Secretary of Commerce, to identify new or remove existing countries of concern and, as appropriate, classes of covered persons.

Importantly, the EO explains that the prohibitions promulgated pursuant to Section 2 of the EO, in relation to prohibited and restricted transactions apply notwithstanding any contract entered into or any license or permit granted prior to the effective date of the applicable regulations. According to the EO, any transaction or other activity that has the purpose of evading or avoiding, causes a violation of, or attempts to violate any of the prohibitions, or conspiracy formed to violate any of the prohibitions is prohibited.

Data security

In addition to the Transaction Regulations, security requirements that address the unacceptable risk posed by restricted transactions will be issued by the Secretary of Homeland Security, acting through the Director of the CISA. The security requirements would be based on the Cybersecurity and Privacy Frameworks developed by the National Institute of Standards and Technology (NIST). Here, Mark points out that ''the EO is a big boost for the NIST Cybersecurity and Privacy Frameworks, since businesses may be more directly required to implement those frameworks through the requirements that CISA adopts under the EO. Many businesses are already aligning with these frameworks but should take this EO as a strong indication to accelerate that transition if they haven't done so yet.''

Further, in relation to the security requirements, the Secretary of Homeland Security and the AG will (i) issue interpretive and enforcement guidance; (ii) take actions, including promulgating rules, regulations, standards, and requirements, and employing all other powers granted to the President by the IEEPA and; (iii) establish a mechanism for the AG to monitor whether restricted transactions comply with the security requirements.

Similar to the General Data Protection Regulation (GDPR), the EO does not require data localization per se but imposes security measures, among other obligations on organizations for certain categories of transactions and notably, expressly states that any implementing regulations of Section 2 of the EO must not establish a generalized data localization requirement to store bulk sensitive personal or government-related data within the US or to locate such computing facilities within the US.

Mark explains that ''this is the first significant step in the US around data localization and could lead to expanded requirements in the future. For example, notwithstanding US commitments to the free flow of data, Congress could get more comfortable restricting cross-border data transfers in federal privacy legislation. There may also be more legislation at the state level (for e.g., Florida has already passed a law to keep its resident's health data hosted in the US and Canada)."

The EO also outlines that any regulations implementing Section 2 of the EO must:

• reflect consideration of the nature of the class of transaction involving bulk sensitive personal data or government-related data, the volume of bulk sensitive personal data involved in the transaction, and other factors, as appropriate;
• establish thresholds and due diligence requirements for entities to use in assessing whether a transaction is a prohibited transaction or a restricted transaction;
• account for any legal obligations applicable to the U.S. Government (the Government') relating to public access to the results of taxpayer-funded scientific research, the sharing and interoperability of electronic health information, and patient access to their data; and
• not address transactions to the extent that they involve types of human 'omic data other than human genomic data before the submission of the report described in Section 6 of the EO.

Protecting sensitive personal data

To address concerns regarding access to bulk sensitive personal data and government-related data, the EO mandates that the Committee for the Assessment of Foreign Participation in the U.S. Telecommunications Services Sector (the Assessment Committee) will take specific actions to:

• prioritize, the initiation of reviews of existing licenses for submarine cable systems that are owned or operated by persons owned by, controlled by, or subject to the jurisdiction or direction of a country of concern, or that terminate in the jurisdiction of a country of concern;
• issue policy guidance, regarding the Committee's reviews of license applications and existing licenses, including the assessment of third-party risks regarding access to data by countries of concern; and
• address, on an ongoing basis, the national security and law enforcement risks related to access by countries of concern to bulk sensitive personal data that may be presented by any new application or existing license reviewed by the Committee to land or operate a submarine cable system, with the approval of the Assessment Committee's Advisors.

The EO explains that while the US encourages international collaboration in research and scientific data sharing, additional measures are necessary to be taken, including:

• issuing regulations, guidance, or orders to limit Federal assistance programs that enable access by countries of concern or covered persons to US persons' bulk sensitive personal data, or to impose mitigation measures with respect to such assistance, which may be consistent with the security requirements adopted under Section 2(d) of the EO, on the recipients of Federal assistance to address this threat;
• jointly developing and publishing guidance to assist US research entities in ensuring the protection of their bulk sensitive personal data; and
• submitting a report, within one year of the EO, through the Assistant to the President of the National Security Affairs (APNSA) detailing their progress in implementing the above-mentioned measures.

Furthermore, the EO identifies data brokers as a specific concern due to their role in providing access to bulk sensitive personal and government-related data by collecting, assembling, evaluating, and disseminating such data to countries of concern and covered persons. The EO, therefore, encourages the Director of the Consumer Financial Protection Bureau to leverage its existing authority to address this threat. This may involve strengthening compliance with federal consumer protection laws and continuing efforts to develop regulations aimed at data brokers.

Required actions by government agencies

In addition to the rulemaking powers discussed above, the EO highlights further actions required by various authorities, including assessing the national security risks arising from prior transfers of US persons' bulk sensitive personal data.

Assessing the national security risks arising from prior transfers of US persons' bulk sensitive personal data

In particular, within 120 days of the effective date of the Regulations issued, the AG, the Secretary of Homeland Security, and the Director of National Intelligence, in consultation with the heads of relevant agencies, must recommend to the APNSA appropriate actions to detect, assess, and mitigate national security risks arising from prior transfers of US persons' bulk sensitive personal data to countries of concern. Moreover, within 150 days of the effective date of the Regulations, the APNSA must review these recommendations and, as appropriate, consult with the AG, the Secretary of Homeland Security, and the heads of relevant agencies on implementing the recommendations consistent with applicable law.

Report to the President and Congress

The AG would also be required to, in consultation with the Secretary of State, the Secretary of the Treasury, the Secretary of Commerce, and the Secretary of Homeland Security, within one year of the Transaction Regulation's effective date, a report to the President through the APNSA assessing, to the extent practicable:

• the effectiveness of the measures under the EO in addressing threats to the national security of the US; and
• the economic impact of the implementation of the EO, including on the international competitiveness of US industry (this report must solicit and consider public comments).

In addition, Section 2(m) of the EO states that the AG, in coordination with the Secretary of Homeland Security and in consultation with the heads of relevant agencies, is authorized to submit recurring and final reports to Congress related to the EO, consistent with Section 401(c) of the National Emergencies Act and Section 204(c) of IEEPA.

Assessing risks associated with human 'omic data

Importantly, within 120 days of the date of the EO, the APNSA, the Assistant to the President and Director of the Domestic Policy Council, the Director of the Office of Science and Technology Policy, and the Director of the Office of Pandemic Preparedness and Response Policy, in consultation with the Secretary of State, the Secretary of Defense, the Secretary of Health and Human Services, the Secretary of Veterans Affairs, the Director of the National Science Foundation, the Director of National Intelligence, and the Director of the Federal Bureau of Investigation (FBI), must submit a report to the President, assessing the risks and benefits of regulating transactions involving types of human 'omic data other than human genomic data, such as:

• human proteomic data;
• human epigenomic data; and
• human metabolomic data.

Further, the abovementioned agencies must recommend the extent to which such transactions should be regulated pursuant to Section 2 of the EO, relating to prohibited and restricted transactions.

The report and recommendation must consider the risks to US persons and national security, as well as the economic and scientific costs of regulating transactions that provide countries of concern or covered persons access to these data types.

Conclusion

The EO reflects some of the themes of transfer restrictions imposed by European laws and regulations, including concerns over access to personal data by foreign governments. Considering the implications of the EO on DPF adequacy challenges, Mark highlights that there are ''some strategic alignments here with EU-US Data Protection Framework (DPF), since businesses subject to the GDPR or the DPF program are expected to take appropriate measures to safeguard personal data when:

• disclosing it to third parties (e.g., independent controllers, processors, or sub-processors); or
• transferring it to jurisdictions without adequate data protection laws.

That being said, the EU-US DPF adequacy challenges have primarily revolved around US Government access to personal data of EU/EEA residents, which is not a subject of this EO.''

Finally, concerning company preparation, Mark advises ''In the short term, businesses will want to: (i) understand the scope of personal data covered by the EO in relation to their own data inventories; and (ii) assess whether vendors or third-party data recipients could be transferring data out of the US, and if so, is there a risk of onward transfer (or resale) to countries of concern. In some respects, these assessments may drive further collaboration between teams responsible for cybersecurity, data privacy, sanctions, and export controls."

Madhura Sakharam Bhandarkar Privacy Analyst
[email protected]
Maryam Abass Privacy Analyst
[email protected]

With comments provided by:

Mark Francis Partner
[email protected]
Holland & Knight, New York