LawFlash: President Biden Issues Executive Order on Data Protection and National Security – Key Elements of the Program and Compliance Considerations

President Joseph Biden has taken a significant step towards protecting sensitive personal data of US citizens by issuing an executive order titled “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” This executive order, accompanied by a draft Advance Notice of Proposed Rulemaking (ANPRM) from the US Department of Justice’s National Security Division, aims to establish a program to safeguard sensitive personal data from being transferred to countries identified as posing particular concerns.

Under this new program, companies will face restrictions on business activities that involve the transfer of certain data to designated countries. The focus is on protecting a wide range of sensitive personal data that may be transferred through various means such as data aggregators, investment relationships, vendor agreements, or employment agreements. This initiative represents a significant move towards addressing the risks to data, especially concerning national security interests.

The program draws heavily from existing regulatory processes such as the Committee on Foreign Investment in the United States (CFIUS), the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector (Team Telecom), and efforts to regulate supply chain security for information and communications technology and services. The EO expands on previous authorities to counter the threat posed by certain countries to access and exploit Americans’ sensitive personal data and US government-related data.

Key elements of the program include designating the Department of Justice as the lead agency, establishing rules for specific categories of data transactions, identifying six “countries of concern,” defining covered persons and categories of sensitive personal data, setting threshold amounts for regulation, and outlining compliance and enforcement measures. The program will also involve a process for issuing licenses and advisory opinions, as well as exemptions for certain transactions.

The program aims to enhance existing national security programs related to telecommunications infrastructure, the healthcare market, and consumer protection. It is crucial for companies and stakeholders to engage with the government during the public comment period to provide feedback and help shape the regulations effectively.

Overall, this initiative marks a significant departure from current data privacy rules in the US and underscores the government’s commitment to protecting sensitive personal data from potential threats. The deadline for submitting comments on the ANPRM is 45 days after its publication in the Federal Register, providing an opportunity for industry stakeholders to contribute to the development of the new regulatory regime.