Executive Order to Protect Americans’ Sensitive Personal Data
March 5, 2024, Covington Alert
Executive Summary
On February 28, 2024, President Biden signed the “Executive Order on Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” (the “EO”). In tandem, the Department of Justice (“DOJ”) issued a 90-page Advance Notice of Proposed Rulemaking (“ANPRM”) that details the substance of contemplated implementing regulations for the EO and solicits industry feedback. Comments in response to the ANPRM will be due on April 19, 2024 (45 days after the ANPRM was published in the Federal Register).
The EO represents the first time the U.S. government has sought to regulate U.S. personal data for national security reasons—as opposed to privacy or other reasons. It will establish an entirely new regulatory regime, led by DOJ and involving other U.S. government agencies including the Department of Homeland Security (“DHS”), that is potentially sweeping in scope. The ANPRM contemplates not only flat prohibitions on certain transfers of bulk personal data, but also a range of requirements that would apply to companies that engage in certain categories of investment, vendor, and employment transactions—essentially making those companies regulated entities for national security purposes.
The EO was motivated by concerns about U.S. national security risks arising from foreign access to personal data, and a perception that existing U.S. law is not sufficient to address those concerns. Over the last decade, issues related to personal data have featured prominently in numerous transactions reviewed by the Committee on Foreign Investment in the United States (“CFIUS”) and the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector (better known as “Team Telecom”), including a number of transactions that were prohibited on national security grounds. In many other cases, CFIUS and Team Telecom have required as a condition of approval that parties enter into “mitigation agreements” focused on the protection of personal data. Thus, we have seen the U.S. government use existing legal authorities—most notably CFIUS and Team Telecom—to address personal data-related concerns where they arose in the context of specific transactions, but there was no directly applicable authority allowing the government to regulate outside the context of transactions that triggered those processes. The EO seeks to plug that gap.
The ANPRM proposes to use the authority provided by the EO to establish bright line rules to prevent access to certain sensitive personal data of U.S. persons by “countries of concern”—including China and Russia—and thereby mitigate the risk that such data could be exploited or used in ways that would harm U.S. national security. The Biden Administration states that the new authority is meant to be focused narrowly on prohibiting or limiting specific categories of transactions, as opposed to a broad-reaching data protection regime. That said, while it is true that the EO does not contemplate regulations to protect all personal data per se, the ANPRM proposes a new regime that will have wide-reaching effects on transactions across various industries ranging from health care and life sciences to technology, entertainment, and social media, where such transactions have a nexus with China, Russia, and other “countries of concern.”
Importantly, however, no restrictions or requirements will go into effect until the EO is implemented through the rulemaking process. The ANPRM serves as an opportunity for industry to review and provide comments for the Biden Administration to consider as it moves forward with the rulemaking process.
Background—How did we get here?
As explained in the EO and ANPRM, the Biden Administration determined that “certain countries of concern” are using U.S. sensitive personal data to engage in a wide range of malicious activities that harm U.S. national security interests, including by using it for purposes of espionage, influence, kinetic, or cyber operations as well as to identify other strategic advantages over the United States. These activities are bolstered by advancements in technologies, including big-data analytics, artificial intelligence, and high-performance computing, which the Office of the Director of National Intelligence (“ODNI”) has assessed is “increasing the ability of countries of concern to more effectively target and influence, or coerce, individuals and groups in the United States and allied countries.”[1]
Thus, while the EO marks a significant step with respect to regulating Americans’ personal data, it is not the first or only measure by the U.S. government to address increasing concerns around foreign adversary access and exploitation of sensitive personal data—and it is not likely to be the last. In many respects it is the cumulative result of years-long efforts both by the Biden Administration and previous administrations to address a perceived threat to U.S. national security.
Dating back to at least 2018, and the passage of the Foreign Investment Risk Review Modernization Act (“FIRRMA”), the U.S. government signaled that protection of sensitive personal data was a core national security issue by including the collection, maintenance, and storage of U.S. sensitive personal data as a factor informing whether CFIUS has jurisdiction to review certain investments and whether filing was mandatory or voluntary. CFIUS has used its authority on a case-by-case basis to mitigate or even outright block transactions where the Committee is concerned such transactions could result in foreign adversary access to U.S. sensitive personal data. Further underscoring CFIUS’s focus on such transactions, in September 2022, President Biden signed the “Executive Order on Ensuring Robust Consideration of Evolving National Security Risks by the Committee on Foreign Investment in the United States,” which, among other areas of specific risk, formally directed CFIUS to scrutinize transactions involving sensitive personal data.
The Biden Administration has also looked to authorities other than CFIUS to stem the flow of significant volumes of data to foreign adversaries. In 2021 President Biden signed Executive Order 14034, “Protecting Americans’ Sensitive Data from Foreign Adversaries,” which sought to regulate connected software applications designed, developed, manufactured, or supplied by foreign adversaries on the basis that such applications collect significant volumes of sensitive personal data. In June 2023, the U.S. Department of Commerce (“Commerce”) published the Final Rule on Securing the Information and Communications Technology and Services Supply Chain (“ICTS Rule”), which incorporates specific provisions regulating connected software applications as contemplated by the 2021 EO. As a result, Commerce has the authority to review and potentially prohibit certain transactions with countries of concern involving connected software applications that collect U.S. personal data.
At the same time, the U.S. Intelligence Community has been issuing warnings about the transfer of sensitive personal data to foreign adversaries, and China in particular. In 2021, the National Counterintelligence and Security Center under ODNI published an overview of the threat posed by China’s collection of large healthcare data sets from the United States and elsewhere, highlighting in particular the collection of DNA. It noted that the “PRC views bulk personal data, including healthcare and genomic data, as a strategic commodity to be collected and used for its economic and national security priorities”—a concern that underlies the EO. ODNI flagged the “front door” through which countries of concern were directly accessing sensitive data, such as Chinese companies that were licensed to perform genetic testing or genomic sequencing on U.S. patients.
In the last several years, it has become increasingly clear that the U.S. national security community—and DOJ, in particular—viewed existing legal authorities as insufficient to address the significant national security concerns that had been identified in the context of CFIUS reviews and about which ODNI issued warnings. DOJ appears to have leveraged its leadership role within CFIUS related to sensitive personal data transactions and taken the reins to drive the adoption of the EO and implement what will now be much broader-reaching, bright line rules for personal data protection.
Key Elements of the EO and ANPRM
The following are the key elements of the EO, as proposed to be implemented by the ANPRM.
Overall Structure: The EO and ANPRM contemplate a regime that would prohibit or otherwise restrict U.S. persons from engaging in “covered data transactions,” which are certain transactions that involve the transfer of bulk “U.S. sensitive personal data” or “U.S. Government-related data” to “countries of concern.” The regime will not involve a case-by-case analysis or adjudication of transactions but instead will impose outright prohibitions on certain transactions (“Prohibited Transactions”) and presumptively prohibit certain other classes of transactions, unless the transaction parties adopt security practices to be defined by the Cybersecurity and Infrastructure Security Agency (“CISA”), under DHS (“Restricted Transactions”). Parties may seek licenses to engage in transactions that otherwise would be prohibited or restricted, as well as advisory opinions with respect to the application of the rules. Finally, while the ANPRM does not suggest broad-based recordkeeping and reporting will be required, it does contemplate a compliance and enforcement program modeled after the economic sanctions program administered by the Treasury Department’s Office of Foreign Assets Control (“OFAC”). Failure to comply with the regulations may result in civil monetary penalties, following an approach similar to processes utilized by CFIUS and OFAC.
Key Terms:
- Countries of Concern: China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela.
- Covered data transaction: Any transaction that involves bulk U.S. sensitive personal data or government-related data and that involves: (1) data brokerage; (2) a vendor agreement; (3) an employment agreement; or (4) an investment agreement.
- Covered Persons: An entity owned by, controlled by, or subject to the jurisdiction or direction of a country of concern; a foreign person who is an employee or contractor of such an entity; a foreign person who is an employee or contractor of a country of concern; a foreign person who is primarily resident in the territorial jurisdiction of a country of concern; or any person designated by the Attorney General as being owned or controlled by or subject to the jurisdiction or direction of a country of concern, as acting on behalf of or purporting to act on behalf of a country of concern or other covered person, or as knowingly causing or directing, directly or indirectly, a violation of the EO or its implementing regulations.
- U.S. Sensitive Personal Data: The ANPRM contemplates six categories that comprise U.S. Sensitive Personal Data, which includes the following and any combination thereof:
- Covered personal identifiers, which may include, for example, demographic information linked to another listed identifier (e.g., device-based or hardware-based identifier, IP address, or account-authentication data (such as account username, password, or security question answer)).
- Geolocation and related sensor data, which for the first rulemaking would be defined as limited to precise geolocation data (i.e., data, whether real-time or historical, that identifies the physical location of an individual or device to a specific level of precision based on electronic signals or inertial sensing units).
- Biometric identifiers, meaning measurable physical characteristics or behaviors used to recognize or verify the identity of an individual, including facial images, voice prints and patterns, retina and iris scans, palm prints and fingerprints, gait, and keyboard usage patterns that are enrolled in a biometric system and the templates created by the system.
- Human ‘omic data, which is defined in the EO to mean data generated from humans that characterizes or quantifies human biological molecule(s), such as human genomic data, epigenomic data, proteomic data, transcriptomic data, microbiomic data, or metabolomic data. DOJ explains in the ANPRM that it intends for its first rulemaking to regulate covered data transactions involving human ‘omic data only to the extent that such transactions involve human genomic data. Human genomic data in turn is defined in the EO as data representing the nucleic acid sequences that constitute the entire set or a subset of the genetic instructions found in a cell. The ANPRM provides that human genomic data includes the result or results of an individual’s “genetic test”—defined via cross-reference to 42 U.S.C. § 300gg-91(d)(17) to mean “an analysis of human DNA, RNA, chromosomes, proteins, or metabolites, that detects genotypes, mutations, or chromosomal changes,” subject to certain exceptions—and any related human genetic sequencing data.
- Personal health data, which means “individually identifiable health information,” regardless of whether such information is collected by a “covered entity” or “business associate,” as those terms are defined in the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the HIPAA Privacy Rule. Accordingly, individually identifiable health information is information, including demographic information, that: (1) is created or received by a health care provider (among others); and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) that identifies the individual; or (ii) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
- Personal financial data, defined as an individual’s credit, charge, or debit card, or bank account, including purchases and payment history; data in a bank, credit, or other financial statement, including assets, liabilities and debts, and transactions; or data in a credit or “consumer report” (as defined under 15 U.S.C. § 1681a).
- Bulk Data Thresholds: The ANPRM proposes to establish volume-based thresholds, i.e., bulk thresholds, for each category of U.S. sensitive personal data and for combined datasets. The following are the bulk thresholds the ANPRM contemplates adopting:
These thresholds can be satisfied by data in any format, including anonymized, pseudonymized, de-identified, or encrypted data. The ANPRM also contemplates aggregating the transfer of such data across multiple transactions within the preceding 12 months, meaning that even if a single transaction does not surpass the defined bulk threshold, the threshold may nevertheless be triggered across multiple transactions.
- United States Government-Related Data: Sensitive personal data that, regardless of volume, is linkable to categories of current or former employees, contractors, or officials of the U.S. government, is linked to or could be used to identify current or recent former employees or contractors, or former senior officials, of the U.S. government, or is linked or linkable to certain sensitive locations. The ANPRM suggests this will include precise geolocation data and sensitive personal data, regardless of volume, that is marketed as linked or linkable to current or recent former employees or contractors, or former senior officials, of the U.S. government. The term also includes any precise geolocation data, regardless of volume, for any location within any area enumerated on a list of specific geofenced areas associated with military, other government, or other sensitive facilities or locations. This definition could create issues for U.S. sales of vehicles by covered persons, if there is no way to mitigate the risk that a U.S. government employee will drive one and assuming such a vehicle can identify precise geolocation.[2]
Regulated Activities:
- Prohibited Transactions: The ANPRM contemplates that two classes of transactions between U.S. persons and countries of concern or covered persons would be categorically prohibited: (1) data brokerage transactions and (2) any transaction that provides a country of concern or covered person with access to bulk human genomic data or human biospecimens from which the human genomic data can be derived.
- Data Brokerage Transactions—Data brokerage transactions include the sale of, licensing of, access to, or similar commercial transactions involving the transfer of any data from any person to any other person where the recipient did not collect or process the data directly from the individuals linked or linkable to the collected or processed data. As an example, the ANPRM suggests that a U.S. company that sells bulk U.S. sensitive personal data to an entity headquartered in a country of concern would be prohibited. Similarly, if a U.S. company enters into an agreement that gives a covered person a license to access government-related data held by the U.S. company, such a transaction would also be prohibited.
The ANPRM also states that DOJ is considering prohibiting U.S. persons from engaging in a covered data transaction involving data brokerage with any foreign person (not just a “covered person”), unless the U.S. person contractually requires that the foreign person refrain from engaging in a subsequent covered data transaction involving the same data with a country of concern or covered person. The ANPRM notes this is the only instance contemplated where the program would regulate third-country covered data transactions.
- Human Genomic Data Transactions—The ANPRM contemplates a prohibition that would be specific to address risks posed by covered data transactions that involve access by countries of concern or covered persons to bulk human genomic data and biospecimens from which that data can be derived. This could involve, for example, covered data transactions with laboratories owned or operated by covered persons. Importantly, because the contemplated prohibition also includes aggregating the transfer of such genomic data and biospecimens across multiple transactions within a set time period, DOJ may consider several transactions between the same transaction parties to determine whether the bulk threshold has been met.
Notably, the ANPRM suggests by way of example that, unless part of federally funded research, if a U.S. hospital contracts with a foreign laboratory that is a covered person, hires a researcher that is a covered person, and gives the laboratory and researcher access to human biospecimens and human genomic data in bulk, the contract with the foreign laboratory and the employment of the researcher would be a prohibited covered data transaction.
- Restricted Transactions: In addition to the outright prohibitions discussed above, the ANPRM contemplates that three other classes of covered data transactions—vendor agreements, employment agreements, and investment agreements—would be presumptively prohibited, unless certain security measures are implemented as prescribed by CISA to mitigate the risks relating to such transactions.
- Vendor agreements would include, among other types, agreements for technology services and cloud service agreements. More specifically, the examples suggest that such agreements could include software development services provided by a covered person in support of a U.S. company that develops software that collects bulk sensitive personal data on U.S. persons, at least to the extent those software development services would involve access to bulk U.S. sensitive personal data or government-related data. Such agreements could also include back-end IT services provided under a contract by a covered person to a U.S. medical facility with bulk personal health data, where such IT services could involve access to such data.
- Employment agreements would include those arrangements where an individual, other than an independent contractor, performs work or job functions in exchange for consideration. In general, this could include, for example, employment on a U.S. company’s board or committee, as well as employment at the operational level, where the U.S. company collects and maintains bulk sensitive data on U.S. persons and the employee is a covered person. More specifically, this is meant to address employing individuals in a country of concern where those individuals’ jobs allow them to access U.S. sensitive personal data, manage the systems that store U.S. sensitive personal data, or serve at a management level that would allow them to direct access for themselves.
- Investment agreements would be any agreement or arrangement in which any person, in exchange for consideration, obtains direct or indirect ownership interests in or rights in relation to (1) real estate located in the United States or (2) a U.S. legal entity. This means that certain greenfield investments could be captured by the restrictions, as illustrated by an example in the ANPRM that suggests a transaction involving a covered person providing capital to support the construction of a data center that will store bulk U.S. sensitive personal data could be covered by the regulations. Other investments that could be covered include minority investments in companies that collect or maintain bulk U.S. sensitive personal data, such as those that develop mobile games or other applications. In a hypothetical example included in the ANPRM, DOJ explains that even an investment agreement that explicitly forbids the foreign company from accessing sensitive personal data of U.S. users would still be a restricted transaction. DOJ explains that whether the specific investment agreement poses a risk of access does not affect whether the agreement is restricted.
The ANPRM indicates DOJ is considering excluding certain types of investment agreements and potentially setting equity thresholds or defining a category of rights that would be required for the investment agreement to be restricted under the regulations.
- Security Requirements for Restricted Transactions: The security requirements that would have to be adopted in order for the above-described restricted transactions to proceed will be based on existing performance goals, guidance, practices, and controls, such as CISA Cybersecurity Performance Goals and the National Institute of Standards & Technology (“NIST”) Cybersecurity Framework. Specifically, the ANPRM sets out the following framework for the security requirements:
- Implement the Basic Organizational Cybersecurity Posture requirements;
- Conduct the covered data transaction in compliance with the following four conditions: (a) data minimization and masking; (b) use of privacy preserving technologies; (c) development of information-technology systems to prevent unauthorized disclosure; and (d) implementation of logical and physical access controls; and
- Satisfy certain compliance-related conditions, such as retaining an independent auditor to perform annual testing and auditing of the requirements above, for so long as the U.S. person relies on compliance with those conditions to conduct the restricted covered data transaction.
The identified security measures are frequently included in CFIUS mitigation agreements, and it is clear the ANPRM is drawing on the government’s years of experience crafting mitigation agreements and attempts to standardize the preferred data security standards across industries. It is notable that CISA, rather than NIST, which sits within Commerce, is responsible for developing the security requirements, another signal that the national security community will carry significant weight in this rulemaking and the ultimate implementation of the rules.
The ANPRM suggests that DOJ does not intend to regulate Restricted Transactions until the security requirements are published, available to the public, and become effective by incorporation in any final rule.
Exemptions: DOJ is considering an OFAC-like process that will explicitly exempt certain categories of data transactions from the scope of the ANPRM’s prohibitions and restrictions. These include the following:
- Transactions involving certain kinds of data—This would include transactions involving personal communications (such as postal or telephonic information that does not involve the transfer of anything of value) as well as information materials (such as publications, posters, photographs, and artwork that are not otherwise controlled under certain export controls).
- Official business transactions—This would include (1) conduct of official business of the U.S. government; (2) authorized activity of any U.S. government department or agency; or (3) transactions conducted pursuant to grant, contract, or other agreement entered into with the U.S. government.
- Financial services, payment-processing, and regulatory-compliance-related transactions—Any transaction that is ordinarily incident to and part of the provision of financial services (including payment processing, banking, capital markets, and financial insurance services) or required for compliance with any federal statutory or regulatory requirements.
- Intra-entity transactions incident to business operations—Transactions that are between a U.S. person and its subsidiary or affiliate located in a country of concern and ordinarily incident to and part of ancillary business operations (such as, for example, sharing employees’ covered personal identifiers for human resources purposes).
- Transactions that are required or authorized by U.S. federal law or international treaty—The latter category could include, for example, exchanging passenger manifest information and INTERPOL requests.
Licenses: In addition to the exemptions noted above, DOJ is considering the creation of a licensing regime that would be modeled on OFAC’s licensing program, incorporating both general and specific licenses. Such licenses could authorize covered data transactions that otherwise would be prohibited or restricted. This proposed licensing process would create a mechanism for parties to bring specific concerns to DOJ, and to provide DOJ with flexibility to address marginal or unique cases or categories of cases.
- General licenses—DOJ is considering a regime involving general licenses that would apply to certain types of covered data transactions. Such general licenses will include requirements to file reports or statements as instructed, and failure to do so may nullify authorization under a license and/or result in a violation subject to enforcement action (see below).
- Specific licenses—DOJ is further considering imposing certain requirements on persons who receive specific licenses. These requirements may include 1) an ongoing obligation to provide reports regarding transactions authorized under the license, and 2) for licenses that apply to transactions involving bulk U.S. sensitive personal data or government-related data, assurances that such transferred data can be recovered or permanently deleted.
Interpretive Guidance: The ANPRM, as directed by the EO, contemplates that DOJ will create a program to provide guidance via written advisory opinions, similar to processes used by OFAC and BIS related to sanctions and export controls, and by DOJ with respect to the Foreign Corrupt Practices Act (“FCPA”) and the Foreign Agents Registration Act (“FARA”). The contemplated program would permit any U.S. person engaging in covered data transactions regulated by the program to request an interpretation of any part of these regulations from the Attorney General. Guidance can be requested regarding, among other topics, whether a particular transaction is covered, whether it is prohibited or restricted, whether a license will likely be granted, and whether a party falls under the definitions of the proposed regulations.
Compliance and Enforcement: The ANPRM suggests that DOJ does not intend to impose broad-based recordkeeping, auditing, or reporting requirements or require U.S. companies to adopt specific compliance programs, but instead contemplates that companies will be required to adopt a risk-based framework to ensure compliance with the regulations.
The ANPRM notes that a compliance program’s suitability to a particular U.S. person will be based on the company’s size and sophistication, products and services, customers and counterparties, and geographic locations. Although the appropriate compliance and due-diligence program will be fact-specific to the U.S. person, DOJ is considering certain consequences for failure to develop an adequate program should a violation occur, including treating the failure as an aggravating factor in potential enforcement actions.
While DOJ is not contemplating imposing general due-diligence and recordkeeping requirements, it is considering imposing such requirements as a condition of engaging in restricted covered data transactions or as a condition of general or specific licenses for restricted or prohibited transactions. DOJ is also considering imposing additional reporting requirements in “certain narrow circumstances” to identify attempts to engage in prohibited covered data transactions. This may include:
- U.S. persons that (a) are engaged in restricted transactions involving cloud computing services or licensed transactions involving data brokerage or cloud-computing services and (b) are 25 percent or more owned by a country of concern or a covered person through any contract, arrangement, understanding, or relationship; or
- U.S. persons who have received and affirmatively rejected an offer to engage in a prohibited transaction involving data brokerage.
Similarly, the ANPRM contemplates auditing requirements for U.S. persons engaging in restricted transactions, whether or not subject to a license, or prohibited transactions subject to a license. These requirements may include annual audits of the effectiveness of applicable security requirements or conditions of the license, the results of which would be provided to DOJ.
DOJ notes that it is considering establishing civil penalties for violations of the regulations, similar to those imposed by OFAC and CFIUS, although the EO itself authorizes DOJ to investigate violations and pursue civil and criminal remedies. The contemplated penalty mechanisms would include a pre-penalty notice, opportunity to respond, and a final decision, and could be based on noncompliance with the rule; making material misstatements or omissions; or making false certifications or submissions. Penalties for violations would depend on the specific facts of the violation, including with respect to efforts undertaken by the company at issue to comply with the regulations.
Coordination with CFIUS: While the ANPRM does not anticipate significant overlap between the new regulations and existing authorities, it does contemplate certain potential overlap with transactions subject to CFIUS jurisdiction, particularly with respect to investment agreements. Under the proposed approach, DOJ would independently regulate, as “covered data transactions,” “investment agreements” that are also subject to CFIUS jurisdiction unless and until CFIUS takes certain qualifying actions with respect to the transaction which may include (i) the issuance of an interim order by CFIUS; (ii) a determination by CFIUS to conclude action based on an order or mitigation agreement related to data-security risks; or (iii) an agreement of voluntary abandonment of the covered transaction.
The ANPRM suggests that DOJ’s regulations will cover certain gaps in CFIUS’s jurisdiction, such as investment agreements that do not constitute CFIUS covered transactions; risks that cannot readily be mitigated through the CFIUS process because they do not “arise[] as a result of the covered transaction,” as required by the CFIUS regulations; and risks that exist in the time window between the parties entering into an investment agreement but before a potential CFIUS action is finalized. To be clear, however, the ANPRM also suggests that where CFIUS does have authority or jurisdiction to act but either elects not to review a particular transaction or does not require mitigation to approve a transaction, DOJ’s authorities to separately prohibit or restrict a transaction involving sensitive personal data will not be displaced.
Additional Impact on Laws and Regulation: In addition to mapping out the core framework for how DOJ will regulate sensitive personal data transactions, the ANPRM also makes certain recommendations and seeks specific comments with respect to the interplay of the future rulemaking with other proposed regulations, as well as existing regimes, including requirements under U.S. government contracts.
More specifically, the ANPRM seeks comments on the relationship between the contemplated rules and potential consumer-reporting rulemaking under the Fair Credit Reporting Act that the Consumer Financial Protection Bureau is considering. That regulation, generally, would prohibit the sale of certain data by data brokers that qualify as consumer reporting agencies without the written instructions of the consumer or another permissible purpose.
The ANPRM further requests that certain U.S. government agencies evaluate other vectors through which sensitive data could be exploited and consider appropriate measures, including suggesting that Team Telecom prioritize a review of submarine cable licenses owned or operated by, or that land in, a country of concern.
Finally, while DOJ’s ANPRM specifically exempts government contracts and grants, the ANPRM also directs the Departments of Defense (“DoD”), Health and Human Services (“HHS”), and Veterans Affairs (“VA”), and the National Science Foundation (“NSF”) to “consider taking steps” to prohibit using funding to enable access to sensitive bulk personal data such as human genomic data. The agencies are also directed to publish guidance to assist U.S. research entities in protecting bulk sensitive data. Given that the agencies are only required to “consider taking steps” and the likely forthcoming prohibitions under separate legislation (the Biosecure Act), which would overlap in subject matter, it is not clear at this time whether DoD, HHS, VA, and NSF will seek to impose additional restrictions on government contractors and grantees.
Conclusion
The Administration has stated that the EO is not intended to create a full-fledged data regulation regime in the United States. The EO affirms that, for example, the United States “supports open scientific data and sample sharing to accelerate research and development through international cooperation and collaboration,” and is committed to “supporting a vibrant, global economy by promoting cross-border data flows required to enable international commerce and trade.” At the same time, given the broad scope of transactions DOJ is contemplating prohibiting or restricting, ranging from data brokerage to vendor agreements, there is no question that the EO, once implemented, will impact a sizeable percentage of companies across a range of industries. Companies that are potentially affected will want to follow the rulemaking process and take steps to plan for the ultimate implementation of the EO.
* * *
If you have any questions concerning the material discussed in this client alert, please contact the members of our CFIUS practice.
[1] ANPRM, citing the National Intelligence Council, Assessment: Cyber Operations Enabling Expansive Digital Authoritarianism at 3 (Apr. 7, 2020) (declassified Oct. 5, 2022), https://www.dni.gov/files/ODNI/documents/assessments/NICM-Declassified-Cyber-Operations-EnablingExpansive-Digital-Authoritarianism-20200407--2022.pdf [https://perma.cc/ZKJ4-TBU6].
[2] In a separate but related rulemaking, on March 1, 2024, the Department of Commerce, Bureau of Industry and Security (“BIS”) released an ANPRM to further enhance the ICTS Rule. It is less prescriptive than the EO and ANPRM and focuses specifically on regulating transactions related to connected vehicles. The effort, however, is another indication of the Administration’s focus on the threat posed by countries of concern gaining access, through whatever means, to U.S. persons’ data. Specifically, it seeks public comment on potential means to address involvement by persons owned by, controlled by, or subject to the jurisdiction or direction of countries of concern, in the design, development, manufacture, or supply of information and communications technology systems integral to connected vehicles. Similar to the Sensitive Data ANPRM, BIS is considering rules that would prohibit certain classes of transactions related to connected vehicles as well as mitigation that would allow participants to engage in otherwise prohibited transactions. The Connected Vehicles ANPRM requests additional information on the connected vehicles supply chain, the software development lifecycle, and the technical capabilities of the vehicles themselves.