By Elizabeth Carroll

On February 28, 2024, President Biden signed Executive Order 14117[1] on “Preventing Access to Americans’ Bulk Sensitive Data and United States Government-Related Data by Countries of Concern.”  The Executive Order delegates authority to the Department of Justice to create regulations that restrict access by “countries of concern” to Americans’ bulk sensitive personal data that would pose “an unacceptable risk to the national security of the United States.”[2]  The countries of concern will likely include China, Russia, Iran, North Korea, Venezuela, and Cuba.[3]  The Executive Order aims to curtail the use of Americans’ sensitive personal data for malicious purposes, such as spying, blackmail, and cyber-operations against the United States, which can occur when the data lands in the hands of foreign intelligence services or foreign companies.[4]  These countries of concern could permit the targeting of military personnel, politicians, and other U.S. citizens, which creates a national security risk for the United States.[5]

President Biden signed the Executive Order in response to the proliferation of the commercial data brokerage industry, which profits off the collection, aggregation, and sale of people’s personal data to third-party individuals.[6]  The data brokerage industry heavily relies on highly sensitive personal data, such as geolocation and internet browsing history.[7]

The obligations under the Executive Order strike a balance between regulating the data brokerage industry and avoiding interference with the general international flow of data by defining a narrow scope of transactions that are at issue and creating exemptions.[8]  The six categories of sensitive data subject to limitations include (1) precise geolocation, (2) biometric identifiers, (3) human genomic data, (4) personal health data, (5) personal financial data, and (6) personal identifiers.[9]  In its advance notice of proposed rulemaking, the Department of Justice prohibits data brokerage transactions that meet these criteria, but permits those pursuant to vendor agreements, employment agreements, or investment agreements, subject to heightened cybersecurity requirements.[10]  The Executive Order also carves out exemptions, such as permitting data transactions within multinational companies for payroll or business licenses, those required by international law, personal communications, public records, and data transfers for federally funded health and research activities.[11]  The Executive Order also prohibits only the “knowing” engagement in a prohibited transaction, as opposed to a strict liability standard.[12]

The Executive Order creates compliance obligations for these data brokerage firms, requiring them to restructure their internal business practices.[13]  Data brokers will have to cease transactions with the covered countries of concern.[14]  These firms will need to establish risk-based and reasonable compliance programs and exercise affirmative due diligence, reporting, and record-keeping.[15]

This Executive Order is only the beginning of the Biden Administration’s regulation of data broker activities.  This year, the FTC took action against two data brokers, Kochava and X-Mode, for selling geolocation data that allowed individuals to be traced to and from sensitive locations.[16]  The Consumer Financial Protection Bureau (CFPB) initiated a rule-making process to expand the scope of the Fair Credit Reporting Act[17] to include data brokers.[18]  Lastly, Congress introduced several bills to address the sale and transfer of data to foreign governments, such as the Protecting Americans’ Data from Foreign Surveillance Act of 2023.[19]  The data brokerage industry will need to prepare itself not only for increased compliance obligations, but also for future legal challenges.

[1] Exec. Order No. 14117, 89 Fed. Reg. 15421 (2024).

[2] Hope Anderson, et al., New Executive Order Seeks to Protect Americans’ Sensitive Personal Data, White & Case (Mar. 4, 2024), https://www.whitecase.com/insight-alert/new-executive-order-seeks-protect-americans-sensitive-personal-data.

[3] Id.

[4] Alexis Early et al., White House Executive Order Seeks to Protect Americans’ Sensitive Personal Data and US Government-Related Data in Cross-Border Transactions, JDSupra (Mar. 7, 2024), https://www.jdsupra.com/legalnews/client-alert-white-house-executive-9979133/.

[5] Evan Brown et al., Exploring the White House’s Executive Order to Limit Data Transfers to Foreign Adversaries, CSIS (Feb. 29, 2024), https://www.csis.org/analysis/exploring-white-houses-executive-order-limit-data-transfers-foreign-adversaries.

[6] See Fact Sheet, President Biden Issues Executive Order to Protect Americans’ Sensitive Personal Data, White House (Feb. 28, 2024), https://www.whitehouse.gov/briefing-room/statements-releases/2024/02/28/fact-sheet-president-biden-issues-sweeping-executive-order-to-protect-americans-sensitive-personal-data/ (providing a breakdown of the actions that federal agencies will be taking in response to the E.O.).

[7] Brown et al., supra note 4.

[8] Id.

[9] Fact Sheet, President Biden Issues Executive Order to Protect Americans’ Sensitive Personal Data, White House (Feb. 28, 2024), https://www.whitehouse.gov/briefing-room/statements-releases/2024/02/28/fact-sheet-president-biden-issues-sweeping-executive-order-to-protect-americans-sensitive-personal-data/.

[10] National Security Division; Provisions Regarding Access to Americans’ Bulk Sensitive Personal Data and Government-Related Data by Countries of Concern, 89 Fed. Reg. 15780, 15783 (Mar. 5, 2024).

[11] Id. at 15794.

[12] Jason Chipman et al., Biden Executive Order to Protect Americans’ Sensitive Personal Data and Related Rulemaking Could Impose Significant Restrictions on Certain Transfers of Sensitive Personal Information, WilmerHale (Mar. 1, 2024), https://www.wilmerhale.com/insights/client-alerts/20240301-biden-executive-order-to-protect-american-sensitive-personal-data-and-related-rulemaking-could-impose-significant-restrictions-on-certain-transfers-of-sensitive-personal-information.

[13] Id.

[14] Id.

[15] Id.

[16] Brown et al., supra note 4.

[17] See Fair Credit Reporting Act, 15 U.S.C. § 1681 (2023) (ensuring that consumer reporting agencies exercise “fairness, impartiality, and a respect for the consumer’s right to privacy”).

[18] Brown et al., supra note 4.

[19] H.R. 4108, 118th Cong. (2023).
