March 6, 2024
On February 28, 2024, President Joe Biden signed an executive order to protect America's bulk sensitive personal data. This executive order provides an overview of upcoming regulations to limit foreign countries' access to the bulk sensitive personal data of United States persons and the United States Government when such access poses an unacceptable security risk. These regulations aim to balance the unacceptable risks associated with bulk data flow and the need to support secure data flow across borders for legitimate economic, scientific, and trade purposes.
The order defines sensitive personal data as covered personal identifiers, geolocation and related sensor data, biometric identifiers, human ‘omic data, personal health data, personal financial data, or any combination thereof, as further defined in regulations issued by the Attorney General pursuant to Section 2 of the order, and that could be exploited by a country of concern to harm United States national security if that data is linked or linkable to any identifiable United States individual or to a discrete and identifiable group of United States individuals. It requires the Attorney General, in coordination with the Secretary of Homeland Security and consultation with the heads of relevant agencies, to create regulations that outline the class of prohibited bulk personal data transactions, exceptions to these prohibitions, identities of new or existing countries of concern, and, if appropriate, classes of covered persons. The regulations shall govern any transaction that:
The regulations must also establish a process to issue, modify, or rescind licenses for transactions that would otherwise be impermissible, establish mechanisms to provide clarity to impacted parties, coordinate with the Committee on Foreign Investment in the United States and other stakeholders, and develop a process for record keeping, as appropriate.
The order also requires the Attorney General to, within 120 days of the effective date of the regulations, recommend appropriate actions to mitigate national security risks with respect to prior transactions of a United States person's bulk sensitive personal information data to the countries of concern. The Secretary of Homeland Security, acting through the Director of Cybersecurity and Infrastructure Security, will draft regulations and seek public comments on security requirements designed to address the unacceptable risks posed by the transactions that the Attorney General identifies. Additionally, Section 5 of the order requires a report to the president within one year of the effective date of the regulation. This report will include an update on the effectiveness and economic impact of the regulations. This report to the president will provide another opportunity for the public to comment on the impact of the regulation. Additionally, the Departments of Health and Human Services, Defense, and Veterans Affairs must ensure that Federal grants, contracts, and awards are not used to facilitate access to Americans’ sensitive health data by countries of concern, including via companies located in the United States and the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector (often called “Team Telecom”) must consider the threats to Americans’ sensitive personal data in its reviews of submarine cable licenses.
While the threshold amount of data that constitutes, “bulk” data will be set by the regulations, companies involved in collecting, selling, and transmitting large amounts of sensitive personal data should begin to understand where and how their data is controlled and shared. Specifically, companies involved in the transmission of bulk sensitive personal data to countries, or businesses closely aligned with countries of concern with a track record of misusing data to infringe upon privacy and human rights will need to ensure that the data is used in a way that is not detrimental to United States national security.
Copyright © Finnegan, Henderson, Farabow, Garrett & Dunner, LLP. This article is for informational purposes, is not intended to constitute legal advice, and may be considered advertising under applicable state laws. This article is only the opinion of the authors and is not attributable to Finnegan, Henderson, Farabow, Garrett & Dunner, LLP, or the firm’s clients.
Lecture
Patent Protection for Software-Related Inventions in Europe and the USA Training Course
June 5, 2024
Hybrid
Webinar
May 9, 2024
Webinar
Workshop
Life Sciences Workshop: Updates and Key Trends in Pharmaceutical and Biotechnology IP Law
May 2, 2024
Cambridge
Due to international data regulations, we’ve updated our privacy policy. Click here to read our privacy policy in full.
We use cookies on this website to provide you with the best user experience. By accepting cookies, you agree to our use of cookies. Please note that if you opt not to accept or if you disable cookies, the “Your Finnegan” feature on this website will be disabled as well. For more information on how we use cookies, please see our Privacy Policy.
Finnegan is thrilled to announce the launch of our new blog, Ad Law Buzz, devoted solely to breaking news, developments, trends, and analysis in advertising law.