The White House Issues Executive Order to Protect American Residents’ Sensitive Personal Data

Overview of Executive Order

On February 28, 2024, the White House issued an executive order to block data brokers and other companies from providing “countries of concern” with sensitive personal data about American residents that can be used to carry out unusual or extraordinary threats against national security or foreign policy. President Biden directed the U.S. Department of Justice (DOJ) to issue regulations to prevent the large-scale transfer of Americans’ sensitive personal data through data brokerages, third-party vendor agreements, employment agreements, investment agreements, or other such arrangements. This sensitive personal data includes genomic data, biometric data, personal health data, geolocation data, and financial data.  In a call with reporters on February 27, 2024, a senior administration official identified the “countries of concern” as China (including Hong Kong and Macau), Russia, North Korea, Iran, Cuba and Venezuela.

The “Countries of Concern” and Nefarious Activity

The order is designed to help prevent “countries of concern” from utilizing advanced technologies, including artificial intelligence (AI), to analyze and manipulate bulk sensitive personal data to engage in espionage, influence, kinetic or cyber operations or to identify other potential strategic advances over the U.S. These countries of concern may also access bulk data sets to fuel the creation and refinement of AI and other advanced technologies to exploit the underlying data and exacerbate national security and foreign policy threats. The administration is concerned that “countries of concern” may leverage their access to bulk data to engage in a variety of nefarious activities, including cyberattacks, espionage, blackmail, intimidation, and curtailing of freedom of expression and political dissent.

The proliferation of these incidents can be seen in the suspected cyberattack by Blackcat, also known as ALPHV, on UnitedHealth Group’s technology unit, Change Healthcare. The cyberattack targeted Change Healthcare’s information technology systems and led to the shutdown of more than a hundred Change Healthcare services, including impacted prescription deliveries and pharmacy disruptions. Microsoft and OpenAI also recently identified China, Russia, North Korea and Iran in a series of schemes that used AI for nefarious purposes.

Call to Action

The White House has stressed that Congress should still continue to pass comprehensive bipartisan privacy legislation, especially with regards to the safety of American children.
Under the new order, the DOJ will be tasked with developing and soliciting public feedback for proposed regulations that will establish “clear protections” to protect adversarial foreign governments from accessing and exploiting Americans’ sensitive personal data. The DOJ will also be focused on creating rules to provide “greater protections” for sensitive government-related data, including geolocation data on sensitive government websites and information on military members.

The directive will require the DOJ and U.S. Department of Homeland Security to work together to “set high security standards” to block such countries’ ability to obtain Americans’ data through “other commercial means,” (including investment, vendor and employment relationships). 

The Committee for the Assessment of Foreign Participation in the U.S. Telecommunications Services Sector will consider threats to Americans’ sensitive personal data in its reviews of submarine cable licenses.

The Biden administration also acknowledged that the intent of the executive order is not to stop the free flow of vital data, and that any regulations drafted will contain carveouts for data transfers that are necessary for carryout out routine activities, such as processing of financial transactions, payroll obligations and compliance with law enforcement investigations.

Enforcement, Skepticism, and the Future Landscape

In terms of enforcement, the DOJ will investigate any violations of the new data regulations once they come in effect, and the agency will seek “civil and criminal remedies.” 

Some privacy professionals and technology industry stakeholders are skeptical that the executive order adequately accounts for the subsequent sales of sensitive data by various data brokers around the world and the enforcement challenges that they will impose.

In the meantime, companies should continue to be cognizant of any nefarious cyber activities and strengthen their cybersecurity protocols, enhance employee training and foster a culture of cybersecurity awareness to safeguard against data breaches and preserve the confidentiality and integrity of their sensitive personal data.