Executive Order: Securing Sensitive Personal Data Transfers in the US

In recent years, data protection has become a national emergency in the US, especially without a Federal Data Privacy and Protection Bill. The widespread sharing of US personal and sensitive data has been seen as exploitative, particularly from “countries of concern.” To address this glaring problem, the Biden Administration has issued an Executive Order (EO) to prevent those countries from accessing Americans’ sensitive personal data.

What is the Sensitive Personal Data Protection Order: A Glimpse

On February 28, 2024, President Biden signed Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and U.S. Government-Related Data by Countries of Concern” (the EO). The executive order marks the president’s most significant executive order to protect America’s data security. The EO authorizes the Attorney General to prevent massive transfers of Americans’ data to countries of concern and safeguards to prevent access to American’s sensitive data. The EO focuses on Americans’ most personal and sensitive information, including genomic data, biometric data, personal health data, geolocation data, financial data, and certain types of personally identifiable information.

Here are some essential aspects of the sensitive and personal data protection executive order:

Countries of Concern

The EO doesn’t call out specific countries, but senior administrators are identifying those countries as China, Russia, North Korea, Iran, Cuba, and Venezuela. TikTok, a subsidiary of Chinese technology firm ByteDance Ltd, is a significant point of contention, as it boasts over 150 million American users — which U.S. leaders have been most vocal about over the last few years. The Biden administration is worried about TikTok trafficking sensitive data. White House press secretary Karine Jean-Pierre stated, “We do have concerns — that’s why we put out” the executive order.

Security Risks, Privacy Rights, and Civil Liberties

A major motivating factor behind the EO is the ability of artificial intelligence (AI) to leverage large datasets for problematic reasons (or to build new AI models) that could harm the American public. Any organization processing personal and sensitive data must understand how AI impacts risks and may potentially expose the business to regulatory investigation.

The EO represents a growing effort by the administration to police data transactions that could empower hostile foreign powers to weaponize data and utilize AI to target Americans. The tracking of Americans potentially enables intrusive surveillance, scams, blackmail, privacy violations, and security risks – especially for those in the military or involved in the national security community.

Another area of concern is the ability of these countries to access sensitive personal data to collect information on journalists, activists, political personalities, and marginalized groups to intimidate, create dissent, alter the political landscape, or limit America’s freedoms and civil liberties.

Government Agencies Directed to Protect Data

The Executive Order enables federal agencies to issue regulations that prevent large-scale transfers of certain types of sensitive data from “countries of concern.” To protect Americans’ sensitive personal data, the Biden administration is directing:

• The Department of Justice will issue regulations that protect Americans’ sensitive data from access and exploitation. The data protection will consist of biometric data, personal health data, genomic data, geolocation data, financial data, and specific personal identifiers. The DOJ will prevent the large-scale transfer of that data —which is known to be collected and misused. Additionally, the DOJ must extensively protect sensitive government-related data, specifically geolocation information on sensitive government sites and information about military members.
• The Departments of Justice and Homeland Security will work together to set high-security standards to prevent data access to Americans’ data through commercial means, such as data availability through investments, vendors, and employment relationships.
• The Departments of Health and Human Services, Defense, and Veterans Affairs will help ensure that contracts, grants, and awards do not facilitate access to sensitive health data by countries of concern, including through companies in the United States.
• The Consumer Financial Protection Bureau will act with existing legal authorities to protect Americans from data brokers selling extremely sensitive data illegally.

Restrictions on Certain Transfers of Personal Information

The Executive Order should continue the flow of information necessary for financial services, consumer, economic, scientific, and trade relationships with other countries. The EO insists there will be consistency with the US’s support for the trusted free flow of data.

In addition to the EO, the DOJ released an Advance Notice of Proposed Rulemaking (ANPRM), which defines its plan to implement these regulations. The DOJ is directed to regulate and restrict transactions involving data brokerages, bulk sensitive data transfers, or US Government-related data. The ANPRM may also impose notable security requirements and restrictions on three bulk data transaction types: vendor, employment, and investment agreements.

Data Brokers & Bulk Data Sales

In the US, data brokers can legally collect personal information to build profiles on the American public that can then be rented or sold. It is relatively common practice for data brokers to sell and resell information, but they can legally sell data to countries of concern or controlled by those countries. Data brokers create a gap in the nation’s national security protection when data can quickly end up in the hands of foreign intelligence agencies, militaries, or companies owned by foreign governments.

Compliance and Enforcement

The ANPRM currently doesn’t provide strict liability for violations of the new regulation. However, the DOJ is considering imposing civil penalties with mechanisms for pre-penalty notices, responses, and final decisions. Additionally, there is an expectation to establish risk-based compliance programs; when a violation occurs, the DOJ, in any enforcement action, would consider the compliance program.

How BigID Helps Organizations Protect Personal & Sensitive Data

The Executive Order aligns with several global initiatives to safeguard the flow and transfer of information across countries. The EO highlights the importance of companies understanding what data they collect, how it is used, and potential use by third parties.

BigID enables organizations to meet the EO requirements by identifying, managing, monitoring, and protecting all personal and sensitive data – including cross-border transfers and data access requirements. With BigID, organizations can:

• Discover Data: Discover and catalog your sensitive data, including structured, semi-structured, and unstructured – in on-prem environments and across the cloud.
• Gain Complete Visibility: Automatically classify, categorize, tag, and label sensitive data with unmatched accuracy, granularity, and scale to build a cohesive data inventory to prepare for regulatory audits from the DOJ.
• Mitigate Data Access Risk: Proactively monitor, detect, and respond to unauthorized internal exposure, use, and suspicious activity around sensitive data.
• Validated Data Transfers: Create policies and assign residency to data sources and individuals’ data to enforce data residency requirements and monitor and alert on data transfers.
• Streamline Remediation: BigID helps to define the remediation actions to provide audit records with integration to ticketing systems like Jira for seamless remediation workflows.
• Achieve Compliance: Automatically meet security, privacy, and AI compliance and frameworks globally, wherever data resides.

Schedule a demo with our experts to see how BigID can help your organization secure access and protect personal sensitive data to align with the new executive order requirements.