On Feb. 28, President Joe Biden issued what has been called “a groundbreaking Executive Order (EO)” addressing national security threats posed by countries attempting to access Americans’ personal and government data. Titled “Preventing Access to Americans’ Bulk Sensitive Personal Data and U.S. Government-Related Data by Countries of Concern,” the EO is the first of its kind directing the Justice Department to establish national-security programming to address ongoing threats.
The EO requires the Justice Department to issue regulations prohibiting certain data transactions that pose a potential risk to national security. In accordance with the EO, the Justice Department’s National Security Division has identified China, Russia, Iran, North Korea, Cuba and Venezuela as countries of concern.
“Our adversaries are exploiting Americans’ sensitive personal data to threaten our national security,” said Attorney General Merrick B. Garland. “They are purchasing this data to use to blackmail and surveil individuals, target those they view as dissidents here in the United States and engage in other malicious activities. This Executive Order gives the Justice Department the authority to block countries that pose a threat to our national security from harvesting Americans’ most sensitive personal data—including human genomic data, biometric and personal identifiers, and personal health and financial data.”
In addition to the new program, the EO will take further steps to enhance the Justice Department’s existing authorities to address data-security risks in the health care and consumer markets.
The National Security Division will issue an Advance Notice of Proposed Rulemaking (ANPRM) describing transactions involving bulk sensitive personal data and U.S. Government data as outlined within the EO, while seeking public comment on the items the Department of Justice is considering regulating.
As noted in the initial Feb. 27 press release, the purpose of the ANPRM is to provide transparency about the scope of the program and to solicit public input. The Justice Department welcomes comments on the ANPRM from industry, society and advocacy groups with expertise in data security and cybersecurity. Written comments may be submitted within 45 days on regulations.gov.
The Justice Department stated it “is committed to protecting Americans from countries that seek to collect and weaponize sensitive data.” It is “committed to ensuring this program remains carefully calibrated and is consistent with the United States’ longstanding commitments to cross-border data flows, an open and secure internet, and scientific research through international collaboration.”
The EO does not authorize the Justice Department to establish data-localization requirements and will allow low-risk commercial activity to continue unimpeded to minimize economic impacts on businesses and markets.