Biden order bars data broker sale of Americans’ sensitive data to adversaries

Covered persons: The program will be defined categorically to include certain classes of entities and individuals subject to the jurisdiction, direction, ownership, or control of countries of concern, if data to these persons will place that data within the reach of the countries of concern. The EO defines four categories of covered persons:

• “An entity owned by, controlled by, or subject to the jurisdiction or direction of a country of concern”
• “A foreign person who is an employee or contractor of such an entity”
• “A foreign person who is an employee or contractor of a country of concern” and
• “A foreign person who is primarily resident in the territorial jurisdiction of a country of concern”

According to the EO and the ANPRM, the categories of covered persons would not include anyone who is a US citizen, national, or lawful permanent resident, anyone admitted to the United States as a refugee or granted asylum, any entity organized solely under US laws or jurisdiction, and any person located in the United States.

The EO also authorizes DOJ to supplement these categories of covered persons by designating specific entities or individuals as covered persons if they meet certain criteria, such as being owned or controlled by or subject to the jurisdiction or direction of a country of concern or acting on behalf of a country of concern or another covered person.

Sensitive personal data: The EO defines “sensitive personal data” to mean covered personal identifiers, geolocation, and related sensor data, biometric identifiers, personal health data, human genomic data, personal financial data, or any combination thereof that could be exploited by a country of concern to harm United States national security if that data is linked or linkable to any identifiable United States individual or a discrete and identifiable group of United States individuals.

The DOJ plans to refine the scope of these sensitive personal data categories further in its rulemaking. Sensitive personal information will not include data that is a matter of public record, such as court or other government records, that is lawfully and generally available to the public or personal communications.

Bulk thresholds and US government-related data: The DOJ’s program will generally regulate the specified categories of data transactions in the six categories of sensitive personal data only if the transactions exceed prescribed bulk volumes (i.e., a threshold number of US persons or US devices). However, those bulk volumes would not apply to transactions involving certain US government-related data. The program will regulate data transactions involving sensitive personal data on US government personnel or locations regardless of the volume of such data.

For government-related personnel data, the ANPRM will contemplate focusing on sensitive personal data that a transacting party (such as a data broker) markets as linked or linkable to current or recent former employees or contractors or former senior officials of the federal government, including the intelligence community and military. For US government-related data on locations, the ANPRM will contemplate focusing on geolocation data that is linked or linkable to certain sensitive locations within geofenced areas that the Department would specify on a public list.

Covered data transactions: The forthcoming ANPRM contemplates identifying two categories of prohibited data transactions between US persons and countries of concern or covered persons: