In the space of a month, two branches of the U.S. government have put forward ambitious measures to protect Americans’ personal data from exploitation by adversarial regimes. Although they take different paths, these measures share similar goals and are rooted in the same national security concerns.
This confluence of executive and legislative action is striking. These measures come at a time when Congress cannot agree on either comprehensive privacy legislation or on how to reauthorize a crucial surveillance authority in a manner that enhances privacy safeguards. The apparent convergence suggests a growing consensus on a crucial point: protecting Americans’ data is essential for national security.
It may be tempting to think of these actions as narrow privacy measures, and compare them with sectoral Federal privacy laws, the expanding number of state privacy laws, or comprehensive privacy regimes such as the European Union’s General Data Protection Regulation (GDPR). That would be a mistake. These are national security measures and are best understood in the national security context.
On their own terms – as targeted measures focused on specific threats – they hold promise for shoring up the country’s cyber defenses, making it more difficult for adversaries to accomplish their goals, and providing certain privacy protections in the process. But to be truly effective, such measures need to form part of a comprehensive, all-of-government data protection campaign focused on defending personal data from malicious exploitation. We have a National Security Strategy, a National Intelligence Strategy, and a National Cybersecurity Strategy. The threats these measures aim to address highlight the need for a National Data Protection Strategy as well.
An Overview of the Recent Measures
On Feb. 28, 2024, President Joe Biden issued Executive Order 14117 on Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern (Bulk Data Order). Its ambitious goal is to protect the personal data of Americans from exploitation by “countries of concern.” The Order directs the Department of Justice (DOJ) to issue implementing regulations. A few days later, DOJ kicked off that process by publishing an advance notice of proposed rulemaking (ANPRM) spanning 23 pages of dense legal text, with detailed proposals, examples, and requests for public input. Key elements include:
- DOJ would prohibit or restrict certain transactions involving “sensitive personal data.” DOJ proposes defining this term to apply to (1) specifically listed categories and combinations of covered personal identifiers (not all personally identifiable information); (2) precise geolocation data; (3) biometric identifiers; (4) human genomic data; (5) personal health data; and (6) personal financial data. Generally, the regulations will only apply if the sensitive personal data involved exceeds certain bulk thresholds (the exception is for transactions involving sensitive personal data on U.S. government personnel or locations).
- The regulations would cover transactions with “covered persons”; i.e., entities and individuals subject to the jurisdiction, direction, ownership, or control of countries of concern. DOJ proposes defining “countries of concern” by reference to a Department of Commerce regulation (discussed further below), which identifies “foreign adversaries” as consisting of China, Russia, Iran, North Korea, Cuba, and Venezuela. The ANPRM suggests this is a closed list, without a defined process for changing it.
- DOJ proposes prohibiting two categories of transactions—data brokerage transactions and the transfer of bulk human genomic data—and restricting three other categories: vendor agreements, employment agreements, and investment agreements. There are several broad exemptions, such as transactions that are ordinarily incidental to financial services (e.g., banking) or ancillary to business operations (e.g., human resources and payroll). Also exempt are transactions involving information and informational materials and personal communications (see 31 CFR Section 560.210).
Contemporaneously, the Department of Commerce published its own ANPRM, focusing on information and communications technology (ICT) used in connected vehicles. The ANPRM solicits public input on addressing the risk of foreign adversaries using ICT-equipped vehicles for nefarious purposes, including the collection of Americans’ sensitive personal data.
Soon thereafter, on March 20, 2024, the House of Representatives unanimously passed a bill intended to prohibit “data brokers” from making available “sensitive data of a United States individual” to foreign adversary countries (China, Russia, Iran and North Korea).
The National Security Threat Picture
Many in government received a rude wakeup call a decade ago when they learned that a huge volume of highly sensitive—and highly personal—background investigation records at the Office of Personnel Management (OPM) had been hacked. The OPM intrusion, along with similar cyber intrusions of Equifax, Marriott, and Anthem health insurance, was later attributed to the government of the People’s Republic of China (PRC). Earlier this year, the government published a cybersecurity advisory assessing that “People’s Republic of China (PRC) state-sponsored cyber actors [referred to as Volt Typhoon] are seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States.”
These attacks contribute to the threat landscape that the IC has been warning about with growing urgency. The ANPRM quotes from the 2023 Annual Threat Assessment of the U.S. Intelligence Community for the proposition that “[o]ur adversaries increasingly view data as a strategic resource. They are focused on acquiring and analyzing data—from personally identifiable information on U.S. citizens to commercial and government data—that can make their espionage, influence, kinetic and cyber-attack operations more effective; advance their exploitation of the U.S. economy; and give them strategic advantage over the United States.”
In February of this year, the Director of National Intelligence (DNI) released the 2024 version of the annual threat assessment, which warns that
“China remains the most active and persistent cyber threat to U.S. Government, private-sector, and critical infrastructure networks. Beijing’s cyber espionage pursuits and its industry’s export of surveillance, information, and communications technologies increase the threats of aggressive cyber operations against the United States and the suppression of the free flow of information in cyberspace.”
It points out that “[i]f China believed that a major conflict with the United States were imminent, it would consider aggressive cyber operations against U.S. critical infrastructure” to “imped[e] US decisionmaking, inducing societal panic, and interfering with the deployment of U.S. forces.”
What about the other “countries of concern”? The threat assessment warns that Russia poses “an enduring global cyber threat,” viewing “cyber disruptions as a potential foreign policy lever to shape other countries’ decisions,” and maintaining “its ability to target critical infrastructure” in the U.S. and allied countries. The assessment also highlights Russia’s “wide-ranging efforts to try to divide Western alliances, undermine U.S. global standing, and sow domestic discord” through malign influence operations. Iran is called out for its “growing expertise and willingness to conduct aggressive cyber operations,” and North Korea for its “ongoing cyber campaign, particularly cryptocurrency heists” and similar criminal operations.
The assessment does not identify comparable cyber threats from Cuba or Venezuela, though on March 5, 2024 President Biden extended for another year the declaration of a national emergency with respect to Venezuela. In addition, a 2021 Intelligence Community Assessment on Foreign Threats to the 2020 US Federal Elections found that Cuba and Venezuela “took some steps to attempt to influence the election.”
In addition, the IC has warned more generally about digital repression. In a National Intelligence Council (NIC) Assessment issued in 2022, the NIC reported that “foreign governments are increasingly using digital information and communication technologies to monitor and suppress political debate domestically as well as in their expatriate and diaspora communities abroad.” The NIC further noted that “[g]rowing use of social media platforms with global reach will offer autocrats increasingly enriched user data to target select groups,” and highlighted a report that “China-based ByteDance—the parent company for TikTok, the most popular social media platform worldwide—had a plan to use the application to monitor and surveil US citizens.”
According to the 2024 Annual Threat Assessment, “Digital technologies have become a core component of many governments’ repressive toolkits even as they continue to engage in physical acts of transnational repression, including assassinations, abductions, abuse of arrest warrants and familial intimidation.” One of these “digital technologies” is, of course, artificial intelligence (AI). According to the 2024 assessment, “China is pursuing AI for smart cities, mass surveillance, healthcare, drug discovery, and intelligent weapons platforms,” and “Russia is using AI to create deepfakes and is developing the capability to fool experts.”
The Role of Personal Data
The ANPRM lays out how, in the government’s view, “[u]nrestricted transfers of bulk sensitive personal data and government-related data to countries of concern, through commercial transactions or otherwise, present a range of threats to U.S. national security and foreign policy.”
It may be helpful to think of these general categories:
- Malicious cyber-enabled activity. Personal data can help hostile actors access systems for the full range of harmful purposes that cybersecurity efforts are designed to guard against, such as disabling critical infrastructure, stealing money, and misappropriating intellectual property. While the Order and ANPRM do not provide specific examples, cybersecurity experts repeatedly warn about how bad actors use social engineering techniques (such as masquerading as a trusted acquaintance or colleague) to obtain login credentials or induce the installation of malware.
- Identifying and targeting individuals with access to sensitive systems or data. Related to the above, information about government employees—obtained directly or derived indirectly—could facilitate further access to sensitive data and could also reveal the location of previously unknown sensitive facilities.
- Malign influence campaigns. Personal information can improve the effectiveness of malign influence campaigns, enabling the creation of credible synthetic content, improving the ability to craft and target messaging for malicious purposes and the like.
- Digital repression. Access to personal data could help regimes identify dissidents and their supporters around the world.
- Advanced technology. Artificial intelligence drives the need for more data to improve capabilities while making access to data more useful operationally, as regimes can better and more rapidly sift through large quantities of data to serve the malicious purposes described above.
Existing Efforts to Protect Personal Data from National Security Threats
To respond to these threats, the executive branch has been pulling the legal levers available to it in three general streams of responsive effort. For our purposes, it may be easiest to start with the Committee on Foreign Investment in the United States (CFIUS). The CFIUS process represents a concerted effort to review foreign investments for threats to national security. In 2018, Congress passed the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA), updating and enhancing CFIUS authorities.
Notably, FIRRMA included a “sense of Congress” that the CFIUS process should consider “the extent to which a covered transaction is likely to expose, either directly or indirectly, personally identifiable information, genetic information, or other sensitive data of United States citizens to access by a foreign government or foreign person that may exploit that information in a manner that threatens national security.” In 2020, the Department of Treasury issued regulations implementing FIRRMA (31 CFR part 800), including detailed provisions on “sensitive personal data.”
President Biden followed up on these measures with Executive Order 14083, Ensuring Robust Consideration of Evolving National Security Risks by the Committee on Foreign Investment in the United States (September 15, 2022). The Order found that “[d]ata is an increasingly powerful tool for the surveillance, tracing, tracking, and targeting of individuals or groups of individuals, with potential adverse impacts on national security.” It directed CFIUS to consider whether a covered transaction “involves the transfer of United States persons’ sensitive data to a foreign person who might take actions that threaten to impair the national security of the United States as a result of the transaction.”
However, the CFIUS process is designed to cover only proposed investment transactions, and leaves open other ways in which foreign governments could gain access to data. CFIUS, in essence, closes only one of several entry points to Americans’ data, leaving others open, such as the purchase or licensing of data from data brokers.
A second stream of responsive effort stems from Executive Order 13873, Securing the Information and Communications Technology and Services (ICTS) Supply Chain (May 15, 2019). In that Order, President Donald Trump found that
“foreign adversaries are increasingly creating and exploiting vulnerabilities in information and communications technology and services, which store and communicate vast amounts of sensitive information, facilitate the digital economy, and support critical infrastructure and vital emergency services, in order to commit malicious cyber-enabled actions, including economic and industrial espionage against the United States and its people.”
The Order seeks to prohibit certain information and communications technology transactions with “foreign adversaries” that the Secretary of Commerce determines—in consultation with other agencies—pose unacceptable national security risks.
It is pursuant to this authority that Commerce has taken two actions of relevance here. First, in reliance on this authority, Commerce issued the connected vehicles ANPRM discussed above. Second, Commerce issued a regulation (15 CFR 7.4) defining “foreign adversaries” under the ICTS executive order as the People’s Republic of China, including the Hong Kong Special Administrative Region; Republic of Cuba; Islamic Republic of Iran; Democratic People’s Republic of Korea (North Korea); Russian Federation (Russia); and Venezuelan politician Nicolás Maduro (Maduro Regime). In DOJ’s ANPRM for the bulk data executive order, it proposes defining “countries of concern” by reference to this regulation, and thus consisting of the same governments.
A third stream of effort is rooted in Executive Order 13913, Establishing the Committee for the Assessment of Foreign Participation in the United States Telecommunications Service Sector (April 4, 2020). That Order creates an interagency committee (referred to as Team Telecom, an entity which existed informally for decades prior to its codification in 2020) “to assist the [Federal Communications Commission (FCC)] in its public interest review of national security and law enforcement concerns that may be raised by foreign participation in the United States telecommunications services sector.” DOJ chairs this committee.
What are we to make of these streams? For one thing, the drafters of the bulk data order are intimately familiar with their capabilities—and limitations—and have crafted the new order to close gaps. As stated in DOJ’s fact sheet:
Our existing national-security authorities, like Committee on Foreign Investment in the United States (CFIUS) and Team Telecom, allow us to review and address these data-security risks on a case-by-case basis for discrete kinds of activities. However, no existing laws comprehensively and prospectively address the national security risks posed by access by countries of concern or covered persons subject to their jurisdiction or control to sensitive personal data through commercial transactions. This targeted new program will be designed to address this gap in our national security authorities.
Relatedly, a team of experienced officials is already in place to administer the new Order, though more are certainly now needed. Within DOJ, responsibility for implementing the Order rests with the National Security Division’s Foreign Investment Review Section (FIRS). FIRS also houses DOJ’s CFIUS, Team Telecom, and supply-chain security experts, thus positioning it to implement and enforce these authorities—in consultation with other agencies such as Commerce—in an integrated manner.
Note that these issuances have all come relatively quickly in the past few years, based primarily on executive, rather than legislative, action. This indicates an increasing concern about the threat, and a desire to act now using available authorities rather than wait for Congress to enact new legislation. However, relying on existing authorities within the Executive Branch raises issues of its own.
Executive Order 14117—A Necessary Step, but Is It a Sufficient One?
As psychologist Abraham Maslow once said, “it is tempting, if the only tool you have is a hammer, to treat everything as if it were a nail.” If the Executive Branch is to act on its own to counter a growing threat, it will need to use the legal authorities at its disposal and rely on its existing pool of experts to deploy those tools. The new Order and accompanying ANPRM demonstrate the experience and expertise of those experts. These measures are, in many ways, natural extensions of the existing work being done by the relevant interagency teams with provisions designed to fill gaps they have identified in their existing authorities. Many issues remain to be resolved—and the long list of thoughtful questions in the ANPRM demonstrates the government’s willingness to consider public input before it proceeds to the next step (the deadline for submitting comments is April 19, 2024).
As dramatic as the new Order appears to be, it can be seen as an incremental, albeit an ambitious, step forward. Viewed alongside Commerce’s connected vehicles ANPRM, it is apparent that the government is taking a tactical approach, targeting specific transactions and technologies that pose heightened risks. (Indeed, DOJ’s fact sheet explicitly characterizes the program as “targeted” four different times.)
The desire to focus on the most serious threat areas is understandable, particularly considering the government’s desire to “minimize[e] the impact on economic and other activities” and to “safeguard the continued cross-border data flows that are vital to our economy and communities.”
That said, this raises the question of future “targets” for regulation, along the following dimensions.
- Countries of concern. The list of countries of concern is currently presented as a static one. Those countries, however, present markedly different risk profiles, in terms of both intentions and capabilities. Moreover, it is easy to conceive of other countries becoming sources of risk. It would be helpful to have a dynamic process that more finely calibrates the designation of “countries of concern” to match threats.
- Categories of transactions. A more difficult question is presented by the categorization of transactions. Which transactions should be prohibited, restricted, licensed, or exempted may well require nuanced determinations involving a wide range of considerations. For example, which companies meet the “data broker” definition? Do all those companies present the same national security risk profile? The ANPRM takes a thoughtful, nuanced approach, but it is not clear how sustainable these categories will be over time.
- Sensitivity of data. Similarly, determining which data is “sensitive” for purposes of the regulation (and at what “bulk” thresholds) is itself a moving target. AI and other technological advances will make it possible to derive increasingly rich inferences from seemingly non-sensitive data. How will the regulations address such capabilities?
- Internet of Things. The connected vehicles ANPRM highlights the growing threat of foreign adversaries using technology to gather personal data. It goes without saying that such technology appears in a wide range of consumer products. As IC leaders have warned, “the surge of Internet connected devices and the delegation of more and more decisions to machines offers the potential for rich new targets for our adversaries, and raises the potential consequences when they gain access to our digital systems.” What consumer devices might come next?
A National Data Protection Strategy
Answering the above and related questions will be difficult for existing interagency processes to address, even if buttressed with additional hiring. To confront a major challenge like this, it is important to think strategically. What is the overall nature of the threat? What existing legal authorities can be marshaled in response? What new authorities are needed? What elements of national power can best be deployed, and how? Which agencies must be involved?
Importantly, developing a national strategy requires careful consideration of the overall effectiveness of contemplated measures in light of ever-changing technologies and a rapidly evolving threat landscape. Indeed, it is hard to think of how any response can be sustainable over the long term without a holistic approach recognizing the value of personal data, and the range of ways in which that data can be used, abused, and misused, by a range of actors. The threat to personal data is not limited to “covered persons” who are subject to the jurisdiction of “countries of concern.” Criminals and other bad actors seek personal data for their own harmful purposes.
Elements of such a strategy would include extensive public and congressional engagement, not focused solely on a specific proposed rule, but on the broader questions of how to best protect personal data from national security threat actors. It would also involve working with our partners and allies abroad, to ensure that like-minded democracies are acting together to ensure that data can continue to flow to those we trust, with comparable measures deployed to protect data from exploitation by those we distrust.
This approach highlights the need for comprehensive federal privacy legislation providing basic, standardized, nationwide privacy safeguards for companies to follow. By ensuring that our own government accesses commercially available personal information pursuant to a transparent and clear legal framework, the United States could position itself as a leader (and distinguish itself from its adversaries) in the realm of privacy and civil liberties.
In short, a national strategy would better position the United States to follow through on the promise of the new Order: to protect personal data as a national security imperative.