On February 28, 2024, President Joe Biden issued a landmark Executive Order titled “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” (the “Order”). The regulations stemming from the Order are far from final or effective, but the Order itself and the DOJ’s recently published advanced notice of proposed rulemaking (“ANPRM”) provide insight into the potential risks and compliance obligations of the Order’s data protection mandates for the business community.
Overview of the Executive Order and ANPRM
The Order seeks to restrict “countries of concern” and “covered persons” from accessing bulk sensitive personal data and U.S. Government-related data where such access would pose “an unacceptable risk to the national security of the United States” due to the potential use of such data for illicit purposes, such as blackmail or espionage. Accordingly, the Order empowers the DOJ to implement regulations effecting that goal.
In the ANPRM, the DOJ lays out a tentative regulatory framework that generally prohibits a “United States person” from “knowingly” engaging in a “covered data transaction” with a “country of concern” or “covered person.” The relevant definitions that the DOJ is considering are listed below: Read more
