Biden Administration Takes New Steps to Address National Security Risks of Foreign Access to U.S. Data

The Biden Administration is taking new steps to address national security threats posed by foreign access to U.S. data. The clear focus of these measures is China. Building on prior Executive Orders — Executive Order 13873 (Securing the Information and Communications Technology and Services (“ICTS”) Supply Chain) and Executive Order 14034 (Protecting Americans’ Sensitive Data from Foreign Adversaries) — President Biden issued a new Executive Order on Preventing Access to Americans’ Bulk Sensitive Personal Data and U.S. Government-related Data by Countries of Concern. The Executive Order directs various U.S. agencies including the Departments of Justice, Homeland Security, Health and Human Services (“HHS”), and the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector (“Team Telecom”) to take measures to protect access to U.S. data through new regulations and existing authorities.

Consistent with the concerns articulated in the Executive Orders, the Biden Administration also directed the Commerce Department to investigate, and take action to respond to national security risks posed by, connected vehicles (“CVs”) with technology from countries of concern, in particular, China. The Commerce Department issued an advanced notice of proposed rulemaking seeking comment on regulations to protect against “foreign adversary ICTS in CVs.”

Both actions reflect ongoing national security threats posed by foreign, in particular, Chinese, access to U.S. data. Though protections have long been in place to protect individual personal data (for example, the Health Insurance Portability and Accountability Act (“HIPAA”) protects the confidentiality of medical data), advancements in technology, particularly in artificial intelligence, have raised concerns of new avenues of potential exploitation of U.S. personal data by malicious actors, even if anonymized and de-identified. The precise scope of restrictions imposed by these new executive actions will emerge from the implementing regulations. We expect to see further actions by the U.S. Government as technology advances and tensions with adversaries, in particular, China, continue to mount.

New Executive Actions to Protect U.S. Data

Executive Order:

The Executive Order aims to address the national security threat posed by efforts of foreign countries of concern to access Americans’ sensitive personal data or U.S. Government-related data and then use AI and other advanced technologies to analyze and manipulate the data for nefarious purposes, including espionage, influence, and cyber operations. The data of concern includes genomic data, biometric data, personal health data, geolocation data, and financial data.

Though China is not called out expressly in either the Executive Order or the accompanying White House statement, references in the Executive Order leave little doubt as to the origin of the threats articulated in the Executive Order, including “a country of concern may have cyber, national security, or intelligence laws that, without sufficient legal safeguards, obligate [entities and individuals subject to its jurisdiction] to provide that country’s intelligence services access to Americans’ bulk sensitive personal data and United States Government-related data.”

To address the identified national security threats, the Executive Order directs federal agencies to take the following actions:

• Department of Justice: Issue regulations to prohibit or restrict U.S. persons from engaging in a class of transactions involving bulk sensitive personal data or U.S. Government data.
• Departments of HHS, Defense, and Veterans Affairs: Publish guidance and regulations to ensure federal financial assistance is not used to facilitate access to Americans’ bulk sensitive health data, including personal health data or human genomics data. This could result in the first ever set of regulations in the United States broadly prohibiting or restricting the cross-border transfer of sensitive personal data to certain jurisdictions or persons.
• Team Telecom: Review licenses for submarine cable systems owned or operated by persons subject to the jurisdiction of a country of concern to assess risks to sensitive data transiting the submarine cables.

CVs ANPRM:

The Biden Administration’s related action concerning CVs is intended to address the national risks posed by the ability of ICTS integral to CVs to collect data about U.S. citizens and infrastructure, including the threat of remote access and vehicle disablement. Through the ANPRM, the Commerce Department seeks input on how types of ICTS transactions related to CVs present national security risks and whether mechanisms can be implemented to mitigate such risks.

Unlike the Executive Order, the investigation and regulatory process explicitly identifies China as the source of the threat. While that threat is ostensibly one of national security, the White House’s statements also indicate concern for the U.S. auto industry, noting “China is determined to dominate the future of the auto market, including by its unfair practices. China’s policies could flood our market with its vehicles, posing risks to our national security.”; and “As President I vowed to do right by auto workers and middle-class families that depend on the auto industry for jobs. With this and other actions, we’re going to make sure the future of the auto industry will be made here in America with American workers.”

This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Greta L. Nightingale, an O’Melveny partner licensed to practice law in the District of Columbia; David J. Ribner, an O’Melveny partner licensed to practice law in the District of Columbia and New York; Scott W. Pink, an O'Melveny special counsel licensed to practice law in California and Illinois; and Shruti Kannan, an O’Melveny associate licensed to practice law in the District of Columbia and New York, contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.

© 2024 O’Melveny & Myers LLP. All Rights Reserved. Portions of this communication may contain attorney advertising. Prior results do not guarantee a similar outcome. Please direct all inquiries regarding New York’s Rules of Professional Conduct to O’Melveny & Myers LLP, Times Square Tower, 7 Times Square, New York, NY, 10036, T: +1 212 326 2000.