DOJ addresses National Security risks and Data Security from groundbreaking Executive Order

Listen to this article

On Wednesday, President Biden issued a groundbreaking Executive Order addressing “the extraordinary and unusual national security threat posed by the continued effort of certain countries of concern to access Americans’ bulk sensitive personal data and certain U.S. Government-related data.”

The first of its kind, the Executive Order — “Preventing Access to Americans’ Bulk Sensitive Personal Data and U.S. Government-Related Data by Countries of Concern,” directs the Justice Department to establish, implement and administer new and targeted national-security programming to address the threat, according to Justice Department officials.

The order requires the Justice Department, in consultation with other agencies, to issue regulations that prohibit, or otherwise restrict, certain categories of data transactions that pose an unacceptable risk to national security.

“Our adversaries are exploiting Americans’ sensitive personal data to threaten our national security,” said Attorney General Merrick B. Garland.

“They are purchasing this data to use to blackmail and surveil individuals, target those they view as dissidents here in the United States, and engage in other malicious activities. This Executive Order gives the Justice Department the authority to block countries that pose a threat to our national security from harvesting Americans’ most sensitive personal data—including human genomic data, biometric and personal identifiers, and personal health and financial data,’ Garland said.

Americans’ data not for sale

“Today, we make clear that American citizens’ sensitive and personal data is not for sale to our adversaries,” said Deputy Attorney General Lisa Monaco.

“The Justice Department has long focused on preventing threat actors from stealing data through the proverbial back door. This executive order shuts the front door by denying countries of concern access to Americans’ most sensitive personal data,” Monaco added.

Bulk data collection

“Hostile foreign powers are weaponizing bulk data and the power of artificial intelligence to target Americans,” said Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division.

“Today’s announcement fills a key gap in our national security authorities, affording the Justice Department a new and powerful enforcement tool to protect Americans and their most sensitive information from being exploited by our adversaries,” Olsen added.

In addition to this new program, the order takes additional steps to enhance the Justice Department’s existing authorities to address data-security risks, including with respect to telecommunications infrastructure, the health care market, and consumer protection.

According to Justice Department officials, under existing transaction-specific authorities, the Department closely scrutinizes data-security risks, including as the chair of the interagency committee known as Team Telecom that reviews foreign participation in the U.S. telecommunications sector; as a co-lead agency for investments reviewed by the Committee on Foreign Investment in the United States (CFIUS); and in other roles addressing counterintelligence risks through the U.S. Government’s supply-chain authorities. The Department, including the FBI, also works closely with the Intelligence Community to share information with the private sector about the threats facing their sensitive data and systems.

In accordance with the Executive Order, the Justice Department’s National Security Division will implement its provisions on behalf of the Attorney General, and contemplates identifying China, Russia, Iran, North Korea, Cuba, and Venezuela as countries of concern under this program. The National Security Division will issue an Advance Notice of Proposed Rulemaking (ANPRM) describing the initial categories of transactions involving bulk sensitive personal data or certain U.S. Government-related data as outlined in the E.O. and seeking public comment on items the Department of Justice contemplates regulating, including prohibitions on data brokerage and transfers of genomic data, and restrictions on vendor, employment, and investment agreements.

The purpose of the ANPRM is to provide transparency and clarity about the intended scope of the program and to solicit input from the public before it goes into effect.

“The Department welcomes comments on the ANPRM from industry, civil society, and advocacy groups with expertise on data security and cybersecurity, organizations and entities affected by the proposed regulations, and anyone else with an interest in the proper administration of the Executive Order’s directions to prohibit or restrict certain transactions involving Americans’ bulk sensitive personal data or U.S. Government-related data with countries of concern or persons subject to their jurisdiction. Written comments on the ANPRM may be submitted within 45 days on regulations.gov. The ANPRM will be followed by proposed regulations at a later date,” officials said.

“The Department is committed to protecting Americans from countries that may seek to collect and weaponize their most sensitive data. As the nation’s lead law enforcement and domestic counterintelligence agency, the Department is a key line of defense. The Department undertakes law enforcement and counterintelligence investigations and prosecutions to disrupt and deter state-sponsored malicious cyberactivity that seeks to exfiltrate sensitive data from U.S. victims for intelligence collection and economic espionage,” officials noted.

“The Justice Department is committed to ensuring that this program remains carefully calibrated and is consistent with the United States’ longstanding commitments to cross-border data flows with trust, an open and secure internet, and open scientific research through international cooperation and collaboration. This program is a targeted national security measure, focused on transactions with a handful of identified countries of concern or covered persons subject to their jurisdiction. The E.O. does not authorize — and indeed specifically prohibits — the Department from establishing data-localization requirements as part of this targeted new program. The E.O. and contemplated program also exempt certain categories of data transactions, such as those ordinarily incident to financial services, in order to allow low-risk commercial activity to continue unimpeded and to minimize unintended economic impacts on businesses and markets,” officials added.

In closing officials said, “The Department looks forward to continuing to receive and consider public input through the rulemaking process.”