Given that I was not able to cover some of the developments over the previous six weeks in the depth I normally would have, I will be going back to examine some of the higher profile items from June. Today, I want to dive into Executive Order 14034, “Protecting Americans’ Sensitive Data From Foreign Adversaries,” given my particular interest in the issue. As I explained in great detail, it is almost a certainty that foreign intelligence services are accessing the oceans of personal data siphoned off from Americans every day. As a result, there are national security implications, and the United States (U.S.) government would be wise to take steps to address the flow of data to other nations, especially the People’s Republic of China (PRC), the Russian Federation, Iran, North Korea, and others.
In its fact sheet, the Biden Administration makes the impetus for the executive order (EO) very clear:
The Biden Administration is committed to promoting an open, interoperable, reliable and secure Internet; protecting human rights online and offline; and supporting a vibrant, global digital economy. Certain countries, including the People’s Republic of China (PRC), do not share these values and seek to leverage digital technologies and Americans’ data in ways that present unacceptable national security risks while advancing authoritarian controls and interests.
And, the Biden Administration is right. The PRC is trying to get its hands on as much personal data as possible while trying to protect its own (as evidenced by the recently proposed Personal Information Protection Law (PIPL), the PRC’s first data protection law).
This EO builds on the Trump Administration’s Executive Order 13873, “Securing the Information and Communications Technology and Services Supply Chain” that was intended “to protect the security, integrity, and reliability of information and communications technology and services provided and used in the United States” through the declaration of a national emergency. The EO bars U.S. entities from buying or using the information and communications technology and services (ICT) from “foreign adversaries” if a determination is made that doing so would sabotage or subvert U.S. ICT, place U.S. critical infrastructure or its digital economy at “undue risk,” or “poses an unacceptable risk” to national security or safety. On the last day of the Trump Administration, per the EO, the Department of Commerce (Commerce) issued an interim final rule, and the agency explained:
- These regulations create the processes and procedures that the Secretary of Commerce will use to identify, assess, and address certain transactions, including classes of transactions, between U.S. persons and foreign persons that involve information and communications technology or services designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary; and pose an undue or unacceptable risk. While this interim final rule will become effective on March 22, 2021, the Department of Commerce continues to welcome public input and is thus seeking additional public comment. Once any additional comments have been evaluated, the Department is committed to issuing a final rule.
- On November 27, 2019, the Department of Commerce (Department) published a proposed rule to implement the terms of the Executive Order. (84 FR 65316). The proposed rule set forth processes for (1) how the Secretary would evaluate and assess transactions involving ICTS to determine whether they pose an undue risk of sabotage to or subversion of the ICTS supply chain, or an unacceptable risk to the national security of the United States or the security and safety of U.S. persons; (2) how the Secretary would notify parties to transactions under review of the Secretary’s decision regarding the ICTS Transaction, including whether the Secretary would prohibit or mitigate the transaction; and (3) how parties to transactions reviewed by the Secretary could comment on the Secretary’s preliminary decisions. The proposed rule also provided that the Secretary could act without complying with the proposed procedures where required by national security. Finally, the Secretary would establish penalties for violations of mitigation agreements, the regulations, or the Executive Order.
- In addition to seeking general public comment, the Department requested comments from the public on five specific questions: (1) Whether the Secretary should consider categorical exclusions or whether there are classes of persons whose use of ICTS cannot violate the Executive Order; (2) whether there are categories of uses or of risks that are always capable of being reliably and adequately mitigated; (3) how the Secretary should monitor and enforce any mitigation agreements applied to a transaction; (4) how the terms, “transaction,” “dealing in,” and “use of” should be clarified in the rule; and (5) whether the Department should add record-keeping requirements for information related to transactions.
- The list of “foreign adversaries” consists of the following foreign governments and non-government persons: The People’s Republic of China, including the Hong Kong Special Administrative Region (China); the Republic of Cuba (Cuba); the Islamic Republic of Iran (Iran); the Democratic People’s Republic of Korea (North Korea); the Russian Federation (Russia); and Venezuelan politician Nicolás Maduro (Maduro Regime).
However, not all of the previous administration’s PRC directives were maintained. The Biden EO rescinds three Trump Administration EOs aimed squarely at the PRC:
- Executive Order 13942 of August 6, 2020 (Addressing the Threat Posed by TikTok, and Taking Additional Steps To Address the National Emergency With Respect to the Information and Communications Technology and Services Supply Chain);
- Executive Order 13943 of August 6, 2020 (Addressing the Threat Posed by WeChat, and Taking Additional Steps To Address the National Emergency With Respect to the Information and Communications Technology and Services Supply Chain); and
- Executive Order 13971 of January 5, 2021 (Addressing the Threat Posed by Applications and Other Software Developed or Controlled by Chinese Companies).
Consequently, the Office of Management and Budget (OMB) and federal agencies are directed to suspend all activities related to these EOs.
The legality of the TikTok and WeChat EOs was challenged in U.S. court, with the result that the Trump Administration could not enforce them. However, given the last administration’s emphasis on optics, as long as it was seen as trying to fight the PRC, the actual results were less important. The Biden Administration filed motions in court allowing it more time to determine how it would address these EOs, and this is the denouement of these orders. As for the third EO, it was likely not even implemented because of the late date it was issued.
Under the new EO, Commerce, in coordination with virtually all the national security and ICT stakeholder agencies, is directed to draft recommendations within two months (i.e. by early August) for National Security Advisor Jake Sullivan “to protect against harm from the unrestricted sale of, transfer of, or access to United States persons’ sensitive data, including personally identifiable information, personal health information, and genetic information, and harm from access to large data repositories by persons owned or controlled by, or subject to the jurisdiction or direction of, a foreign adversary.” Additionally, “the Director of National Intelligence shall provide threat assessments, and the Secretary of Homeland Security shall provide vulnerability assessments, to the Secretary of Commerce to support development of the report.” And so, the Office of the Director of National Intelligence (ODNI) and the Department of Homeland Security (DHS) have deliverables Commerce will need before it can draft and submit its recommendations.
Additionally, within three months of issuance of the EO (early September), Commerce will also need to submit a report to Sullivan “recommending additional executive and legislative actions to address the risk associated with connected software applications that are designed, developed, manufactured, or supplied by persons owned or controlled by, or subject to the jurisdiction or direction of, a foreign adversary.”
And so, the heart of this EO is to develop recommendations regarding personal data and software applications, meaning the Biden Administration will not be taking immediate action and will instead await reports. Moreover, once the reports have been submitted, the White House, and specifically the National Security Council, will probably not act in the short term, but if and when they do, there may be another EO or directives to agencies to press whatever levers of power they possess. Some of the recommendations may take the form of legislative language the Congress should enact to give the executive branch more authority to address foreign adversary access to U.S. personal data.
Of course, Commerce’s remit is to make recommendations on transfers to or access by a foreign adversary, but this seems to omit the case of such an adversary accessing these data in a third nation. Consequently, even if all goes according to plan, the PRC or other nations may still be able to access U.S. personal data through a third country.
Moreover, under this EO, Commerce must evaluate on a continuing basis transactions involving connected software applications that may:
- pose an undue risk of sabotage or subversion of the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of information and communications technology or services in the United States;
- pose an undue risk of catastrophic effects on the security or resiliency of the critical infrastructure or digital economy of the United States; or
- otherwise pose an unacceptable risk to the national security of the United States or the security and safety of United States persons.
The EO continues, “[b]ased on the evaluation, the Secretary of Commerce shall take appropriate action in accordance with Executive Order 13873 and its implementing regulations.”
There is interest in the national security facets of personal data on Capitol Hill, as I discussed in my Lawfare article:
Democratic Sen. Ron Wyden of Oregon recently released a discussion draft of the Protecting Americans’ Data from Foreign Surveillance Act, a bill he claims “would create new safeguards against exporting sensitive personal information to foreign countries if doing so could harm U.S. national security.” The bill would append a new section to the existing export control statute regarding the export of certain personal data. This bill would provide an impetus and framework for the Biden administration to begin addressing the unimpeded flow of U.S. personal data. Presumably this bill would bar data brokering for clients in or associated with nations such as the PRC, Russia, Iran, North Korea and others.
Under Wyden’s proposal, the Department of Commerce would need to establish an interagency process to determine (a) which categories of personal data would be covered by the export control system, (b) the threshold above which the export of specified categories of personal data would be controlled, (c) the nations for which one would need a license or other authorization to transfer, export, reexport, or do in-country transfers of covered data, and (d) a list of those nations for which one would not need such a license or authorization.
The bill further provides that this interagency process would focus on the categories of personal data that could be exploited to the detriment of national security and would need to name these categories within one year of enactment. Also within one year, these agencies would need to set a threshold between 10,000 and 1,000,000 U.S. residents above which an entity’s proposed transfer of covered categories of personal data may entail obtaining a license or authorization. As noted above, the agencies would create a list of nations to whom the export of covered personal data is likely to harm national security. And any proposed transfers to these nations would require the exporting party to make the case that national security would not be harmed (the interagency process must review all such applications).
Certain transfers would be exempted in Wyden’s bill. For example, a person sending her personal data would not need an export license. Likewise, if a person is performing a service for another and the transfer of strictly necessary personal data is required, no license would be needed. (This language is tightly written to avoid the outcome where this exception nulls the rule that one needs an export license by stipulating it upon necessity.) Moreover, the bill provides that if the personal data is encrypted to certain standards, an export license may not be needed. And to protect the data from foreign adversaries, the interagency process would also need to set the length of time each category of covered personal data must be encrypted.
Violations would be punished under the current export control regime, and some people whose personal data is transferred in violation of the act would be able to sue. Notably, only those physically harmed, detained or imprisoned in a foreign jail as a result of the violation would have a private right of action. And five years after the bill’s enactment, unintentional transfers to nations identified as national security risks could be punished unless the data is encrypted or is delivered by a third party that said the data would not transit or end up in a prohibited nation.
Incidentally, Wyden and co-sponsors also introduced the Fourth Amendment Is Not for Sale Act this month, a bill that would largely bar data brokers from selling or sharing location data and other personal data to U.S. law enforcement and intelligence agencies unless approved by a court.
It is possible that the recommendations submitted to the National Security Advisor seek to leverage existing authorities under the U.S. export control regime or the Committee on Foreign Investment in the United States (CFIUS), or these may be requests to Congress for even more authority. Time will tell.
© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.