Article Law360

What Cos. Can Do Ahead Of Upcoming Sensitive Data Regs

In this article for Law360, Kirkland attorneys Mario Mancuso, Anthony Rapa, Luci Hague and Jeremy Iloulian discuss how the Biden administration's executive order establishing the contours for a new regulatory framework to protect U.S. persons' personal data will impact U.S. companies.

On June 9, President Joe Biden signed an executive order that establishes the contours for a new regulatory framework to protect U.S. persons' personal data.

Notably, Executive Order No. 14034 revoked three previous executive orders issued by former President Donald Trump that had sought to prohibit certain dealings with TikTok, WeChat and other China-based mobile apps.

While the ultimate impacts of the executive order will depend on the nature and scope of any implementing regulations that may result from a series of reports it requires, the executive order demonstrates continued U.S. government concerns about the risks to national security that can arise from access by foreign adversaries to U.S. persons' data.

The View From Washington

In the past several years, Democrats and Republicans alike have expressed significant concerns about potential foreign access to U.S. persons' sensitive data, including health and financial information.

In 2019 and 2020, the Trump administration took several actions to address these concerns, including (1) issuing Executive Order No. 13873, which was intended to help secure the U.S. information and communications technology and services, or ICTS, supply chain; and (2) issuing Executive Order No. 13942 addressing TikTok, Executive Order No. 13943 addressing WeChat, and Executive Order No. 13971 attempting to impose restrictions and prohibitions on China-based software applications.

The regulations for the latter three executive orders were never implemented, due to court challenges and the fact that they were issued shortly before Biden took office. While Biden's recent executive order replaces these three executive orders, it reflects the concerns that they addressed and builds upon their initial legal framework.

What the New Executive Order Does

Biden's recent executive order requires the drafting of two reports over the next six months that will provide guidance to the White House on regulations to implement and legislation to propose. The executive order does not require public release of these reports.

Revokes the Trump Administration Executive Orders

Likely in an effort to limit further legal challenges, the new executive order revokes the three Trump executive orders intended to impose restrictions on TikTok, WeChat and Chinese software applications, as well as related executive actions.

The TikTok and WeChat executive orders essentially were nonoperational after plaintiffs challenging the orders obtained preliminary injunctions enjoining their implementation. The Biden administration never promulgated any regulations to implement the terms of the Chinese software executive order.

Directs U.S. Agencies to Develop a Policy Foundation for Protecting Sensitive Data and Restricted Transactions

Within 120 days of the date of Biden's June 9 executive order, the U.S. Department of Commerce, in consultation with select other agencies, will issue a report that will list recommendations to protect against harm "from the unrestricted sale of, transfer of, or access to [U.S.] persons' sensitive data … [and] access to large data repositories by persons owned or controlled by, or subject to the jurisdiction or direction of, a foreign adversary."

The new executive order does not provide a full definition of what constitutes sensitive data, but lists examples including personally identifiable information, personal health information and genetic information. As a parallel, the regulations implementing Trump's ICTS executive order list sensitive personal data as including financial data, information normally included in an application for health insurance, and biometric data, among others.[1]

Notably, the new executive order does not set a quantity threshold for sensitive data — i.e., potential forthcoming restrictions could apply to any transaction involving sensitive data that has a nexus with a foreign adversary, even though the ICTS regulations focus on sensitive personal data of greater than one million U.S. persons.[2] Further, the new executive order makes clear that nonsensitive data in large quantities could still be subject to any restrictions.

Directs U.S. Agencies to Identify National Security Risks Associated With Connected Software Applications

Within 180 days of the date of the executive order, Commerce will issue the second report — the connected software applications report — which will include recommendations addressing "the risk associated with connected software applications that are designed, developed, manufactured, or supplied by persons owned or controlled by, or subject to the jurisdiction or direction of, a foreign adversary."

Potential eventual restrictions regarding designers, developers, manufacturers and suppliers of such connected software could implicate entire supply chains associated with connected software applications, depending on how the restrictions are crafted.

The new executive order defines "connected software application" as software that is designed for end users to use on an end-point computing device and that "collect[s], process[es], or transmit[s] data via the internet." This would potentially include mobile applications as well as computer games. The definition is nearly identical to that in the Chinese software executive order.

Lays a Foundation for Defining Foreign Adversaries

The new executive order focuses on "persons owned or controlled by, or subject to the jurisdiction or direction of, a foreign adversary," but does not identify or designate any foreign adversaries or describe what it means to be subject to the jurisdiction or direction of a foreign adversary.

It seems highly likely that China will be considered a foreign adversary given that the introductory text to the executive order cites the ICTS executive order's designation of China as a foreign adversary under the ICTS regulations. Notably, the ICTS regulations also list Cuba, Iran, North Korea, Russia and Venezuela as foreign adversaries.

Further, by way of comparison, the ICTS regulations contain a broad interpretation of who is "owned or controlled by, or subject to the jurisdiction or direction of, a foreign adversary." This includes (1) "any corporation … organized under the laws of a nation-state controlled by a foreign adversary," and (2) "any corporation … wherever organized or doing business, that is owned or controlled by a foreign adversary."

If a comparable definition is used here, it could capture all entities located in China — even if not ultimately owned by a Chinese entity or headquartered in China — and all entities owned or controlled by China or the Chinese government.

Provides a Basis for Interim Enforcement via the ICTS Regulations

The new executive order directs Commerce to evaluate "on a continuing basis transactions involving connected software applications" and whether they pose an undue risk to U.S. information and communications technology or services, or critical infrastructure, or unacceptable risk to U.S. national security — language that mirrors the criteria in the ICTS regulations.

Next Steps

By Aug. 8, the Office of the Director of National Intelligence and the U.S. Department of Homeland Security must prepare and submit individual assessments to Commerce. These likely will provide Commerce with guidance as to which types of personal data — e.g., financial data, medical data — could be subject to forthcoming restrictions, as well as any other factors that may influence the restrictions.

By Oct. 7, Commerce must issue the sensitive data report to the national security adviser.

By Dec. 6, Commerce must issue the connected software applications report to the national security adviser.

There is currently no deadline for Commerce to issue regulations to implement the executive order. However, certain media reports have indicated that Commerce may issue subpoenas to certain Chinese companies to collect information that could inform the reports.

How Companies and Investors Should Respond

Companies and investors should continue to monitor developments with respect to the executive order, as the takeaways from the reports — and any potential restrictions — likely will become apparent in the next four to six months.

Investors should ensure that due diligence for corporate transactions covers potential impacts of the executive order on investment targets' value chains and businesses. For example, does the target business produce a connected software application in China or Russia, or does it rely on connected software applications for other purposes, such as marketing or internal communications?

Companies should examine any data-sharing agreements to determine if they provide for sharing of any sensitive data, or large quantities of data more generally, with persons in China or Russia. To the extent that this is the case, companies should consider whether modifications to the scope of any such agreement may be warranted — or, depending on the outcome of future implementing regulations, required.

Software companies should assess their supply chains and data storage for exposure to China or Russia, including via any entities headquartered in other Asian or European countries that supply components or source code from facilities based in China or Russia.

The new executive order provides further guidance on transactions that could be subject to the ICTS regulations, indicating that transactions involving connected software applications could present heightened risks of foreign adversary control. Companies engaged in such transactions should consider whether any prudential changes to their business models would be warranted — for example, shifting away from reliance on Chinese or Russian connected software applications to alternate suppliers — in light of this guidance.