On February 28, 2024, the Biden administration announced the creation of a new national security regulatory regime that will prohibit or restrict certain transactions involving bulk sensitive US personal data or government-related data and specified “countries of concern.” The Biden administration announced the regime in a new executive order, Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern (EO 14117), which was accompanied by an advance notice of proposed rulemaking (ANPRM) issued by the National Security Division (NSD) of the Department of Justice (DOJ), the component and agency with primary responsibility for implementing and enforcing the forthcoming regulations. The White House and DOJ also published fact sheets regarding the new regime.

Executive branch officials and members of Congress have long been concerned about the lack of a national security regulatory regime covering the transfer of sensitive US personal data to countries of concern, particularly China. As explained in EO 14117, such data has the potential to be used for a variety of nefarious purposes, including surveillance, extortion, and influence campaigns targeting US government employees and members of the US military, among others. The order highlights that such risks have become more acute due to the rapid advancement of artificial intelligence (AI) and its ability to analyze and manipulate data sets. Bulk sensitive personal data can also be used in the creation and refinement of AI models and other advanced technologies.

According to the White House, the EO is “the most significant executive action any President has ever taken to protect Americans’ data security.”

The public may submit comments on the ANPRM through April 19, 2024 and will likely have an additional opportunity to comment on the language contained in a proposed rule, once issued.

Although intended to be tailored in its scope, our initial assessment is that the new regulatory scheme, once fully implemented, will likely have a profound impact on a number of industries and entities around the world. At a minimum, it seems certain that regulatory compliance costs could be substantial, particularly on entities that have not previously focused on building out a risk-based compliance program in this or other related areas.
Continue Reading Biden Administration to Implement New National Security Rules Targeting Personal Data

On September 9, 2021, the long-awaited recast of the EU Dual-Use Regulation (the Regulation) will enter into force. It provides for new rules on cyber-surveillance technology, the provision of technical assistance, as well as export restrictions for reasons of public security and human rights considerations. Additionally, the new Regulation provides for large project authorizations as well as two new EU General Export Authorizations.
Continue Reading Revised EU Dual-Use Regulation to Enter into Force

In 2015, the People’s Republic of China (PRC) enacted the first part of its comprehensive data security regime with the promulgation of the State Security Law, which provided a statutory basis for the construction of a nationwide network and information security system. The Cybersecurity Law (CSL), which followed in 2017, addressed cybersecurity protection and introduced the concept of a “Critical Information Infrastructure Operator” (CIIO). Subsequently, other laws, regulations, and rules have been promulgated addressing the requirements of China’s digital economy, related state security matters, and personal information privacy rights. Among those, the Data Security Law (DSL) became effective on September 1, 2021, and the Personal Information Protection Law (PIPL) will go into effect on November 1, 2021. After subsidiary regulations and rules addressing implementation of the DSL and PIPL have entered into force, China’s new data security architecture should be largely complete.
Continue Reading China Builds Out Data Security Architecture With New Regulations on Cross Border Data Transfers

On September 18, 2020, the US Commerce Department announced the prohibited transactions (which would be effective as of September 20, subject to a court-ordered suspension discussed below) aimed at limiting the use of WeChat (and possibly also TikTok) within the United States. These prohibitions may have some effect outside the United States as well. Technology companies, Internet infrastructure companies, financial institutions, and other companies that support these apps should take particular note since the prohibitions are directed at business-to-business engagement, as opposed to individual users of these apps. However, users should consider that their ability to continue to use WeChat in particular within the United States may become severely restricted, and perhaps eventually eliminated. The Commerce Department’s September 18 announcement explains that these prohibitions are intended to “protect users in the U.S. by eliminating access to these applications and significantly reducing their functionality.”

As background, on August 6, President Trump issued Executive Orders 13942 and 13943, directing the Secretary of Commerce to identify, within 45 days, specific types of prohibited transactions related to ByteDance Ltd. (including TikTok) and WeChat. See our earlier blog post for more detail. In two Notifications issued on September 18 (the WeChat notice is available here, and the ByteDance / TikTok notice is here), the Commerce Department identified a broad set of business-to-business transactions involving WeChat and ByteDance / TikTok that would be prohibited under US law.

Importantly, the timing for these prohibitions is different for each of the two Notifications.

  • The WeChat prohibitions were to take effect on September 20. However, they were temporarily blocked by a preliminary injunction issued by a US federal magistrate judge on September 19. The outcome of this litigation remains uncertain.
  • The limited ByteDance / TikTok prohibitions that were slated to take effect on September 20 were suspended by the Commerce Department until September 27 at 11:59 p.m. eastern. In a press release issued after the Notifications themselves, the Commerce Department stated that this delay was provided “in light of recent positive developments . . . at the direction of President Trump.” The effective date of most of the ByteDance / TikTok prohibitions as stated in the Notification is not until November 12, 2020, which would align with the 90-day period for divestment of TikTok in the United States that was ordered by the President on August 14. A proposed divestment or other type of partnership to operate TikTok within the United States is currently under review by the Committee on Foreign Investment in the United States (CFIUS). President Trump stated that he has given the most recent proposed deal for TikTok his “blessing,” but the CFIUS process is not yet complete; nor has the deal closed. Commerce’s press release states that “the President has provided until November 12 for the national security concerns posed by TikTok to be resolved. If they are, the prohibitions in this order may be lifted.” The Chinese government has also indicated that any such deal would be subject to its approval as well.

Continue Reading US Commerce Department Identifies Prohibited Transactions Involving WeChat and TikTok

On August 6, 2020, the White House issued a pair of Executive Orders (EOs) (available here and here) under the International Emergency Economic Powers Act (IEEPA) that could limit US users’ access to mobile apps from China’s Tencent Holdings Ltd. (Tencent) and ByteDance Ltd. (ByteDance). The EOs, which direct the Commerce Department to identify prohibited transactions within 45 days, could also limit other transactions involving US-origin goods, technology, and software to the companies and certain subsidiaries.

The two EOs build on the IEEPA national emergency declared in EO 13873 of May 15, 2019, Securing the Information and Communications Technology and Services Supply Chain, which, among other things, directs the Commerce Department to restrict the “acquisition, importation, transfer, installation, dealing in, or use of any information and communications technology or service” that is “designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary.”

(Click here to read Steptoe’s earlier blog post on EO 13873.)
Continue Reading Executive Orders Aim to Restrict US Dealings with Chinese App Makers TenCent, ByteDance within 45 Days

In the past two months, the federal government has issued several cybersecurity-related regulations that are or will be directly or indirectly applicable to a wide variety of federal contractors and subcontractors. Additional rules (including a blanket FAR provision) are expected, but the three rules below present an interrelated set of requirements and standards that federal

Yesterday, the European Commission (EC) adopted its long-awaited decision endorsing the EU-US privacy shield. This is the latest milestone in restoring a stable legal basis for transatlantic flows of personal data, since the Court of Justice of the EU annulled the EU-US Safe Harbor program in its judgment in the Schrems case in October 2015.
Continue Reading European Commission Endorses EU-US “Privacy Shield”

Last month, Turkey’s new “Law on the Protection of Personal Data” entered into force. It provides a framework similar to the European Union’s data protection regime. The law applies to personal data processed “wholly or partly by automatic means” and to non-automatic processing of personal data “which form part of a filing system.” The law also requires the establishment of a Data Protection Authority and a Data Protection Board by October 7, 2016 to oversee its provisions, including establishing and maintaining a registry of active data controllers, which must register with the Board.

The law defines “personal data” as any information relating to an identified or identifiable living individual. It defines “sensitive data” (on which additional processing obligations are imposed) as information that reveals racial or ethnic origin; political opinions; religious or philosophical beliefs; appearance; memberships in unions, associations or foundations; as well as information about health, sexual life, criminal records, punitive measures, and biometric and genetic data.
Continue Reading Turkey Enacts Data Protection Law