In February, President Biden announced an Executive Order on Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern. To implement the Executive Order (EO), the Justice Department issued an Advance Notice of Proposed Rulemaking to restrict the transfer to “countries of concern” of sensitive personal data in bulk. Sensitive personal data is information that can identify a person (like social security numbers, financial and health data, etc.), and sensitive government data includes personally-identifiable information about members of the military and contractors and about military locations.

Comments on the ANPRM were due on April 19. Proposed rules must be published by DOJ by August 28 after coordination with the Department of Homeland Security, and the State and Commerce Departments must concur on which countries raise concern. Currently, DOJ is contemplating China, Russia, Iran, North Korea, Cuba, and Venezuela.

The EO cites the International Emergency Economic Powers Act and National Emergencies Act as authority, making it yet another example of the Biden administration’s penchant for identifying “emergencies” to impose new or increased regulation. In further support, the EO notes that it builds on three previous EOs, including one from the Trump administration, which formalized the interagency Committee for the Assessment of Foreign Participation in the U.S. Telecommunications Services Sector—informally called Team Telecom—and required standardized mitigation measures for subsea cables originating or landing in the U.S.

The EO may have been inspired by data brokers, but it also covers several other sectors, including operators of submarine cables used to transfer bulk sensitive personal data. Subsea cables carry the vast majority of intercontinental internet traffic—over 90%. With the rising use of artificial intelligence and large language models, demand for the transfer of data will substantially increase, and so will the demand for subsea capacity.

The federal government’s focus on that infrastructure is understandable. As the EO points out, the risk that our adversaries can access personal data is exacerbated when U.S. data is transmitted via cables that are owned or operated by entities controlled by “countries of concern” or is transferred to such countries. As the DOJ notes, buying personal data is currently legal in the U.S. And as we heard in the recent debate over FISA reauthorization, U.S. intelligence agencies want to keep their access to such data. But they don’t want “countries of concern” to have such access. Today’s technology allows foreign actors to collect and analyze a substantial amount of information on Americans’ daily lives.

Currently, the executive branch requires a network security agreement with the owner and operators of subsea cables landing in the U.S. before it allows the FCC to grant a license. Typically, mitigation measures ensure that licensee personnel who access U.S. subsea infrastructure are citizens, require data-security protocols and related training, and include other protections. Additional security measures are needed, but there is already a huge backlog of pending subsea cable applications before the FCC. Any new regulation will increase the time to market, hampering American competitiveness in analyzing and carrying the world’s data.

The EO directs Team Telecom to review existing subsea licenses that not only are owned or operated by persons from or controlled by adversaries, but that terminate in such countries. Team Telecom is also directed under the EO to issue policy guidance and update as necessary its Memorandum of Understanding between the agencies on the mitigation it may impose. Possible new measures could include requiring U.S. cable operators to obtain agreements from customers in non-adversarial countries not to re-export U.S. sensitive data to “countries of concern”.

DOJ has a challenging task to develop new regulations that can effectively prevent access to and misuse of our sensitive data by our adversaries, while not harming the competitiveness of U.S. operators of digital infrastructure.

Patricia Paoletta is a partner at the law firm of HWG LLP. The views expressed above are hers and do not necessarily reflect the views of her partners or HWG clients.

Note from the Editor: The Federalist Society takes no positions on particular legal and public policy matters. Any expressions of opinion are those of the author. We welcome responses to the views presented here. To join the debate, please email us at [email protected].