White House issues executive orders to protect sensitive American data from foreign adversaries
On June 9, 2021, President Biden signed an Executive Order to protect Americans’ sensitive data from foreign opponents (the “EO” or “Biden EO”). Biden’s PO explains measures to address the national emergency related to the information technology supply chain declared in 2019 by the Trump administration in Executive Order 13873. At the same time, the Biden EO is also revoking three orders from the Trump administration (Executive Orders 13942, 13943 and 13971) that seek to prohibit transactions with TikTok, WeChat, their parent companies and certain other “Chinese-related software applications”. In their place, the Biden EO provides for (1) cabinet-level assessments and future recommendations to protect against foreign threats (a) access to sensitive data of US individuals and (b) involvement in the provision and development of software applications; and (2) the ongoing assessment of transactions involving related software applications that threaten US national security.
Under the PO, “foreign adversary” is defined as any foreign government or non-governmental entity involved in a long-term pattern or serious conduct that significantly affects the US national security or the security of US persons.
The PO directs the Secretary of Commerce to continuously evaluate transactions involving related software applications that pose an unreasonable risk of sabotage or subversion of US information and communications technology, critical infrastructure, the digital economy, or national security. The PO claims that potential indicators of risk for related software applications include:
- Property, control, or management by anyone who supports the military, intelligence, or proliferation activities of a foreign adversary;
- Use technology to conduct surveillance that enables espionage, including by accessing sensitive personal, government, or business information;
- Ownership or management involvement in malicious cyber activity;
- Lack of reliable third-party verification;
- The extent and sensitivity of the data collected; and
- The potential of identified risks that need other measures to be addressed.
The PO also directs:
- The Minister of Commerce, in consultation with the Ministers of State, Defense, Health and Social Affairs and Homeland Security, the Attorney General, the Director of the National Intelligence Service and other heads of authorities, a report with recommendations for protection against damage caused by, e.g., the unrestricted sale or unrestricted access to sensitive data of US persons by companies owned, controlled by, or under the jurisdiction or direction of foreign adversaries;
- The Director of National Intelligence and the Secretary of Homeland Security to provide threat and vulnerability assessments to support the above report; and
- The Minister of Commerce in consultation with e.g., To recommend to State, Defense and Homeland Security Ministers, the Attorney General and the Director of the Office of Administration and Budget, additional executive and legislative action to address the risks of related software applications designed, developed, manufactured or deployed by companies in the Owned by, controlled by, or under the jurisdiction or direction of foreign opponents.
In particular, the PO notes that the US “seeks to promote accountability for those who commit serious human rights abuses” and that the US, in acts separate from the PO, can impose consequences on those who own, control or administer serious related software applications Commit or facilitate human rights abuses.