The Lawfare Podcast: Devin DeBacker and Lee Licata on the Biden Administration’s New Executive Order on Preventing Access to Americans' Bulk Sensitive Personal Data

[Audio Excerpt]

Devin DeBacker

The program would not regulate, for example, videos that users post. It wouldn't regulate the text messages and emails that people send, and it wouldn't regulate academic research that's published. It also wouldn't include data that's lawfully publicly available from government records or widely distributed media. And hopefully what folks can see is that we're trying to target the regulations to the national security risks we see, rather than broadly trying to address any information that could be thought of as private.

[Main Podcast]

Stephanie Pell

I'm Stephanie Pell, Senior Editor at Lawfare, and this is the Lawfare Podcast, March 13th, 2024.

On February 28th, the Biden administration issued an Executive Order, or EO, entitled “Preventing Access to Americans Bulk Sensitive Personal Data and United States Government Related Data by Countries of Concern.” I sat down with Devin DeBacker and Lee Licata, the Chief and one of the Deputy Chiefs of the Foreign Investment Review Section in the National Security Division at the Department of Justice to talk about this new EO and the ways in which it attempts to prevent certain countries of concern from accessing American sensitive personal data. We talked about the types of data transactions the EO is intended to regulate, what it is not intended to regulate, and the forthcoming rulemaking process that the DOJ will run.

It's the Lawfare Podcast, March 13^th: Devin DeBacker and Lee Licata on the Biden Administration's New Executive Order on Preventing Access to Americans’ Bulk Sensitive Personal Data.

Devin and Lee, you are both attorneys from the National Security Division at the Department of Justice. Can you start by telling us a bit about what you do at DOJ and how your work relates to the new executive order on preventing access to Americans’ bulk sensitive personal data and United States government related data by countries of concern?

Devin DeBacker

Happy to. So, to most people, the image of a DOJ lawyer probably suggests a prosecutor or a litigator who civilly or criminally enforces the law and holds accountable those who violate it. Many listeners will be familiar with the National Security Division's use of these tools to investigate, prosecute, and disrupt, for example, state-sponsored malicious cyber activity that tries to exfiltrate sensitive personal data from U.S. victims or to hold accountable those who engage in espionage or transnational repression. What's perhaps less familiar to listeners is the significant role that DOJ has on the front end in addressing data security risks. That's where the office that I head in the National Security Division comes in. So the Foreign Investment Review Section, or FIRS as we call it, is responsible for regulating and mitigating data security risks through a variety of interagency, transaction-specific authorities, like the Committee on Foreign Investment in the United States, or Team Telecom, or a range of other authorities for securing technology supply chains.

At a high level, each of these authorities operates similarly. So we examine a particular transaction or proposed license that involves specific companies to see if it poses national security risks. If it does, we enter into an agreement with conditions that are designed to mitigate those risks. And then we closely monitor corporate compliance with those obligations, including taking enforcement action if needed. And across these authorities, and in particular, in DOJ's role as the lead domestic counterintelligence agency and law enforcement agency, one of the key areas that we prioritize is closely scrutinizing data security, meaning the risks that adversaries can get access to and weaponize our data and communications against us. So, for example, as a member of CFIUS, DOJ is frequently the lead agency on cases involving national security risks that arise from access to sensitive personal data by foreign adversaries. DOJ chairs Team Telecom, which is a similar interagency committee that addresses data security and other risks for foreign involvement in our telecom infrastructure and services. We work with FBI and our IC colleagues to help provide defensive threat briefings to companies about their sensitive data and systems and so on.

What these transaction-specific authorities have underscored for us, particularly over the past few years, is that data security risks, particularly those involving capable foreign adversaries, are systemic. Adversaries can acquire access to data through a variety of commercial relationships in completely lawful ways, including buying it in the open market. It's purely happenstance as to whether those commercial relationships happen to arise in contexts like an investment that's subject to our case-by-case authorities. And you can't fix a systemic problem with case-by-case solutions. So the EO is designed to fix that.

Stephanie Pell

And this EO was issued last Wednesday, February 28th, and was accompanied also by something called an advance notice of proposed rulemaking, or ANPRM, that was issued by DOJ. And so you've talked about some of the concerns with the sale of sensitive data. Can you talk a little bit about the specific purpose and goals of the EO?

Lee Licata

Sure. So the executive order was really about allowing us to find a more holistic or systemic way of addressing this kind of national security risk. So think something a little bit more like our OFAC sanctions regime or our export controls regime, rather than the case-by-case work that Devin described. And so this work began in late 2021. We started to contemplate this idea of a more categorical approach. And a lot of that was driven by a recognition of CFIUS cases where we were mitigating this type of risk or Team Telecom reviews where we were identifying and mitigating this type of risk. And essentially there was a recognition by DOJ and the administration that we needed to try something different. And that got us to this executive order that was signed last week.

Stephanie Pell

And before we delve deeper into the specifics of the executive order and the ANPRM, can you tell us about how we got here? For those listeners who may not be familiar with the U.S. government's interagency process, how is an EO like this produced, and what was its path through the so-called interagency?

Devin DeBacker

So I may have a somewhat unique perspective on this process. I've been involved in both policy and legal roles from the perspective of an agency that's a participant in these processes, from the White House, and from the Office of Legal Counsel, which are the three major players in the process. The process can differ from administration to administration, but the basics tend to remain the same. Some problem or challenge is identified that needs solving. The White House coordinates an interagency policy process to decide whether and how to address that problem. Now, for matters that are about national security and foreign affairs, the National Security Council, or NSC, conducts a formal interagency policy process that develops and recommends options to more senior leadership. It's really a whole of government process that brings together policymakers, experts, and lawyers across agencies, and that have relevant expertise and equities. It's rigorous and it's designed to account for and balance different equities like national security risk, economic impact, and international partnerships.

So if one of the recommendations to solve a problem is the exercise of the president's own authority through the issuance of an executive order, NSC will coordinate the preparation of that order, including rounds of comments, edits, and analysis from all of the interagency participants. At some point, NSC will recommend the executive order to senior leadership who will then decide whether to recommend it to the president and recommend that he issue it. And if the president decides to do so, then before he does issue it, the Office of Legal Counsel, or OLC, in the Department of Justice, will closely review the proposed executive order for form and legality. Now, once OLC approves the EO for form and legality, the president then issues it. All of these processes that I've mentioned, the policymaking process, the form and legality review, the senior leadership decision making, are iterative. And so it can take a long time. As Lee mentioned, the development of this executive order started more than two years before its issuance.

Now, I'll just quickly, to turn to this EO, maybe, maybe it makes sense to talk about DOJ's role in this EO. So there are several different parts to this EO. The cornerstone that we're focused on discussing today is the new data security regulatory program under the International Emergency Economic Powers Act or IEPA. DOJ and specifically our office in the National Security Division will be responsible for implementing that, similar to the way that Treasury's Office of Foreign Assets Control implements sanctions and Commerce's Bureau of Industry and Security implements export controls. As the EO indicates, we'll be doing that with robust interagency consultation that includes important roles for other agencies like CISA in developing certain security requirements that Lee will talk about later. Now there are other parts to the EO, too. Those parts look to enhance existing authorities that are related to protecting data, like federally funded health and medical research. One of those parts is about Team Telecom and that part directs Team Telecom, which DOJ chairs, to issue certain guidance about data security risks for subsea cables, and Lee can get into that in more detail later.

Stephanie Pell

So, I think it's important to note that this EO has been issued under something called IEPA, the International Emergency Economic Powers Act, and as you noted, that's the president with authority to deal with extraordinary threats to national security that have their source in whole or in part outside of the United States. So is it fair to say then that although we often think about the sale of American sensitive data as a privacy issue, this executive order is approaching the problem as a national security issue and the government is bringing some of its national security tools to bear to that problem?

Devin Debacker

I think that that's exactly right. I think the default framing for how to think about the challenges associated with data today tends to be privacy. Look, privacy is an incredibly important broader conversation to have. It's one lens through which to view data, but it's not the only one. And I think that privacy is the wrong lens through which to view this executive order. The privacy challenge of personal data at its core is fundamentally focused on individuals, the rights of individuals to control the use of their data, reducing harm to individuals by minimizing the collection of data on the front end, and so on. National security, though, is focused on collective risks and externalities that may result from how individuals and businesses choose to sell and use their data, including in completely lawful ways. So think about it in the context of export controls or sanctions. We don't let U.S. businesses choose to export advanced semiconductors to China. We don't let U.S. businesses choose to send funding to certain activities in sanctioned countries or to sanctioned persons. And the same idea is true when it comes to data. So you're right that the EO is not trying to solve the broader privacy challenges associated with data. It's a national security authority, and because it's focused on the national security risks of adversary access to data, there are certain things it doesn't try to address.

Stephanie Pell

And one of those things is concerns, and these concerns have been raised about how U.S. law enforcement and the intelligence community may purchase and use American sensitive data. This, EO has nothing to say about that.

Devin DeBacker

That's right. This EO has nothing to say about that. I think that's part of a broader privacy conversation that is ongoing on the Hill, in the public, and certainly with the administration. It also doesn't try to solve a related problem, which is the pure domestic collection and processing and use of data in the U.S., except to the extent that we end up determining that the domestic transaction of sensitive personal data is being conducted by someone who's a stand-in for a country of concern. If we make that determination, then the ANPRM contemplates that we could treat that person as a covered person. But short of that, we're not trying to solve the broader privacy challenges associated with data.

Stephanie Pell

So, turning specifically then to the national security goals of the executive order and the advance notice of proposed rulemaking, can you talk about the countries of concern that you anticipate this final process will cover?

Lee Licata

Sure. So, the advance notice of proposed rulemaking identifies six countries: the People's Republic of China, Russia, Cuba, Venezuela, Iran, and North Korea. And I'll note that this is the same list that was identified in the Commerce Department's regulations implementing their supply chain executive order, 13873. But what's important to note here is when we think about threat actors, particularly nation-state threat actors, we think about intent and capability. So these are six countries that we've said we believe have the intent and capability to leverage the commercial relationships that this executive order gets at, and it means to undermine our national security through having access to this sensitive data.

Stephanie Pell

And what specifically will the program regulate?

Lee Licata

Sure. So what the program contemplates is establishing these categorical, transparent, and predictable rules for engaging in certain types of transactions that involve bulk sensitive personal data or government-related data that pose an unacceptable risk of access by countries of concerns or covered persons. What the EO actually does is it authorizes DOJ to set up a new program and essentially to use the rulemaking process to implement regulations that would prohibit or restrict certain types of these commercial transactions or commercial relationships between a U.S. person on one hand and a country of concern or a covered person on the other, where the transaction would afford the country of concern with access to bulk sensitive personal data or government-related data. And I'll note that the commercial transactions, which we'll talk about in a moment, are all of the fact patterns we regularly see in our CFIUS and Team Telecom work. And that's what got us to what ended up in the ANPRM.

Stephanie Pell

And I want to break down some of what you've just talked about. Can you start by talking about why it was important to focus on the data transactions themselves, because that's what I understand you to be saying that the program will regulate.

Lee Licata

That's correct. So as we've mentioned, a lot of our approach up until this executive order looked at case-by-case reviews, which is often a somewhat unsatisfactory way of trying to address a fairly big national security risk. So oftentimes we can mitigate the risk within the jurisdictions that come before us through CFIUS, through Team Telecom, the ICTS authority. But that gets at a very, very small portion of where this risk is. As Devin mentioned, this is a systemic threat, and it requires a systemic response. And so this, by looking at those commercial transactions more directly, gets us to that approach that takes us out of case-by-case reviews as a means of mitigation.

Stephanie Pell

And you also talked about the concept of a covered person. There are covered persons who will be regulated, or whose, I should say, whose transactions will be regulated. Who is a covered person and who is not?

Devin DeBacker

Let me start with why we care about covered persons at all. Countries of concern, as Lee mentioned, have legal and political systems that allow them to compel or coerce companies and individuals under their jurisdiction to provide access to data to assist their government and their intelligence services and so on. So the risks are not just limited to the countries and the governments themselves, but also those who are subject to their compulsion or coercion. Now, the ANPRM lays out several categories of covered persons. Anyone who falls into one of these categories would automatically qualify as a covered person whose data transactions are regulated. So there are four categories. The first is any company that's 50 percent or more owned by a country of concern or organized under the laws of a country of concern or headquartered there. The second is any foreign person that's primarily resident in the territory of a country of concern. The third is any foreign person who works for a country of concern government or for a covered entity. And the last is any entity that's 50 percent or more owned by another covered person.

Importantly, those categories would not include any U.S. persons. That means anyone who is in the United States is not categorically treated as a covered person. U.S. citizens, dual citizens, nationals, lawful permanent residents, those granted refugee or asylum status, wherever they are, are not categorically treated as covered persons. And U.S. companies that are headquartered or organized in the United States are not categorically treated as covered persons. That's important because this isn't about the national origin of these individuals or these companies. This is about the risks of who is actually subject to the kinds of compulsion and coercion that these countries can exercise.

Now, the program contemplates that DOJ would not rely just on the categories alone, but also would be able to supplement those categories by publicly designating anyone, including a U.S. person, that we determine is acting on behalf of a country of concern, or if they're subject to the jurisdiction or ownership or control of a country of concern, or if they're knowingly causing violations of the regulations. That supplemental designations list would function much like Treasury sanctions list.

Stephanie Pell

The program seeks to protect two buckets of data, bulk sensitive personal data and government-related data. Can you explain these categories and the rationale behind them and maybe talk a bit about the types of data that are specifically excluded from these categories?

Lee Licata

Sure. So we'll start with the first bucket, which is the bulk sensitive personal data. Within that bucket, there are six types of data that are covered under the executive order: precise geolocation data; biometric identifiers, so think of facial images, voice prints and patterns, eye scans, fingerprints; personal financial data, personal health data; human genomic, and other similar biological data; and specific types of personal identifiers. And I note with the personal identifiers, that's not all PII. That's not the “phone book” as we like to sometimes call it. We're talking about specific identifiers that could be linked or linkable to an individual's identity. So think of like a name plus an IP address, or a name and an advertising ID, or an IP address and a physical address. So the types of information that are specific enough that you could, within a dataset, figure out who the person is, or something about them, like where they're located, for example.

The second bucket is the government related data, and there's two pieces to this. The first is sensitive personal data about current or recent U.S. government employees or contractors, so think members of the military and veterans, members of the intelligence community. And the second is precise geolocations around certain sensitive locations. And those locations will be publicly listed in the regulations, similar to what's in the CFIUS regulations for real estate.

One thing that's important to notice that for the bulk sensitive personal data is that there are also thresholds above which the regulations become operative, and those thresholds get lower as we see the risk or sensitivity of the type of data increasing. So you can imagine, genomic data, which we might see as most sensitive, has the lowest proposed threshold, whereas personal identifiers have the highest. But for the government-related data, there are no thresholds, so the regulations apply regardless of the size of the dataset. And those datasets and those thresholds are calculated based on number of U.S. persons or devices, for example, for geolocation data.

One thing I'll mention is the rationale for how we got to this calculus. There are two important factors we were thinking about in coming up with this construct. The first was information about someone that in a dataset would allow us to identify who they are. And the second was types of data that would tell us something sensitive or innate about a person, whether it's physical something through like genomic data, or whether it's something like your financial history or medical history that may carry sensitivity to it. And so what we actually did was we laid those factors against our CFIUS cases where we've mitigated this risk, malicious cyber activities where we've seen these datasets targeted by a nation-state, the Federal Trade Commission's data breach settlements that are public, we essentially laid that casework over the type of factors that we were thinking about and that got us to the construct you'll see.

Stephanie Pell

The thresholds that you talk about, is there the ability, going forward, to adjust them as appropriate as there's more knowledge about risks or impact of certain sensitive categories of data.

Lee Licata

Absolutely. And that's the benefit of creating this program through the rulemaking process, was that as we identify additional risks, we could make adjustments by promulgating new rules that would adjust those thresholds in either direction. And it's also part of the reason why the public input in the rulemaking process becomes important because that provides us with data that lets us consider how this can be operationally effective for the private sector.

Devin Debacker

And I think it's important to take a step back and think about the problem that we're trying to solve with each of these categories, with bulk sensitive personal data on one hand and with government-related data on the other hand. So they're slightly different national security contexts. With bulk sensitive personal data, the risks that we're trying to address include things like the aggregated insights that countries of concern can get that might reveal sensitive information or pattern of life information from large troves of data. Obviously, as technology advances, as big data analytics advance, as there's changes in the kinds of data that are collected, some kinds of data which were less sensitive before might become more sensitive and might justify lowering the thresholds, or vice versa, it might justify raising the thresholds.

Government-related data, on the other hand, is addressing a somewhat different concern, which is the concern that this data can be used to micro-target key U.S. government individuals or senior officials in the military or so on. And for that, it doesn't really matter whether the data is on one key individual or many key individuals. We don't want countries of concern, for example, to be able to acquire the geolocation data or health or financial data of senior military officials or to use geolocation data around government facilities and activities to map those locations or identify the people who are associated with them.

Stephanie Pell

And are there types of data that are specifically excluded from the categories that you both have just discussed?

Devin DeBacker

Yes. There are several important types of data that we don't contemplate regulating. And I'll just highlight a few. Let me start with the category of covered personal identifiers, which Lee mentioned is not all PII. But it's only certain combinations of listed identifiers. So as we're thinking about it now, and as we're trying to target this program to what we see as some of the key national security risks, those listed identifiers would not include things like job or educational history, or organizational memberships like Facebook groups and trade unions, or criminal history, or web browsing history. There are also several affirmative exclusions from covered personal identifiers, and I'll just highlight two. So as Lee said, we don't intend to cover the phone book, the national security risk associated with getting the White Pages is not that not that high. And so there's an exception for demographic and contact data that's linked together with nothing else. There's also an exception for datasets that consist of only identifiers that are used in combination to make things like the internet work. So network-based identifiers like IP addresses, account authentication data like usernames and passwords, and call detail data. When that's combined for the purpose of providing telecom or networking or similar services, that's also exempted.

And more broadly, when we talk about sensitive personal data in this national security context, we're not talking about expressive information, we're not talking about personal communications. And so the program would not regulate, for example, videos that users post. It wouldn't regulate the text messages and emails that people send, and it wouldn't regulate academic research that's published. It also wouldn't include data that's lawfully publicly available from government records or in widely distributed media. And hopefully what folks can see is that we're trying to target the regulations to the national security risks we see, rather than broadly trying to address any information that could be thought of as private.

Stephanie Pell

So let's drill down a bit more on the covered data transactions. As I understand it, there will be categories of prohibited data transactions and restricted data transactions. Can you explain each one of these?

Devin DeBacker

Happy to, and I'll start by describing what the categories are. So for the prohibited transactions, we're considering two categories, and these are categories of data transactions that are between U.S. persons on the one hand, and countries of concern or covered persons on the other hand. The first is data brokerage transactions, and the second are genomic data transactions. So for data brokerage, the regulations would prohibit. U.S. persons from selling or licensing access to or engaging in similar commercial transactions that involve the transfer of that bulk sensitive personal data or government-related data to a country of concern or covered person. Think about the first- or third-party sale of data as the prototypical example. For genomic data, the regulations would prohibit U.S. persons from engaging in transactions with a country of concern or covered person that involve the transfer of bulk human genomic data or biospecimens from which that data could be derived. One example would be a U.S. company that outside of any federally funded activity or agreement contracts with a foreign laboratory that's a covered person and transfers bulk genomic data or biospecimens to the laboratory for analysis.

Now we're also contemplating restricting three categories of data transactions, again, between U.S. persons and countries of concern or covered persons. Those are vendor agreements, employment agreements, and investment agreements. And those would be allowed only if they comply with security requirements that are being designed by our colleagues at CISA. And Lee, why don't you talk about what those security requirements are designed to do and what they might include.

Lee Licata

So ultimately, the notion of the restricted transactions was to allow these types of commercial relationships to continue only when there could be some security assurance that the country of concern or covered person can't actually access the sensitive data at risk. And so these measures contemplate four pieces. The first is cyber security posture requirements, so think the NIST Cyber Framework or CISA's Cyber Performance Goals. The second is physical and logical access measures, so measures that are meant to ensure data can't be accessed in certain ways, whether it's in physical print or it digitally exists. The third is data masking and minimization. So think of things like tokenization methods or geolocation fuzzing, techniques like that. And the final is privacy preserving or privacy enhancing technologies. And that may include things like certain levels of encryption. And so what CISA's going to do is to also make public their proposal for those measures for public input, timed around our proposed rule, such that they can seek public input about feasibility of those measures. And then ultimately, we'll finalize those to allow us to then regulate the restricted transactions.

Stephanie Pell

There are also exempt data transactions and to be clear, these transactions would be exempt across the board. Can you talk about these categories and why it was important to identify them up front?

Devin DeBacker

It was very important to make clear that we're not trying to regulate the kinds of routine commercial transactions that present low risks of adversaries using them to access sensitive personal data, especially relative to their commercial value. So while there are certainly kinds of transactions, like data brokerage and genomic data transfers, that we very much intend to affect because of the risks they pose, these exemptions are designed to help minimize the unintended effects on markets and businesses. And they underscore that this is a targeted national security regime, not a broader privacy regime like the EU's GDPR or a commercial regulation of data flows.

So we're considering at least five categorical or across the board exemptions. And those include exemptions for data transactions that are ordinarily incident to financial services activities, like banking activities, or the provision of financial information for the sale of goods and services, like e-commerce or certain regulatory compliance activities. It also includes things like a carve-out for data transactions within multinational companies to share data for ancillary business operations, like payroll or human resources; a carve out for certain investments that are passive and don't convey the rights or influence that ordinarily pose the risk of access to sensitive personal data; a carve-out for data transactions that are required or authorized by federal law or international agreements, think flight passenger manifest information exchanges or public health surveillance; and a carve-out for activities of the federal government and its contractors and grantees, including federally funded health and research activities. That last one's important because we don't want to subject our grantees and contractors to dual regulation under this program and under their grants and contracts. And particularly given the importance of that research and those activities, the EO takes the approach of rather than having this program regulated, the underlying agencies will create bespoke conditions that help address data security risks in those contexts.

Stephanie Pell

The EO and the advance notice of proposed rulemaking also anticipate a licensing and advisory opinion process. Can you talk about those processes and what you foresee them involving?

Lee Licata

Sure. So licenses and advisory opinions are both hallmark tools of our OFAC sanctions regime and BIS's export controls regime. So licenses generally come in two flavors. First, you have general licenses, which allow broad exemptions from the requirements of the regulations. We often see that used for orderly wind down. So companies need some additional time to get into compliance with a certain regulatory requirement. We can issue a general license to create an exemption for a defined period of time. Specific licenses allow a particular company or person to seek an exemption for a particular transaction. So they have the right to ask the government to essentially waive the regulatory requirements when they could be negatively impacted in a certain way by consummating a transaction that would be covered here.

Advisory opinions are a way for the public to seek some level of certainty from the government about how, for example, a particular transaction may be treated under these regulations or whether a certain person or entity is considered a covered person or a country of concern for the purposes of these regulations. So it provides a level of clarity about how we apply this somewhat complex framework. And ultimately the hope is, like those other regimes, that we have the opportunity to make those public so that the broader public can see how we're interpreting this as it's built out.

Stephanie Pell

So throughout this conversation we've been talking about a proposed rulemaking process and indeed you have issued with the executive order an advance notice of proposed rulemaking. I'd like to have you talk about that rulemaking process and what is contemplated under the executive order. What do you want our listeners to know about it and how is DOJ approaching it?

Lee Licata

Sure. So the executive order requires that we issue our proposed rule within 180 days from the date of the EO, so from February 28th, which means the clock has already started. The ANPRM was made available to the public on March 4th, and the original comment period began on March 5th, which means there's now 45 days for the public to get to provide responses to the ANPRM, and the ANPRM has 100-plus questions with which we are seeking input. So up until April 19th, the public can weigh in on the docket through the Federal Register. At that point, what we'll do is need some time to digest all the input that we will get, and we think will be significant, to have some time to digest that and to essentially incorporate it into the proposed rule. And then in order for us to meet the 180-day deadline, we would be looking to release the proposed rule to the public, let's say, potentially by the end of the summer. Once we do that, that would begin another 45-day comment period with a more mature rule with which we can now seek again public input. Once that period lapses, again, we'll take some time to digest the public input and begin working to issuing the final rule. And the goal from DOJ is potentially to have this finalized within, say, a year. And just last thing I'll just note is what we really want people to take from this is weigh in through the public process. That's why we're doing this through rulemaking is to allow us to get the feedback that from the government we don't have at our disposal.

Stephanie Pell

And there will not be actual obligations or requirements under this process until that final rule is issued?

Lee Licata

Correct. So nothing changed on day one when the EO was signed. Nothing will happen until we issue that final rule and for certain types of pieces of this EO, like the restricted transactions, also when the security measures are finalized as well.

Stephanie Pell

And that will give entities who will fall under this regulation the opportunity to plan and prepare in advance of the final rule because they'll see the way the winds are blowing, so to speak.

Lee Licata

Correct.

Stephanie Pell

So, I want to give you the opportunity to address some of the criticisms of the executive order. The fact sheet that the Department of Justice put out says, “The proposed regulations will be targeted to address national security risks, while minimizing the impact on economic and other activities and will be designed to safeguard the continued cross-border data flows that are vital to our economy and communities.” Now, critics claim that what the Department of Justice calls “targeted regulations” are, quote, “unlikely to work against a capable and determined adversary--but more concerning, the new order, taken together with other similar administration initiatives, would create new risk to national security as the U.S. retreats from global commerce.” And I will, I will just credit this critique to Peter Swire and Sam Sacks in a piece that they published about the forthcoming EO in Lawfare. But what is this critique getting at and how would you respond to it?

Devin DeBacker

So Peter and Sam are wonderful commentators and I always look forward to reading their thoughts. I know we've spoken to them several times about this executive order before its issuance and since its issuance. I think that that critique misunderstands the point of the program. This is designed to close the front door of lawful access to sensitive data by adversaries. That's just one vector, though. It's just one way in which adversaries can access sensitive personal data. Now, it's a particularly low cost and uncomplicated vector for adversaries to exploit. If you're a country of concern and you have laws and means to compel companies under your jurisdiction to give you access to sensitive data, why opt for more complicated hacking or cyber operations? And why bother with the trouble of compelling and coercing a company when you can just buy the data on the open market? This is one tool in the toolkit. And it's one tool that's designed to make it more difficult, more expensive, and more complicated for countries of concern to acquire our sensitive personal data and weaponize it against us. That doesn't mean, though, that we should ignore the rest of the tools in the toolkit. And it doesn't mean that we should not continue investing resources in addressing the other vectors like hacking and other illicit means as well.

Stephanie Pell

So Peter and Sam also argue that countries may use the executive order as an excuse to justify their own restrictions on data flows, enhancing essentially their own data localization efforts. Why should we be worried about data localization efforts? And do you think the EO could be used, fairly or not, to enable those efforts?

Lee Licata

So the one thing I'll start with is to note that the EO and the ANPRM go to great lengths to ensure that this is not data localization. In fact, it's prohibited under both of those documents in the operative provisions. As we would say, this is really about cross-border data flows with trust. This is a targeted set of requirements at a certain set of countries and persons that we believe to present an unacceptable security risk. This is far narrower than what other countries with data localization requirements often implement. So we use the example in China. Genomic data cannot leave China at all. If you look at what we're proposing, even in our prohibition on genomic transfers, it’s far more narrowly targeted than that. So I think that we are far less concerned that this will result in more data localization requirements when the ones that already exist on the books in other countries, including many of the countries of concern, are far more robust than this.

Stephanie Pell

Are there any other major criticisms you've seen that you'd like to address?

Lee Licata

I'll just flag the one that Devin mentioned earlier, which is the privacy argument, and I think we've heard this a lot from civil society, which is wouldn't this problem be better addressed through comprehensive federal privacy legislation? So to Devin's point, we're solving a much more acute national security problem, and we're using a national security authority to do it. The second is that would still require an act of Congress, and Congress has not passed such legislation, so as policymakers, we often have to use the tools at our disposal.

Stephanie Pell

So, I hear you're saying you are not against Congress stepping in and actually enacting broad based privacy legislation, that it could work in tandem to what you were trying to do.

Devin DeBacker

I think that's exactly right. I think in the issuance of the executive order, the president and the White House took great pain to make clear that this doesn't obviate the need for broader privacy legislation. And as I've discussed and others have discussed with members on the Hill and publicly, the privacy and national security when it comes to data are complementary pieces of the puzzle. Neither one is a substitute for the other because they're trying to solve different challenges.

Stephanie Pell

You mentioned that the process for this executive order started approximately two years ago. Was there a part of this process that developed or was part of the purpose to address a problem that Congress wasn't addressing?

Devin DeBacker

I think that's true insofar as there is no authority on the books that provides a comprehensive categorical approach to prospectively addressing these risks. The tools that Congress has given us are these case-by-case authorities, CFIUS and Team Telecom, certain supply chain authorities. And the only tool that we have at our disposal is IEPA, which works very well for the problem that we're trying to address, which is why it was the basis of the executive order. But Congress has not stood up its own regulatory program so far to address those risks.

Stephanie Pell

Anything else that you'd like to share with our listeners?

Lee Licata

So one other thing I'll flag that is a particular priority for the Department of Justice, which is the part of this executive order that speaks to subsea cables. It's not a space that people normally associate with this kind of national security risk, but in Devin’s and my world, it's very important part of what we do every day. As I mentioned, when this process started, part of the thinking was around certain reviews we were doing of subsea cable systems that were predominantly connecting across the Pacific that raised this kind of data risk. And so what we tried to do was to come up with a more prospective approach for how to deal with this risk. And so that provision does three things. It asks Team Telecom, which is the body that DOJ chairs that reviews cable landing licenses, to initiate reviews of cables that have country of concern owners that land in country of concern territory, and it asks Team Telecom to issue guidance about how to address this risk in subsea cable operations. In other words, how should cable operators be thinking about addressing the risk to their sensitive data of these kinds of countries, whether it's through more traditional espionage or it's through cyber-related activities. And so it's an area that we have in the past spoken publicly through our recommendations to the FCC, but now it has a presidential level importance for DOJ and Team Telecom to move out on.

Stephanie Pell

We'll have to leave it there for today. Thank you both so much for joining me.

The Lawfare Podcast is produced in cooperation with the Brookings Institution. You can get ad-free versions of this and other Lawfare podcasts by becoming a Lawfare material supporter through our website lawfaremedia.org/support. You'll also get access to special events and other content available only to our supporters. Please rate and review us wherever you get your podcasts.

Look out for our other podcasts, including Rational Security, Chatter, Allies, and The Aftermath, our latest Lawfare Presents podcast series on the government's response to January 6th. Check out our written work at lawfaremedia.org.

The podcast is edited by Jen Patja and your audio engineer this episode was Cara Shillenn of Goat Rodeo. Our music is performed by Sophia Yan.

As always, thank you for listening.