Privacy & Information Security Law Blog

On June 9, 2021, President Biden signed an Executive Order on Protecting Americans’ Sensitive Data from Foreign Adversaries (the “EO” or “Biden EO”). The Biden EO elaborates on measures to address the national emergency regarding the information technology supply chain declared in 2019 by the Trump administration in Executive Order 13873. Simultaneously, the Biden EO also revokes three Trump administration orders (Executive Orders 13942, 13943 and 13971) that sought to prohibit transactions with TikTok, WeChat, their parent companies and certain other “Chinese connected software applications.” In their place, the Biden EO provides for (1) cabinet-level assessments and future recommendations to protect against risks from foreign adversaries’ (a) access to U.S. persons’ sensitive data and (b) involvement in software application supply and development; and (2) the continuing evaluation of transactions involving connected software applications that threaten U.S. national security.

Under the EO, “foreign adversary” is defined as any foreign government or non-government entity engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the U.S. or the security or safety of U.S. persons.

The EO directs the Secretary of Commerce to continually evaluate transactions involving connected software applications that pose an undue risk of sabotage or subversion of U.S. information and communications technology, critical infrastructure, digital economy or national security. The EO asserts that potential indicators of risk for connected software applications include:

• Ownership, control or management by persons that support a foreign adversary’s military, intelligence or proliferation activities;
• Use of the technology to conduct surveillance enabling espionage, including through access to sensitive personal, governmental or business data;
• Ownership or management involvement in malicious cyber activities;
• A lack of reliable third-party auditing;
• The scope and sensitivity of collected data; and
• The potential for identified risks to be addressed by other measures.

The EO also directs:

• The Secretary of Commerce, in consultation with the Secretaries of State, Defense, Health and Human Services and Homeland Security, the Attorney General, the Director of National Intelligence and other agency heads, to issue a report with recommendations for protecting against the harm from, e.g., the unrestricted sale of or access to U.S. persons’ sensitive data by entities owned by, controlled by or subject to the jurisdiction or direction of foreign adversaries;
• The Director of National Intelligence and Secretary of Homeland Security to, respectively, provide threat and vulnerability assessments to support the aforementioned report; and
• The Secretary of Commerce, in consultation with, e.g., the Secretaries of State, Defense, and Homeland Security, the Attorney General and the Director of the Office of Management and Budget, to recommend additional executive and legislative actions to address the risks from connected software applications designed, developed, manufactured or supplied by entities owned by, controlled by or subject to the jurisdiction or direction of foreign adversaries.

Notably, the EO states that the U.S. “seeks to promote accountability for persons who engage in serious human rights abuse” and that the U.S. may impose, in actions separate from the EO, consequences on those who own, control or manage connected software applications that engage in or facilitate serious human rights abuses.