ARTICLE
12 March 2024

Data Security Policy: Comparing Leading Legislative And Regulatory Proposals

Greenberg Traurig, LLP


On February 28 President Biden issued an Executive Order "to protect Americans' sensitive personal data from exploitation by countries of concern." (EO 14117, "Preventing Access to Americans' Bulk Sensitive Personal Data by Countries of Concern.")

On March 5 the National Security Division of the Department of Justice (DOJ) published an advance notice of proposed rulemaking (ANPRM) to regulate "U.S. government-related data or bulk U.S. sensitive personal data." (89 Fed. Reg. 15780 – 15802.) The proposed rule has a relatively short comment period ending on April 19.

Congress has also been considering legislation to regulate data brokerage transactions, which have been accelerating at a rapid pace. On March 7 the U.S. House Energy and Commerce Committee reported the Protecting Americans' Data from Foreign Adversaries Act (H.R. 7520) by a vote of 50 to 0. The legislation could be debated on the House floor in the weeks ahead.

The DOJ regulation and H.R. 7520 differ in several key respects, including the following:

Regulator: DOJ (ANPRM) v. the Federal Trade Commission (H.R. 7520).

Data Categories: The ANPRM sets forth six categories of covered data; H.R. 7520 includes 16 categories.

Prohibitions: The ANPRM defines data brokerage, vendor, employment, and investment agreements. It bans transfers under any of these four types of agreements of any volume of data relating to certain government facilities and personnel, or bulk volumes of human genomic data. It also bans transfers by data brokers (but not under the other three types of agreements) of bulk volumes in five other sensitive personal data areas. H.R. 7520 focuses on data brokerage agreements. It bans transfers by data brokers of any volume of sensitive personal data in any of the 16 data categories.

Additional Restrictions: The ANPRM contains restrictions on transfers of bulk sensitive personal data under vendor, employment, or investment agreements by requiring that certain security requirements be in place. It also contemplates the creation of "general or specific licenses" to create exceptions for the transfer of certain data. H.R. 7520 has no comparable provisions.

Countries of Concern: The ANPRM covers individuals and entities related to six countries; H.R. 7520 covers data recipients in four countries.


The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
