Biden's Executive Order on Personal Data and National Security: The Implications for AI

March 1, 2024
Authored by
Osman Gazi Güçlütürk
Legal & Regulatory Lead in Public Policy at Holistic AI
On 28 February 2024, President Biden issued the Executive Order on Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern, a strategic measure aimed at fortifying data protections and safeguarding the nation's informational assets.

This executive order was issued in response to the mounting threats that the US is facing as adversaries seek unauthorized access to vast stores of sensitive personal and governmental data. These incursions not only represent a challenge to cybersecurity and national security but also threaten individual privacy and the bedrock principles of democratic governance.

Given that AI systems are trained on and use vast amounts of data, which may cross geographical borders, the Executive Order will have important implications for the monitoring and assessment of AI systems developed and used in the US.

Key Takeaways:

  • The Executive Order safeguards the privacy and national security of the people and entities in the US by regulating the collection and processing of their bulk sensitive data.
  • The Executive Order will affect the development, monitoring, and deployment of AI within the US as it prohibits or otherwise restricts transactions involving the processing of bulk sensitive personal data, which is a significant component for many AI systems.
  • There is no requirement for data localization or broad online transaction bans within the Order. Instead, the Order specifies targeted restrictions to address national security concerns.
  • The Order sets a general legal framework and assigns the Attorney General the task of fleshing out the details through further regulations.
  • Rules concerning the practical application of the Order, including identifying countries of concern and defining covered transactions and entities, will be issued within 180 days.
  • Surveillance and evaluation measures for data infrastructures and submarine cable licenses will be implemented.
  • Federal agencies are tasked with collaborative efforts to prevent unauthorized access to sensitive personal health data.
  • The data brokerage industry is called upon to strengthen compliance to protect consumer data privacy.
  • Enhancements in security measures are necessary for assessing and mitigating the national security risks associated with data transfers.

What is the aim of the Executive Order on personal data?

The Executive Order primarily addresses the handling and misuse of both bulk sensitive personal information of US citizens and government-related data by foreign entities. This exploitation, which includes cyber operations, espionage, and actions that undermine civil liberties, poses a significant threat to national security. There are multiple mechanisms for gaining unauthorized access to data, which range from data brokerage to third-party agreements, as well as certain employment practices, and all are directly targeted by the provisions of the Executive Order.

The core strategy of the Executive Order is to impose prohibitions or limitations on transactions involving the processing and exploitation of sensitive data by foreign adversaries. Through this, the Executive Order aims to uphold human rights and the core tenets of democracy. Moreover, it strives to strike an equitable balance between necessary restrictions and the United States' advocacy for a global framework that supports open and secure data flows across international boundaries.

How does the Executive Order define sensitive personal data?

The Order outlines a comprehensive definition of sensitive personal data, which includes but is not limited to personal identifiers, biometric and geolocation data, sensor outputs, genomic information, health records, financial details, or any aggregation of these data categories.

There are two critical dimensions to this definition:

  • The breadth of this definition allows for flexibility and adaptability, granting the Attorney General the authority to refine the scope through subsequent regulations.
  • The way that the Executive Order defines sensitive data is distinct from how it is defined under the European Union's General Data Protection Regulation (GDPR), which is often considered the gold standard for data protection legislation. The Order's definitions have different criteria for scope, identifiability, and exemptions.

What are the implications of Biden's Executive Order on personal data and cybersecurity on AI?

Although Biden previously issued the Executive Order on AI safety and security, which specifically targets AI, the personal data executive order is also set to affect AI. Indeed, this latest Executive Order recognizes data as the linchpin of AI systems, with bulk sensitive personal data serving as a crucial resource for developing potent AI models. The Order explicitly acknowledges the potential misuse of AI technologies in conducting espionage, carrying out influential cyber operations, and engaging in other malicious activities. Consequently, there are two significant implications for AI:

  1. Inclusion of AI-related risks in assessments: The Executive Order requires a task force to be established by the Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence, in coordination with the leaders of relevant agencies to issue a report on the identification, evaluation, and neutralization of national security threats resulting from previous data transfers. This risk assessment will also have to consider the risks and threats posed by AI technologies. This comprehensive approach ensures that the evaluation of national security risks encompasses the sophisticated challenges introduced by AI, including the potential for these systems to be leveraged in ways that compromise privacy and national security.
  2. Influence on AI development through regulating data use: The regulations to be enacted by the Attorney General, alongside Federal agencies, will directly impact the development of AI models and systems that depend on processing bulk sensitive personal data and US government-related data.

Through these measures, the Executive Order aims to balance the advancement of AI technologies with the need to protect sensitive information and maintain national security, influencing how AI models are trained and deployed in the future.

Prioritize AI compliance

The Executive Order presents a nuanced approach to addressing the complex interplay between technological advancement, data privacy, and national security. By focusing on specific threats rather than imposing broad restrictions, the Order seeks to protect bulk sensitive personal data and government-related data without stifling innovation or international trade.

While the regulations from the Attorney General are awaited, AI providers, developers, and deployers involved in data processing and network infrastructures must prepare for a landscape that will demand greater vigilance and compliance.

DISCLAIMER: This blog article is for informational purposes only. This blog article is not intended to, and does not, provide legal advice or a legal opinion. It is not a do-it-yourself guide to resolving legal issues or handling litigation. This blog article is not a substitute for experienced legal counsel and does not provide legal advice regarding any situation or employer.
