2 January 2025

Tightened Data Transaction Regulations Reflect National Security Concerns And Geopolitical Dynamics

Steptoe LLP


Today's Deep Dive is 1,396 words and a 9-minute read.

Earlier this year, the Biden administration took a significant step to extend protections over the sensitive personal data of Americans with Executive Order 14117 (EO). The EO, which takes the step of applying protections to the international sale of Americans' sensitive data by data brokers to specific countries of concern (notably including China, Russia and Iran), makes clear the White House's rising concern over the implications of foreign access to Americans' sensitive data. While the EO has not yet been fully implemented, the bipartisan consensus on the risks of malign foreign access to Americans' data means that it is likely to go forward in whole or significant part, with important implications for US and multinational businesses, or any US persons involved in the sale of such sensitive data. (For a more comprehensive legal take on the implementation of EO 14117, see Steptoe's "New National Security Rules Targeting Personal Data to Have Significant Impact on AI Industry").

The EO and Implementing Regulations

On February 28, 2024, President Biden issued Executive Order 14117, "Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern" (EO). As described by the Department of Justice (DOJ), the EO is intended "to address the national security threat posed by the continued effort of certain countries of concern to access and exploit certain kinds of Americans' sensitive personal data". On March 5, 2024, the DOJ published an Advance Notice of Proposed Rulemaking in the Federal Register (ANPRM), and after receiving and reviewing public comments on the ANPRM, subsequently published, on October 21, 2024, a Notice of Proposed Rulemaking (NPRM) that will establish a new DOJ national security regulatory program to address the national security threats at issue; the DOJ's National Security Division will be responsible for the execution of the program.

The NPRM (proposed rule) is comprehensive in nature, covering 422 pages. In brief, the proposed rule identifies classes of prohibited and restricted transactions involving bulk US sensitive personal data or government-related data; identifies countries of concern (China, Cuba, Iran, North Korea, Russia and Venezuela) and classes of covered persons with whom the regulations would prohibit or restrict transactions involving such data; establishes a process to issue (including to modify or rescind) licenses authorizing otherwise prohibited or restricted transactions and to issue advisory opinions; and addresses recordkeeping and reporting of transactions to inform investigative, enforcement, and regulatory efforts of the Department of Justice.

Implications for Businesses

Of critical importance to US businesses that conduct data brokerage or other covered data transactions, the proposed rule addresses the risk of data being re-sold or transferred through third parties to countries of concern by requiring US persons engaged in data brokerage with any foreign person that is not a covered person to satisfy certain conditions, including contractually requiring that the foreign person refrain from reselling or providing access to that data to a country of concern or covered person through a subsequent covered data transaction. US persons who know or suspect that a foreign counterparty is violating the restrictions on resale and onward transfer to countries of concern are required by the proposed rule to report the matter to the DOJ. Absent indications of evasion, conspiracy, or knowingly directing prohibited transactions, US persons that conduct adequate due diligence as part of a risk-based compliance program would not be determined by the DOJ to have engaged in a prohibited transaction if the foreign counterparty later violates the contractual provision or if the US person fails to detect such violations. Failure by a US person to conduct adequate due diligence, however, may subject the US person to enforcement actions.

US businesses also should be aware that the proposed rule imposes reporting requirements on US persons engaging in transactions subject to the application of the rule, as well as on US persons who have received and affirmatively rejected (including automatic rejections using software, technology or automated tools) an offer from another person to engage in a prohibited transaction. Further, the proposed rule establishes a DOJ/NSD compliance and enforcement regime, permitting the DOJ to conduct investigations, hold hearings, examine and depose witnesses, and issue subpoenas for witnesses and documents related to any matter under investigation. Civil penalties can be up to $368,136 or twice the amount of the transaction at issue, whichever amount is greater. Willful violations can lead to criminal fines of up to $1 million and up to 20 years imprisonment. DOJ is currently reviewing public comments provided in response to the proposed rule; the comment submission window closed on November 29, 2024.

As also required by the EO and in coordination with the DOJ, the Department of Homeland Security's Cybersecurity and Infrastructure Agency (CISA) has developed and published proposed security requirements that will apply to classes of restricted transactions identified in the proposed rule. In brief, vendor agreements, employment agreements, and investment agreements that qualify as restricted transactions will require U.S. persons engaging in a restricted transaction to comply with organizational and system-level requirements, such as ensuring that basic organizational cybersecurity policies, practices, and controls are in place, and data-level requirements, such as data minimization and masking, encryption, and privacy-enhancing techniques. CISA's proposed security requirements also closed for comment on November 29, 2024.

Geopolitical Concerns

In the background of this EO and other regulatory efforts taken by the outgoing Biden administration is rising concern over the potentially negative impact on national security from malign foreign actors gaining access to bulk sensitive data on Americans – including the use of such data in hacking and online influence campaigns. The list of countries of concern further illustrates the inherent geopolitical angle to the EO: the list includes competitor China, long a target of US concern over data privacy and improper use of data, as well as rivals Russia, Iran, Cuba and Venezuela. Further developments in this arena will be deeply influenced by global geopolitical developments.

Prospects for Implementation

The final rule implementing EO 14117 has yet to be issued by the DOJ. Generally, final rules are effective no less than thirty days after the date of publication in the Federal Register. It is possible, therefore, that a final rule will be issued prior to the end of the Biden administration, although implementation of the rule and execution of the new NSD compliance program will be managed by senior DOJ officials appointed by President-elect Trump. (It should be noted that final rules also must be reported to Congress, as required by the Congressional Review Act (CRA). In rare circumstances, Congress has issued joint resolutions (JR) of disapproval of final rules under the CRA. If this were to occur, subject to the President's signing the JR or Congress overriding a Presidential veto of the JR, the formal rule would not take effect or would become void.)

Although Congress may disapprove a final rule after issuance, as discussed above, and although any President may lawfully revoke or amend executive orders issued by his or her predecessors and revoke or amend final rules by issuing additional ANPRMs and NPRMs, these actions are not likely to occur with regard to the final rule implementing EO 14117, given the broad bipartisan support across Republican and Democratic administrations for additional legal controls to address the national security threat posed by foreign adversaries' access to sensitive US person data. Such bipartisan support was recently evidenced by the House of Representatives' unanimous passage of House Resolution 7520, the Protecting Americans' Data From Foreign Adversaries Act of 2024 (PADFA). PADFA also was passed by the Senate and was signed into law by President Biden on April 24, 2024.

Steps Forward for US Businesses

Given the likelihood that any final rule issued under either the Biden or Trump administrations will remain fully or in significant part consistent with the proposed rule, US businesses currently conducting data brokerage or other covered data transactions should immediately begin developing risk-based compliance programs. As noted in the DOJ Fact Sheet accompanying the issuance of the proposed rule, it is the DOJ's expectation that US businesses will establish compliance programs tailored to each company's specific business operations. Programs should include procedures to ensure all reporting requirements are met, including reports of any rejected offers to engage in a prohibited transaction. Should a violation of the final rule occur, the existence and adequacy of a company's compliance program will be a factor taken into consideration when DOJ/NSD considers appropriate enforcement action.
