In a sweeping, coordinated effort across federal agencies, the US government has taken a giant leap forward to prevent access to data that could be exploited to the detriment of national security. On February 28, 2024, President Biden signed an Executive Order outlining restrictions on foreign access to personal data of US persons and US government-related information, accompanied by a fact sheet. The next day, the Department of Justice (DOJ) published an Advance Notice of Proposed Rulemaking (ANPRM), with its own fact sheet, seeking comment on a regulatory regime that would prohibit or restrict transactions that pose an unacceptable risk of access to and exploitation of sensitive data by "countries of concern" (the People's Republic of China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela) or related persons. Comments on the proposed rule are due by April 19, 2024.
The Executive Order describes the threat while attempting to balance its response with support for the free flow of data. As digital devices generate ever larger quantities of data about US persons, the activity of data brokers, together with access to data through commercial, investment, employment, and other channels, represents a growing vulnerability for US national security. US officials report malign misuse of these data for hacking, espionage, blackmail, identification of strategic advantages, training of artificial intelligence systems, and other purposes.
Although China, the European Union, and others regulate the transfer of their citizens' data, the United States has long advocated for an open internet and the free flow of data across borders. US regulation in this space is largely the work of the Committee on Foreign Investment in the United States (CFIUS), an interagency body authorized to determine whether and how foreign actors can gain access to certain categories of US-person data, but only in the investment context. That leaves many commercial arrangements unregulated at the federal level, including, for example, the bulk sale or licensing of US-person data unconnected with an investment, or access to those data by offshore employees or vendors of a US company. The Executive Order aspires to fill these and other gaps.
The regime proposed in the ANPRM is ambitious, to be administered by the DOJ but drawing on rules established by CFIUS, the Department of the Treasury's Office of Foreign Assets Control (OFAC), and the Department of Commerce's Bureau of Industry and Security.
The DOJ's Data Protection Regime
The ANPRM proposes a DOJ-administered regulatory scheme in which US persons would be prohibited or restricted from engaging in certain types of "covered data transactions" through which a country of concern or a covered person could access "bulk US sensitive personal data" or "government-related data." Certain transactions within that scope may be permitted if compliant with specific conditions, including forthcoming security and reporting requirements.
Parties to a prohibited covered data transaction could rely upon an applicable general license or seek a specific license from the DOJ. Certain data transactions would also be exempt, including common financial transactions; transactions conducted pursuant to a grant, contract, or other agreement with the US government; and transactions protected by the First Amendment (borrowing from OFAC concepts).
This graphic depicts the proposed regime at a high level:
Bulk US Sensitive Personal Data and Government-Related Data
The Executive Order authorizes the Attorney General to prohibit or otherwise restrict US persons from engaging in certain transactions involving "bulk US sensitive personal data" or "government-related data."
"Sensitive personal data" is proposed to include certain:
(1) "Covered personal identifiers" that could be used to identify an individual from a dataset
(2) Precise geolocation data
(3) Biometric identifiers
(4) Human genomic data
(5) Personal health data
(6) Personal financial data
Each category of data will be subject to certain volume or "bulk" thresholds, proposed to range from 100 to 1 million US persons or devices, depending on the threat, vulnerability, and consequences associated with that category of data.
In some cases, the proposed definition of "sensitive personal data" is more expansive than the CFIUS regulatory concept of the same name. For instance, the DOJ is proposing to include within the scope of "covered personal identifiers" datasets that link contact data (e.g., first and last names or email addresses) with other identifiers, such as account usernames, MAC addresses, advertising IDs, or Social Security numbers. Thus, although many US businesses have evaluated whether they collect or maintain "sensitive personal data" (as CFIUS defines the concept) or whether other state or federal privacy laws affect their operations, these analyses should be revisited under the definition that will apply here.[1]
Meanwhile, "government-related data," which would not be subject to a volume threshold, is proposed as (1) sensitive personal data marketed as linked or linkable to current or former employees, contractors, or senior officials of the US federal government, and (2) precise geolocation data for sensitive locations or geographical areas to be identified on a Government-Related Location Data List.
"Countries of Concern" and "Covered Persons"
As noted, "countries of concern" are proposed to include the People's Republic of China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela.
A "covered person" would include: (1) entities owned 50% or more by, or organized within, or having a principal place of business in a country of concern; (2) entities owned 50% or more by such an entity; (3) natural persons when they are employees or contractors of such an entity; (4) natural persons primarily resident in a country of concern; or (5) any natural person or legal entity that the Attorney General designates as a covered person on a list newly created for this purpose.
Individuals located in the United States are excluded (unless designated on the list); citizens of a country of concern would not automatically become covered persons unless they qualify under the other criteria above (e.g., Chinese citizens primarily resident outside of a country of concern would not be "covered persons" unless they are employees or contractors of a covered entity or designated on the list).
Prohibited or Restricted "Covered Data Transactions"
The DOJ proposes to define a "covered data transaction" as one that involves bulk US sensitive personal data or government-related data. The ANPRM includes a general prohibition on US persons knowingly engaging in covered data transactions with a country of concern or covered person. But certain "restricted covered data transactions" — vendor agreements, employment agreements, and investment agreements — would be permitted if they meet to-be-determined "security requirements." These security requirements would be based on existing cybersecurity frameworks, with specific guidance later published by the Department of Homeland Security through a separate process. Presumably because they present the highest risk, data brokerage transactions cannot qualify as restricted covered data transactions, and thus would remain subject to the general prohibition even if they meet the security requirements.
The ANPRM also proposes to prohibit knowingly engaging in: (1) covered data transactions involving data brokerage with any foreign person unless the contract bars the latter from engaging in a subsequent covered data transaction involving the same data and a country of concern or covered person; and (2) covered data transactions with a country of concern or covered person that provide such person access to bulk US sensitive personal data that consists of human genomic data or human biospecimens from which such data could be derived.
"Knowingly" in the context of these prohibitions would apply to persons who knew or should have known of the circumstances of the transaction; it is not intended to be a strict-liability standard. The DOJ would also develop rules that prohibit evasions, attempts, or conspiracies; knowingly directing a covered data transaction that would be prohibited if engaged in by a US person; and the causing of a violation by another person (a prohibition that, in the OFAC context, authorizes extraterritorial jurisdiction over persons not otherwise subject to US law).
Exemptions and Authorizations
Exempted from the prohibitions and restrictions is certain official business of the US government, including by its employees, grantees, and contractors — a potentially expansive category that would allow federally funded programs to proceed outside the scope of the new regime. (But pending legislation addressing the collection of human genomic and other data, known as the BIOSECURE Act, could limit that freedom; as drafted, it would prohibit US federal funding for the procurement or use of "biotechnology equipment or services" from designated "biotechnology companies of concern.")
The DOJ would further exclude certain types of investment from this regulation, including certain "over the counter" investments in public securities in any jurisdiction; investments in an index fund, mutual fund, exchange-traded fund, or similar instrument; or limited partner investments in a fund — an exemption vital to a substantial volume of foreign investment in the United States. To qualify for exclusion, each of these investments must be passive, with to-be-determined limits on the total voting and equity interest acquired and an absence of governance, influence, and access rights similar to rights that could trigger jurisdiction under the CFIUS regime for investments in certain US businesses.
The financial services industry is also exempt to the extent that transactions are ordinarily incident to the provision of financial services.
An industry-agnostic exclusion would also allow certain intra-entity transactions incident to business operations (e.g., transfers of human resources data between a US company and its Chinese subsidiary).
Other exemptions would include personal communications and information or informational materials protected by the First Amendment and mirrored in the OFAC sanctions regulations, and transactions required or authorized by federal law or international agreements (e.g., law enforcement requests or public-health surveillance).
The Executive Order directs coordination among US government agencies, yielding further exclusions for otherwise-regulated transactions. For example, the proposed treatment of investment agreements intersects with the CFIUS approach to "covered transactions" involving certain data. The ANPRM seeks input regarding how to reconcile the new regulatory regime with the existing CFIUS regime, proposing to exclude only those transactions for which CFIUS has imposed mitigation measures.
The ANPRM also contemplates a licensing regime within the DOJ (and similar to the OFAC licensing scheme), including both general licenses available to anyone qualifying under their terms and specific licenses to be applied for on a set of specific facts. The ANPRM seeks further input on a method for handling requests for interpretive guidance.
Footnote
1. The proposed regime also seems to reflect the US government's growing mistrust of anonymization or de-identification techniques, the effectiveness of which is believed to be eroded by artificial intelligence technologies. It recognizes that adversaries, using sophisticated technologies, can draw inferences across datasets and so enable the association of data with specific individuals — a so-called mosaic theory that President Biden's September 15, 2022, Executive Order formally instructed CFIUS to consider in its national security reviews.