Key Takeaways
- On October 29, 2024, the DOJ issued a proposed rule prohibiting and restricting certain transactions that could allow persons from countries of concern, such as China, access to bulk sensitive personal data of U.S. citizens or to U.S. government-related data (regardless of volume).
- The rule builds on President Biden's Executive Order 14117 of February 28, 2024, which directed DOJ to initiate such a rulemaking, DOJ's ANPRM of March 5, 2024, which set forth the proposed scoping of key terms for the regulations, including categories of covered transactions, and the comments submitted in response to the ANPRM.
- Sensitive personal data covered by the rule includes human genomic data, biometric identifiers, precise geolocation data, personal health data, personal financial data, and combinations of specified personal identifiers (e.g., government identification numbers, financial account numbers, and personal device identifiers). To be covered, the transaction would need to involve identified "bulk thresholds" for each category of sensitive personal data, ranging from 100 to 100,000 U.S. persons.
- When the proposed rule becomes effective, certain transactions with entities subject to the jurisdiction of countries of concern—including China and Russia—or with entities directly or indirectly owned by such entities, will be prohibited if the transaction involves bulk sensitive personal data or U.S. government-related data. Certain transactions will be permitted to proceed so long as the U.S. person complies with certain security requirements proposed by CISA or, in other cases, obtains contractual terms restricting further transfers of the data to covered persons or countries of concern.
- With respect to those covered transactions that are permitted to proceed under certain circumstances, the proposed rule also contemplates a variety of compliance obligations, to include annual audits, recordkeeping responsibilities, and annual or periodic reporting requirements.
- Comments on the proposed rule are due to DOJ on November 29, 2024. In addition, CISA will be accepting comments on its proposed security requirements until November 29, 2024.
Background
The Department of Justice's (DOJ) proposed rule implements President Biden's Executive Order (EO) on "Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern" and is intended to address a perceived gap in existing national security authorities posed by the continuing effort of certain countries of concern to access Americans' sensitive personal data and U.S. government-related data (see our prior alert). This new regulatory regime reflects the U.S. government's growing national security concerns about China and other adversarial governments obtaining access to Americans' sensitive personal data. The proposed rule seeks to prohibit the transfer of or access to such data, including through sales and licensing agreements, as well as significantly restricting certain vendor, employment and investment transactions involving persons affiliated with countries of concern. It further reflects concern that such transactions and relationships could enable these countries to use biometric, financial, genomic, geolocation or health data to engage in malicious cyber-enabled activities, espionage, tracking of military and national security personnel, blackmail or other nefarious activities. Advances in artificial intelligence and data analytics have exacerbated this risk.
The proposed rule builds on and addresses comments submitted by stakeholders in response to DOJ's earlier advance notice of proposed rulemaking (ANPRM) setting forth proposed scoping for regulations implementing the EO. Specifically, DOJ sought input on the proposed bulk data thresholds, key definitions, and the appropriate scope of certain exemptions. Despite a variety of comments seeking to significantly expand the rule's scope into a national data privacy regime, and many more requesting a narrowing of the rule to focus solely on transactions whose specific purpose was the sale or transfer of data, DOJ made limited changes between the ANPRM and the proposed rule. However, the proposed rule does provide greater clarity as to the scoping and operation of this new regulatory regime.
In addition, on October 29, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) published a notice regarding proposed security measures that, under the proposed rule, would be required for U.S. persons to implement in order to engage in restricted transactions. These are based on the National Institute of Standards & Technology (NIST) Cybersecurity Framework, the NIST Privacy Framework and CISA's Cross-Sector Cybersecurity Performance Goals. These requirements are divided into (i) organizational and covered system-level requirements and (ii) data-level requirements (i.e., to prevent access to specific data). According to CISA, its proposed security measures will help to establish an auditable basis for ensuring compliance.
Key Scoping Terms
The following are key scoping terms that are used in the proposed rule:
- Covered Data Transactions – transactions that involve "access" to any "bulk U.S. sensitive personal data" or "government-related data" and that involve: (1) data brokerage; (2) a vendor agreement; (3) an employment agreement; or (4) an investment agreement.
- U.S. Person – any U.S. citizen, national or lawful permanent resident; certain protected individual (e.g., refugee or asylee); entity organized under the laws of the United States (including foreign branches); or any person in the United States.
- Country of Concern – foreign governments determined to (i) be engaged in long-term or serious conduct significantly adverse to U.S. national security and (ii) pose a significant risk of exploiting U.S. government-related or bulk sensitive personal data to the detriment of U.S. national security. The current list is China, Cuba, Iran, North Korea, Russia and Venezuela.
- Covered Person – this term captures:
- Foreign entities that are 50% or more owned by a country of concern, whether directly or indirectly, and entities that are organized in or have a principal place of business in a country of concern.
- Foreign entities that are 50% or more owned by a covered person, whether directly or indirectly.
- Foreign individuals who are employees or contractors of covered person entities, or who are employees or contractors of covered persons.
- Foreign individuals who are primarily resident in the territorial jurisdiction of a country of concern.
- Any person, wherever located, that the Attorney General determines (i) to be, to have been, or likely to become owned or controlled by a country of concern or covered person; (ii) to act, to have acted or purported to act, or likely to act for or on behalf of a country of concern or covered person; or (iii) to have knowingly caused or directed, or to be likely to knowingly cause or direct a violation of these regulations.
- Note: any person who constitutes a "U.S. person" will not be considered a covered person unless the Attorney General has specifically designated them as such.
- Bulk U.S. Sensitive Personal Data – the
following types and quantities of data regardless of whether it is
anonymized, pseudonymized, de-identified or encrypted:
- Human genomic data, including the results of individual genetic testing or data from human genetic sequencing, regarding more than 100 U.S. persons.
- Biometric identifiers, including facial recognition, voice prints, retina and iris scans, and fingerprints, regarding more than 1,000 U.S. persons.
- Precise geolocation data, defined as real-time or historical data on an individual's location within 1,000 meters, regarding more than 1,000 U.S. devices (any device with the capacity to store or transmit data that is linked or linkable to a U.S. person).
- Personal financial data, including any information about an individual's financial accounts, including credit or consumer reports, regarding more than 10,000 U.S. persons.
- Personal health data, including physical measurements and attributes, diagnoses, and treatment history, regarding more than 10,000 U.S. persons.
- Covered personal identifiers regarding more than 100,000 U.S. persons. This category captures any "listed identifier" (government ID or account number, financial account or ID number, device/hardware-based identified, demographic or contact data, advertising identifier, account authentication data, network-based identifier such as an IP address, or call-detail data) in combination with another listed identifier or in combination with other data that is linked or linkable to other listed identifiers or personal data. Exclusions apply for (i) demographic or contact data that is only linked or linkable to other such data and (ii) network-based identifier, account-authentication data or call-detail data linked or linkable to other such data for the purposes of telecommunications, networking or a similar service.
- In cases where there is combined data regarding the above, the lowest applicable threshold that is met for a specific category will apply to the data set.
- Note that the following are excluded from the definition of
sensitive personal data:
- Data that does not relate to an individual, including trade secrets and proprietary information.
- Data that is a matter of public record that is lawfully and generally available to the public, such as from government records or unrestricted, open-access repositories.
- Personal communications that do not "involve the transfer of anything of value."
- Informational materials, which the proposed rule narrowly defines as "expressive material" such as art, publications, photographs, films, and records. Data that is technical, functional or otherwise non-expressive remains subject to the rule.
- Government-Related Data - the following data,
regardless of volume:
- Precise geolocation data for locations on a "Government-Related Location Data List" that have been deemed sensitive, which currently includes eight sites.
- Any sensitive personal data (as described above) that a transacting party markets as being linked or linkable to current or recent former employees or contractors, or former senior officials, of the U.S. government, including the miliary and intelligence community.
- Access – defined broadly as "any logical or physical access, including the ability to obtain, read, copy, decrypt, edit, divert, view, release, affect, alter the state of, or otherwise view or receive, in any form, including through information systems, IT systems, cloud-computing platforms, networks, security systems, equipment or software."
Prohibited Transactions
U.S. persons are prohibited from knowingly engaging in the following types of covered data transactions:
- Those involving data brokerage with a country of concern or a covered person. Data brokerage is defined broadly as the sale of data, licensing of access to data, or similar commercial transactions involving the transfer of data from any person to any other person (the recipient), if the recipient did not collect or process the data directly from the individuals linked or linkable to collected or processed data.
- Those involving data brokerage with any foreign
person who is not a covered person unless the U.S. person:
- Contractually requires that the foreign person refrain from engaging subsequent covered data transactions involving data brokerage of the same data with a covered foreign person or a country of concern.
- Reports any known or suspected violations of this contractual requirements consistent with certain requirements in the regulations.
- Those with a country of concern of a covered foreign person that involve access to bulk U.S. sensitive personal data related to bulk human genomic data, or to human biospecimens from which bulk human genomic data could be derived.
- Directing a transaction that would be a prohibited transaction or a restricted transaction that fails to meet the applicable requirements (discussed below), if such transaction was engaged in by a U.S. person.
- Evading or avoiding these prohibitions, such as by having a covered person travel to the U.S. for the sole purposes of rendering them a U.S. person for just the duration of the transaction.
In addition, any U.S. person that receives and affirmatively rejects an offer to engaged in a prohibited transaction involving data brokerage must report this instance to DOJ within 14 days of the rejection.
Restricted Transactions & Accompanying Compliance Obligations
The following transactions are restricted transactions meaning that a U.S. person may engage in them so long as they comply with the CISA security requirements and other ongoing compliance obligations, explained in more detail below.
- Covered data transaction involving a "vendor agreement," which is a non-employment agreement in which any person provides goods or services to another person, including cloud-computing services, in exchange for payment or other consideration.
- Covered data transaction involving an "employment agreement," which is an agreement in which an individual, other than as an independent contractor, performs work or performs job functions directly for a person in exchange for payment or other consideration, including employment on a board or committee, executive-level arrangements or services, and employment services at an operational level.
- Covered data transaction involving an "investor agreement," which is an agreement in which any person, in exchange for payment or other consideration, obtains direct or indirect ownership interests in or rights in relation to (1) real estate located in the United States; or (2) a U.S. legal entity
The CISA security requirements require any U.S. persons engaging in a transaction with a covered person that involves access to bulk sensitive data or government-related data in the context of a vendor agreement, an employment agreement, or an investment agreement must comply with organizational and system-level requirements set forth under the CISA proposed rule, to include: implementing basic organizational cybersecurity policies, practices, and requirements, such as logical and physical access controls; and implementing data-level requirements such as data minimization and masking, encryption, privacy-enhancing techniques, and denial of access.
In addition, under the proposed rule, U.S. persons engaging in restricted transactions will be required to:
- Engage in due diligence prior to pursuing any restricted transactions, which will involve utilizing "Know Your Customer/Know Your Vendor" programs to screen potential partners.
- Develop and implement a data compliance program that includes risk-based procedures for (i) verifying data flows; (ii) verifying vendors; (iii) a written policy that describes the data compliance program that is to be certified annually; (iv) a written policy describing the implementation of the CISA security requirements; and (v) any other information that DOJ may require.
- Annual audit of all restricted transactions.
- Recordkeeping for all restricted transactions going back at least 10 years, to be maintained in an auditable manner.
- Furnishing reports of any covered data transactions at DOJ's request.
- Annual report requirements for any transactions involving cloud-computing services where a covered person owns 25% or more of the U.S. person.
Exempt Transactions
The proposed rule exempts the following transactions that would otherwise be prohibited or restricted:
- Personal Communications – data transactions that involve any postal, telegraphic, telephonic or other personal communications that do not involve the transfer of anything of value.
- Information and Informational Materials – data transactions that involve the importation of information or exportation of any "information and informational materials" (defined above).
- Travel – data transactions that are ordinarily incident to travel to or from any country.
- Official Business of the U.S. Government – data transactions to the extent that they are for the conduct of official business of the U.S. government by its employees, grantees or contractors, such as activities specifically funded by federal grants or the authorized activity of federal departments.
- Financial Services – data transactions that are ordinarily incident to and part of the provision of financial services.
- Corporate Group Transactions – data transactions that (i) are between a U.S. person and its affiliates located in a country of concern; and (ii) are ordinarily incident to and part of administrative or ancillary business operations, such as the sending of bulk biometric information and personal health information about U.S. employees to a human resources department located abroad.
- Transactions to Comply with Law – data transactions that are (i) required or authorized under federal law or pursuant to an international agreement to which the U.S. is a party; (ii) required or authorized under certain global health agreements or frameworks; or (iii) ordinarily incident to and are part of ensuring compliance with federal laws.
- Investment Agreements Subject to CFIUS Action – data transactions to the extent that they involve an investment agreement subject to a Committee on Foreign Investment in the United States (CFIUS) action (e.g., a national security agreement).
- Telecommunications Services – data transactions, other than data brokerage, that are ordinarily incident and part of the provision of telecommunications services.
- Drug, Biological Product and Medical Device Authorizations – data transactions that are necessary to obtain or maintain regulatory approvals subject to certain conditions.
- Other Clinical Investigations and Post-Marketing Surveillance Data – data transactions ordinarily incident to and part of FDA clinical investigations and post marketing surveillance data demonstrating the real-world performance or safety of medications released on the market, such as the global collection of data on the side effects of a particular medication, including effects on U.S. persons, for safety or efficacy analysis outside the United States.
Authorizations and Advisory Opinions
DOJ can issue both general and specific licenses authorizing transactions that are otherwise subject to the prohibitions and restrictions of the rule. General and specific licensees may be required to file reports with DOJ as a condition of authorization. In addition, DOJ will permit U.S. persons to seek advisory opinions regarding DOJ's enforcement intentions regarding these regulations.
Penalties
Under the authority of the International Emergency Economic Powers Act, civil penalties for violations of this rule are capped at the larger of $368,136, subject to adjustment for inflation, or twice the amount of the violating transaction. Criminal penalties of up to $1 million or 20 years in prison may apply to willful violations.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.