ARTICLE
9 May 2025

DOJ Publishes Final Rule Restricting Bulk Cross-Border Data Transfers Of Sensitive Data To Foreign Persons

Bass, Berry & Sims


On April 8, the U.S. Department of Justice's (DOJ) Final Rule, codified at 28 CFR Part 202, (Final Rule), implementing President Biden's Executive Order 14117 "Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons," came into effect. The Final Rule prohibits or restricts certain bulk transfers of sensitive personal data or U.S. government-related data to certain countries of concern and certain entities and individuals that reside in or are otherwise associated with a country of concern. The Final Rule imposes both civil and criminal penalties on offenders. The Final Rule has a far-reaching effect, influencing various activities from mergers & acquisitions to employment contracts, data licensing, and supplier management. As data exposure has shifted from being a privacy matter to an issue of national security, companies across industries need to reevaluate their cross-border data transfers and compliance measures.

Countries of Concern and Covered Persons

The Final Rule prohibits or restricts certain transactions involving transfers of covered data to certain countries of concern, including China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela (Countries of Concern).

The Final Rule also prohibits or restricts the following "Covered Persons" from accessing the covered data:

  1. A foreign person that is an entity that is 50% or more owned, directly or indirectly, by themselves or together, by one or more Countries of Concern or Covered Persons; or is organized or chartered under the laws of or has its principal place of business in a Country of Concern.
  2. A foreign person that is an entity that is 50% or more owned, directly or indirectly, by themselves or together, by one or more Covered Persons.
  3. A foreign employee or contractor of a Country of Concern or of a Covered Person.
  4. A foreign individual who primarily resides in a Country of Concern.
  5. Any entity or individual (including U.S. persons) that the Attorney General determines is or is likely to become owned, controlled by, subject to the jurisdiction of, or act on behalf of a Covered Person or Country of Concern. Those determined by the Attorney General to be Covered Persons will be published in the Federal Register and National Security Division's Covered Persons List and take effect immediately.

Covered Data

The Final Rule regulates certain transactions involving primarily six types of sensitive personal data above a certain volume threshold (Bulk U.S. Sensitive Personal Data) and two types of government-related information regardless of the data processing volume. Bulk U.S. Sensitive Personal Data includes certain categories of data, but only if exceeding a threshold amount in the preceding 12 months, which threshold depends on the category of data.

The following are the relevant categories and related thresholds:

Category of U.S. Sensitive Personal Data | Bulk Threshold | Definition
Human genomic data (a defined term under the Final Rule) | More than 1,000 U.S. persons | Human genomic, transcriptomic, and epigenomic data.
Precise geolocation data | More than 1,000 U.S. devices | Data identifying the location of an individual or device with a precision of 1,000 meters.
Biometric identifiers | More than 1,000 U.S. persons | Measurable physical characteristics or behaviors used to identify an individual.
Personal health data | More than 10,000 U.S. persons | Data that describes the physical or mental health or condition of an individual; the provision of healthcare to an individual; or payment for the provision of healthcare.
Personal financial data | More than 10,000 U.S. persons | Data about an individual's credit, charge, or debit card, or bank account, including purchases and payment history; data in a bank, credit, or other financial statement, including assets, liabilities, debts, or trades in a securities portfolio; or data in a credit report or in a "consumer report."
Covered personal identifiers | More than 100,000 U.S. persons | Any of the following Listed Identifiers in combination with or linked to another Listed Identifier or sensitive personal data: government ID number, demographic or contact data*, advertising identifier, account-authentication data, network-based identifier (e.g. IP or cookie data), call-detail data, SIM card number, MAC address, or IMEI.

Category of U.S. Government-Related Data | Bulk Threshold | Definition
Precise geolocation data | Any amount | Precise geolocation data gathered from specific locations set forth in the Final Rule. The specified locations are primarily buildings and facilities tied to national security.
Employee/contractor sensitive personal data | Any amount | Sensitive personal data (meaning any of the data categories identified in the table above) marketed as linked or linkable to current or recent U.S. government employees or contractors.

The above limits for both U.S. sensitive personal data and U.S. government-related data apply regardless of whether the data is anonymized, pseudonymized, de-identified or encrypted, and whether or not transferred through a single or multiple covered data transactions.

Prohibited, Restricted, and Exempt Transactions

The Final Rule establishes sweeping prohibitions and restrictions on data transactions that could grant access to U.S. sensitive personal data or government-related information by Covered Persons or Countries of Concern, with implications affecting M&A, real estate, employment, higher education, and commercial vendor agreements.

Obligations for businesses engaged in restricted transactions include implementing security requirements set forth by the Cybersecurity and Infrastructure Security Agency, complying with audit and diligence obligations, and establishing a comprehensive data compliance program that includes written policies for vendor identity verification and implementation of security requirements.

Prohibited Transactions

Prohibited transactions are those in which a U.S. person may not knowingly engage at all, because they would give a Country of Concern or Covered Person access to certain Covered Data.

The Final Rule prohibits two types of transactions:

  1. Data Brokerage: the sale of data, licensing of access to data, or similar transactions, involving the transfer of data from any person (the provider) to any other person (the recipient), where the recipient did not collect or process the data directly from the individuals linked or linkable to the collected or processed data. Data brokerage transactions with any foreign person that is not a Covered Person require additional contractual obligations and reporting obligations.
  2. Any data brokerage, vendor agreement, employment agreement, or investment agreement (each defined below) that involves access to either human genomic data of more than 1,000 U.S. persons or human biospecimens.

Restricted Transactions

Subject to certain exemptions, the Final Rule restricts U.S. entities and individuals from knowingly engaging in the following three categories of transactions with a Covered Person or Country of Concern unless the U.S. entity or person entering into the data transaction complies with certain security requirements:

  1. Vendor Agreements: agreements other than employment agreements, in which any person provides goods or services to another person.
  2. Employment Agreements: agreements in which an individual, other than as an independent contractor, performs work or performs job functions directly for a person.
  3. Investment Agreements: agreements in which a person exchanges payment for ownership interests or rights in U.S. real estate or U.S. legal entities (excluding certain passive investments).

Exempt Transactions

The Final Rule exempts several categories of transactions, primarily related to governmental activity. Exempted transactions include those related to:

  • Personal communications
  • Expressive materials
  • Data incidental to travel
  • Official business of the U.S. government
  • Certain financial services
  • Certain transactions with subsidiaries and affiliates
  • Transactions required or authorized by federal law or international agreements, or necessary for compliance with federal law
  • Investment agreements subject to a Committee on Foreign Investment in the United States (CFIUS) action
  • Telecommunication services
  • Drug, biological product, and medical device authorizations
  • Other clinical investigations and post-marketing surveillance data
  • Transactions licensed by the DOJ pursuant to an application by a U.S. entity (which may be subject to additional data protection obligations)

Penalties and Next Steps

The Final Rule represents a significant shift in how companies must manage cross-border data risks associated with sensitive data. Businesses whose operations might include access to personal information by Countries of Concern or Covered Persons should take immediate steps to identify entities and persons with access to sensitive information, the types of data being transferred and/or accessed, risk exposure, and applicable contracts, and then implement any required data protection processes.

Such processes include implementing required contractual language; record-keeping requirements; security requirements; data compliance programs (including due diligence, audits, and personnel training); and, in some cases, applying for specific licenses from the DOJ. The DOJ has already published additional FAQs and guides for building data compliance programs in accordance with the Final Rule. Proactive compliance will be key as enforcement begins and further DOJ guidance emerges.

Entities that fail to comply may be subject to civil penalties of up to the greater of $368,136 or twice the amount of the transaction. For willful violations, criminal penalties include fines of up to $1 million and up to 20 years' imprisonment.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
