October 24, 2024

Department of Justice Issues Notice of Proposed Rulemaking to Regulate Export of Sensitive Personal Data

Share

On October 21, 2024, the Department of Justice (DOJ) released an unpublished Notice of Proposed Rulemaking (NPRM), Provisions Pertaining to Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons. DOJ intends to publish the NPRM in the Federal Register on October 29. As directed by President Joe Biden’s Executive Order 14117 and previewed in DOJ’s Advanced Notice of Proposed Rulemaking (ANPRM) in March 2024 (which we analyzed in a Legal Update), the proposed rule would establish a new national security program to prohibit or restrict US persons from engaging in certain categories of data transactions with countries of concern and covered persons involving the transfer of US government-related data or bulk US sensitive personal data.

Below, we summarize the key provisions of the NPRM, as well as key distinctions from the ANPRM issued in March. If published on October 29, interested persons have until November 28, 2024 to comment on the NPRM. No legal restrictions will be operative unless and until a Final Rule is ultimately promulgated. Note that there is a separate process to comment on the Proposed Security Requirements for Restricted Transactions issued by the Cybersecurity and Infrastructure Security Agency (CISA).

Key Takeaways

  • The NPRM closely tracks the program contemplated by the ANPRM in March and expands on topics such as applicable thresholds for “bulk” sensitive personal data, security requirements, compliance, and exempted transactions.
  • If the NPRM is implemented in current form, certain categories of transactions between US persons and persons and entities with a nexus to China or other countries of concern and involving several broad categories of data (including precise geolocation, biometric, human genomic, health, financial, personal identifiers, and government-related data) will be permitted only if the US person complies with certain security requirements or, in a unique circumstance, obtains a license from DOJ. In addition, US persons engaging in these transactions would have to adhere to certain recordkeeping, due diligence, and audit requirements.
  • The NPRM contains more than 300 pages of supplementary material, including commentary on elements of the proposed rule. DOJ notes multiple times throughout the commentary that it is still considering how to address certain definitions and requirements. In addition, the proposed rule contains several examples designed to demonstrate its mechanics and limits.

Summary of Proposed Rule

Covered Data Transactions: As in the ANPRM, the proposed rule identifies categories of covered data transactions between US persons and countries of concern or covered persons that involve access to either government-related data or bulk US sensitive personal data, and, depending on the nature of the transaction, either prohibits it outright or restricts the transaction, contingent on compliance with certain security requirements.

Prohibited Data Transactions: As under the ANPRM, the NPRM would prohibit US persons from “knowingly” engaging in or directing the following categories of transactions involving countries of concern or covered persons: (1) data-brokerage transactions, and (2) genomic data transactions involving the transfer of bulk human genomic data or biospecimens from which such data can be derived.

Key Addition: The NPRM would also prohibit US persons from “knowingly” engaging in a covered data transaction involving data brokerage with any foreign person that is not a covered person unless the US persons requires the foreign person to agree, by contract, not to engage in a subsequent data-brokerage transaction of the same data with a country of concern or covered person. In addition, US persons must report any known or suspected violations of this contractual requirement within 14 days of becoming aware of such violations.

Restricted Data Transactions: As under the ANPRM, the NPRM would prohibit US persons from “knowingly” engaging in or directing the following categories of transactions involving countries of concern or covered persons unless they comply with certain security requirements: (1) vendor agreements involving the provision of goods and services (including, for example, cloud-service agreements); (2) employment agreements (e.g., with a US company’s foreign IT staff located in a country of concern, or with a CEO who qualifies as a covered person); and (3) non-passive investment agreements (i.e., those that convey ownership interest or rights in exchange for payment or other considerations).

Key Difference: The NPRM excludes “passive investments” from the definition of “investment agreement,” including investments in publicly traded securities, securities offered by any investment company, and as a limited partner in a pooled investment fund (if certain conditions are met).

Key Addition: CISA has proposed specific security requirements for restricted transactions that build upon the proposals in the APRM. Such requirements include:

  • organizational-level requirements such as asset management, designating an individual accountable for cybersecurity, and patching vulnerabilities quickly and routinely;
  • system-level1 requirements such as implementing multifactor authentication on all covered systems, collecting logs, and limiting system access to only individuals who need it to perform their jobs; and
  • data-level requirements such as implementing a data retention and deletion policy, processing data in such a way to either render it no longer covered data or to minimize the linkability to US persons, and applying encryption during transit and storage.

For purposes of the NPRM, a US person acts “knowingly,” if the person had actual knowledge or reasonably should have known about particular conduct, circumstances, or results. The NPRM makes clear that in evaluating what a US person reasonably should have known, DOJ will consider all of the facts and circumstances surrounding the transaction.

Covered Data: The NPRM applies the prohibitions and restrictions to covered data transactions involving “sensitive personal data” relating to US persons in any format that exceeds certain bulk volume thresholds and government-related data (in any volume), regardless of whether the data is anonymized, pseudonymized, de-identified, or encrypted. Sensitive personal data includes:

(1) covered personal identifiers (listed identifiers (e.g., government ID number, financial account number, device-based identifier, demographic or contact data, etc.) linked to any other listed identifiers);
(2) precise geolocation data;
(3) biometric identifiers;
(4) human genomic data;
(5) personal health data; and
(6) personal financial data.

Key Addition: The NPRM interprets “bulk” as the following amounts of sensitive data meeting or exceeding the following thresholds at any point in the preceding 12 months, whether through a single transaction or aggregated across multiple transactions involving the same US person and the same foreign or covered person.

(a) Human genomic data collected about or maintained on more than 100 US persons;
(b) Biometric identifiers collected about or maintained on more than 1,000 US persons;
(c) Precise geolocation data collected about or maintained on more than 1,000 US devices;
(d) Personal health data collected about or maintained on more than 10,000 US persons;
(e) Personal financial data collected about or maintained on more than 10,000 US persons;
(f) Covered personal identifiers collected about or maintained on more than 100,000 US persons; or
(g) Combined data, meaning any collection or set of data that contains more than one of the categories in paragraphs (a) through (g), or that contains any listed identifier linked to categories in paragraphs (a) through (e), where any individual data type meets the threshold number of persons or devices collected or maintained in the aggregate for the lowest number of US persons or US devices in that category of data.

Government-related data includes precise geolocation data associated with military or other sensitive government functions or sensitive personal data sets explicitly linked to recent former employees, contractors, or officials of the US government.

Countries of Concern: The NPRM identifies the following countries of concern: China, Cuba, Iran, North Korea, Russia, and Venezuela.

Covered Persons: The NPRM proposes the following categories of covered persons:  

(1) A foreign person that is an entity that is 50% or more owned, directly or indirectly, by a country of concern, or that is organized or chartered under the laws of, or has its principal place of business in, a country of concern;

(2) A foreign person that is an entity that is 50% or more owned, directly or indirectly, by an entity described in paragraph (1) of this section or a person described in paragraphs (3), (4), or (5);

(3) A foreign person that is an individual who is an employee or contractor of a country of concern or of an entity described in paragraphs (1), (2), or (5);

(4) A foreign person that is an individual who is primarily a resident in the
territorial jurisdiction of a country of concern; or

(5) Any person, wherever located, determined by the Attorney General:

(i) To be, to have been, or to be likely to become owned or controlled by or subject to the jurisdiction or direction of a country of concern or covered person;

(ii) To act, to have acted or purported to act, or to be likely to act for or on behalf of a country of concern or covered person; or

(iii) To have knowingly caused or directed, or to be likely to knowingly, cause or direct a violation of this part.

Exempt Data Transactions: The NPRM would include the list of exempt data transactions proposed by the ANPRM, including data transactions to the extent that they: involve personal communications or information or informational materials (as IEEPA uses those terms); are for official business of the United States government; are incident to and part of the provision of financial services (e.g., banking, payment processing, etc.); are incident to and part of ancillary business operations (such as payroll or human resources) within multinational US companies; or are required or authorized by federal law or international agreements.

Key Addition: In addition to the above transactions, the NPRM would also exempt the following data transactions:

  • Data transactions to the extent that they are ordinarily incident to travel to or from any country;
  • Data transactions to the extent that they involve an investment agreement that is subject to a CFIUS action;
  • Data transactions, other than those involving data brokerage, to the extent that they are ordinarily incident to and part of the provision of telecommunications services, including international calling, mobile voice, and data roaming;
  • Data transactions that involve “regulatory approval data” and are necessary to obtain or maintain regulatory approval to market a drug, biological product, or device in a country of concern; or
  • Data transactions to the extent that they are ordinarily incident to and part of clinical investigations regulated by the US Food and Drug Administration (FDA) or the collection or processing of clinical data indicating real-world performance or safety of products, or the collection or processing of post-marketing surveillance data, and necessary to support or maintain authorization by the FDA, provided the data is deidentified.

Licensing and Advisory Opinions: The NPRM would provide a process for DOJ to issue general licenses authorizing a class of transactions and specific licenses authorizing a particular transaction. The NPRM also would include an advisory opinion process, and provides details on the requirements for requesting an advisory opinion and the effect of advisory opinions.

Compliance and Enforcement: There are no general recordkeeping or due-diligence requirements applicable to all US persons engaged in data transactions with foreign persons. However, the NPRM would require US persons engaging in restricted transactions to comply with due diligence, recordkeeping, and audit requirements.

US persons engaging in restricted transactions would have to implement a data compliance program including risk-based procedures for verifying data flows, types and quantities of data involved in the transaction, the identity of the transaction parties, and the end-use of the data, among other requirements. These persons would also have to keep full and accurate records of each restricted transaction and keep the records available for examination for at least 10 years after the date of such transaction (the length of the statute of limitations for violations of IEEPA). In addition, US persons engaging in restricted transactions would also have to obtain an annual independent third party audit of such transactions and compliance program for each calendar year in which they engage in a restricted data transaction.

Key Addition: The NPRM would require US persons to file an annual report if they
engage in restricted transactions involving cloud-computing services where 25 percent or more of that US person’s equity interests are owned (directly or indirectly, through any contract, arrangement, understanding, relationship, or otherwise) by a country of concern or covered person.

Key Addition: The NPRM would require US persons to file a report if they have received, and affirmatively rejected, an offer from another person to engage in a prohibited transaction involving data brokerage. The report must include basic details of the transaction and the types and volumes of covered data involved in the transaction.

DOJ would have authority to investigate violations of the Rule and seek civil or criminal penalties under IEEPA. As with other IEEPA programs, the NPRM includes a process for pre-penalty notice, in which an alleged violator that is subject to a civil monetary penalty would have an opportunity to respond to a notice informing the violator of DOJ’s intent to impose such a penalty. The alleged violator would have an opportunity to respond and initiate settlement discussions before DOJ imposes a final penalty.

Conclusion

Companies that engage in cross-border data transfers involving sensitive data or that have business or operational connections with countries of concern or covered persons should read the NPRM carefully to determine their potential risk.

 


 

1 “Covered system” means an information system used to obtain, read, copy, decrypt, edit, divert, release, affect, alter the state of, view, receive, collect, process, maintain, use, share, disseminate, or dispose of covered data as part of a restricted transaction, regardless of whether the data is encrypted, anonymized, pseudonymized, or de-identified.

Related Services & Industries

Stay Up To Date With Our Insights

See how we use a multidisciplinary, integrated approach to meet our clients' needs.
Subscribe