LawFlash

DOJ Proposes Rules to Restrict US Data Transfers to Countries of Concern

13. November 2024

The US Department of Justice (DOJ) on October 21, 2024 issued a Notice of Proposed Rulemaking (NPRM), through its Foreign Investment Review Section (FIRS), to implement Executive Order (EO) 14117, titled Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern. The lengthy and detailed NPRM introduces proposed rules aimed at restricting data transactions that could expose certain sensitive personal data or government-related data to “foreign adversaries.”

Following up on its previous Advance Notice of Proposed Rulemaking (ANPRM) in February, 2024, which was issued concurrent with US President Joseph Biden’s EO 14117, the NPRM reflects both the input gathered from public comments submitted in response to the ANPRM and the government’s further thinking about how broadly to regulate cross-border personal data transfers to countries of concern. For more details about the underlying EO and ANPRM, please see our previous LawFlash on the topic.

Published in the Federal Register on October 29, the new NPRM opens a 30-day public comment period through November 29, 2024. Although no implementation date has been set for the final rules, it is possible DOJ could seek to finalize the regulations by year-end or in early 2025, despite challenges posed by the upcoming presidential transition. Regardless of the effective date, the regulations raise significant new compliance requirements for companies that handle various types of data, and it is therefore important that companies and their counsel understand the proposed rules so they are prepared to manage potential changes to business operations and compliance programs.

KEY ELEMENTS AND DEFINITIONS OF THE PROPOSED RULE

The NPRM proposes specific restrictions on data transactions involving countries and entities that pose potential national security risk. Some of the key elements of the regulations and relevant definitions are summarized below and indicate the likely scope of the potential regulatory regime.

Countries of Concern

Consistent with the ANPRM, the rule explicitly identifies six nations, each of which it names as a “country of concern”—China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela—citing these nations’ engagement in behavior deemed harmful to US national security. This list extends beyond China, in contrast to other national security regulatory regimes, such as the pending regulations on outbound investment issued pursuant to EO 14105, that are focused solely on China (including Hong Kong and Macau).

Covered Persons

The regulations will apply to certain data transactions with a “covered person.” Covered persons” currently include, among others, foreign entities owned 50% or more by a country of concern; foreign entities organized or chartered under the laws of, or having their principal places of business in, a country of concern; and foreign entities 50% or more owned by one of the previous two types of covered persons.

In addition to those and other types of covered persons, the US Attorney General may designate specific persons as covered persons if they meet certain criteria, adding another government “blacklist” to existing lists such as the US Department of Commerce’s Entity List, the US Department of the Treasury’s Specially Designated Nationals (SDN) List, and the Federal Communications Commission’s Covered List. The list of covered persons designated by the Attorney General is not limited to foreign persons and can include US persons as well—for instance, if the US (or foreign) person acts on behalf of a country of concern or a covered person.

Covered Data Transactions

The proposed rules would apply to any “covered data transaction,” which includes four basic types of transactions: (1) data brokerage, (2) vendor agreements, (3) employment agreements, and (4) investment agreements. Furthermore, covered data transactions are defined as ones that involve either government-related data or bulk US sensitive personal data.

Bulk Sensitive Personal Data and Government-Related Data

The NPRM proposes six categories of “sensitive personal data,” as well as specific bulk thresholds that would trigger the regulations:

  1. Covered Personal Identifiers (Bulk threshold: 100,000+ US persons)
  2. Precise Geolocation Data (Bulk threshold: 1,000 US persons)
  3. Biometric Identifiers (Bulk threshold: 1,000 US persons)
  4. Human Genomic Data (Bulk threshold: 100 US persons)
  5. Personal Health Data (Bulk threshold: 10,000 US persons)
  6. Personal Financial Data (Bulk threshold: 10,000 US persons)

Government-related data is treated with heightened sensitivity, carrying no bulk threshold requirement. Government-related data includes (1) specific government location data, to be listed on the DOJ’s public Government-Related Location Data List (which generally includes worksite or duty stations, military installations, and facilities supporting national security, defense, intelligence, law enforcement, or foreign policy missions), and (2) data linked to current or former senior US government personnel (including the military and intelligence community, as well as US government contractors).

Prohibitions and Restrictions

The NPRM specifies transactions that are entirely prohibited versus those that may proceed with added security requirements:

  • Prohibited transactions: A total ban applies to two types of transactions: (1) data brokerage and (2) transactions involving bulk human genomic data, or human biospecimens from which bulk human genomic data could be derived
  • Restricted transactions: Vendor agreements, employment contracts, and investment agreements are restricted but allowed under stringent security measures, provided these meet certain standards set by the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA)

Although the prohibitions and restrictions generally apply only to transactions between US persons and foreign persons, there are several circumstances in which the regulations are not quite that straightforward. First, even a foreign-to-foreign transaction may be swept into the scope of the regulations if a US person knowingly directs the transaction, which involves having and exercising the authority, individually or as part of a group, to make decisions. In addition, because, as noted above, the Attorney General can designate even US persons as covered persons in certain circumstances, there may be situations in which even a US-to-US transaction is covered by the regulations.

With respect to prohibited data brokerage transactions, it is important to be aware that the regulations also include a degree of restriction with respect to data brokerage transactions with foreign entities that are not covered persons. Specifically, in order for a US person to engage in a covered data transaction involving data brokerage with a foreign person who is not a covered person, the US person must contractually require that the foreign person refrain from engaging in a subsequent data transaction involving data brokerage of the same data with a country of concern or covered person.

With respect to restricted transactions involving vendor, employment, and investment agreements, CISA concurrently published its proposed security requirements for public comment. Among the requirements CISA is currently considering are the following:

  • At the organizational and system level, entities are required to maintain an updated inventory of all assets involved in restricted transactions, ensuring transparency and accountability in asset management. Designated leadership, such as a Chief Information Security Officer, must oversee cybersecurity and governance, risk, and compliance (GRC) functions to ensure adherence to these protocols. Addressing vulnerabilities is also critical, with mandatory remediation timelines set for known issues—14 days for critical vulnerabilities and 30 days for high-severity ones. Additionally, contracts with third-party suppliers must include robust cybersecurity clauses, and network topologies for covered systems should be mapped to enable real-time monitoring of connections. Access controls, including multifactor authentication and immediate revocation of access when personnel roles change, are essential, while incident response plans must be regularly updated to handle potential breaches effectively.
  • At the data level, the requirements prioritize minimizing exposure to sensitive information through data minimization and masking techniques like aggregation, pseudonymization, and anonymization. Such methods reduce the risk of unauthorized access to identifiable information. Encryption is a cornerstone of the data protection strategy, with all sensitive data required to be encrypted during transmission and storage. Only secure, industry-standard protocols, such as TLS 1.2 or higher, are permitted, and encryption keys must be carefully managed and stored separately from the data itself (of course, encryption standards may change based on technological developments including but not limited to quantum computing). Additionally, privacy-enhancing technologies, including homomorphic encryption, are encouraged to prevent data reconstruction or linkage to US persons, thereby maintaining privacy even in data analysis scenarios. Finally, stringent identity and access management practices are mandated to restrict data access to only authorized personnel and exclude countries of concern.

Exemptions, Licensing, and Advisory Opinions

The NPRM includes several proposed exemptions. Although each one has specific contours and limitations, at a high level, the exemptions cover the following:

  • Personal communications
  • Information or informational materials
  • Travel
  • Official US Government business
  • Financial services
  • Corporate group transactions
  • Transactions required or authorized by federal law or international agreements, or necessary for compliance with federal law
  • Investment agreements subject to an action by the Committee on Foreign Investment in the United States (CFIUS)
  • Telecommunications services
  • Drug, biological product, and medical device authorizations
  • Other clinical investigations and post-marketing surveillance data

We emphasize that the applicability of an exemption will need to be carefully analyzed and will be a fact-specific determination. For example, the exemptions for financial services and for telecommunications involve transactions that are ordinarily incident to and part of the provision of, respectively, financial and telecommunications services, which will encompass some but certainly not all transactions by financial and telecommunications companies.

For transactions not meeting any exemptions, the proposed rules authorize DOJ to issue general licenses that would apply to a class of transactions, as well as specific licenses for specific transactions by parties that apply for and disclose details of their intended transactions in a license application. The proposed rule sets out the requirements and procedures for the issuance of general and specific licenses, including the process to apply for a specific license or seek reconsideration of a denied license based on new information. In addition, similar to some other regulatory regimes, the proposed rules permit DOJ to issue general public guidance to address frequently asked questions and common issues, as well as regulated parties to request advisory opinions to address the applicability of the regulations to specific transactions.

Compliance and Reporting Requirements

The NPRM includes rigorous compliance measures, as well as enforcement mechanisms for any violations. US persons engaging in restricted transactions would be required to take certain affirmative steps:

  • Due diligence: Companies would be required to establish compliance programs and do adequate diligence on covered transactions
  • Recordkeeping: Companies would be required to maintain transaction records, including sensitive data types, data flow logs, and vendor information, with records retained for 10 years
  • Auditing: Companies would be required to obtain independent annual audits to verify compliance with CISA’s security standards and other requirements

To enhance oversight and ensure that US persons are accountable in managing data transactions, the proposed rules introduce specific reporting requirements. Key reporting obligations include the following:

  • Annual reports for certain cloud computing transactions: US persons involved in restricted transactions with cloud computing services that are at least 25% owned, directly or indirectly, by a country of concern or a covered person must submit annual reports
  • Reports of rejected offers to engage in a prohibited transaction: Any US person who has received and explicitly declined an offer to engage in a prohibited transaction involving data brokerage is required to file a report. This obligation exists even if the offer is automatically rejected using software, technology, or automated tools
  • Reports of violation of contractual restrictions on data brokerage transactions: US persons engaged in data brokerage transactions with foreign non-covered persons must report if they know or suspect the foreign counterparty is violating restrictions on resale or onward transfer to countries of concern or covered persons

KEY TAKEAWAYS AND NEXT STEPS

The proposed regulations represent a major step in US efforts to secure data. Although the new regulations are not intended to be a GDPR-like regime that regulates data privacy, and rather are focused more narrowly on data transactions that present potential national security risk, if implemented, they will still create broad new requirements for data transactions that had previously been unregulated. Moreover, many companies that do not think of themselves as data companies because they collect data incidentally rather than as part of their core mission, nevertheless would be subject to the regulations.

Although the regulations would have the greatest direct effect on US companies and companies located in the six countries of concern, the regulations would have indirect effects on companies from other nations as well. Most obviously, many multinational companies may have subsidiaries and other activities in the United States and/or in countries of concern. In addition, as discussed above, for data brokerage transactions between US persons and foreign persons that are not covered persons, the US parties would need to obtain contractual assurances that the foreign persons will not transfer the data to covered persons in a subsequent data brokerage transaction.

For affected US companies, the compliance requirements would require new burdens. Even for covered transactions that are not prohibited, in addition to abiding by the applicable security requirements, the US companies would need to maintain records, commission audits, and in some instances, provide reporting to the government. Additionally, even companies that engage in no covered data transactions whatsoever could still be required to submit a report to the government if they receive and reject an offer to engage in a prohibited data brokerage transaction.

The public comment period closes November 29 and offers stakeholders an opportunity to influence the rule’s final version by addressing specific concerns or suggesting refinements. Companies are encouraged to submit comments to address any potential unintended consequences of the regulations, anticipated compliance challenges, and other matters and to monitor comments advocating positions that could impact the final regulations.

Although the government is facing a presidential transition that will have significant effects on many existing and contemplated regulations, this new regulatory regime may not be affected by the transition. Although DOJ’s Foreign Investment Review Section would need to hire personnel in order to fully implement the new regulatory regime, in the short term we anticipate the office would begin implementation with its current resources. In the meantime, it would be prudent for companies to proactively assess their data governance practices to determine the effect of the regulations on business operations, plan for any necessary adjustments to business operations, and make at least preliminary plans for implementing appropriate compliance programs.

David Plotinsky, one of the authors of this LawFlash, previously served as acting chief of DOJ’s Foreign Investment Review Section, the office charged with developing and implementing the new regulations discussed herein.

Contacts

If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following: