Another Brick in the Wall: Regulatory Regime Established to Protect US Sensitive Personal Data From ‘Countries of Concern’

In a significant move to safeguard sensitive personal data of US persons, President Joseph Biden issued an executive order (EO) titled Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern. Concurrent with the EO, the US Department of Justice’s (DOJ’s) National Security Division published a draft Advance Notice of Proposed Rulemaking (ANPRM) to establish a program to implement the EO and to solicit public comments.

Under the new regime, even many companies that do not think of themselves as data companies will be faced with new restrictions on business activities that could result in the transfer of certain data to designated countries. The program aims to safeguard a wide array of sensitive personal data, which may be transferred to countries the US government identifies as involving particular concern, through data aggregators, investment relationships, vendor agreements, or employment agreements. The program represents the next step in what has generally been an incremental approach by the US government to address the risk to data, particularly as the risk relates to national security interests.

Background

Although the program is designed to fill a gap in current legal authorities, both the EO and ANPRM draw heavily from related government efforts to protect data in other contexts. In particular, it is evident that in conceptualizing and developing the program, the White House and the interagency took into consideration both the tools and the limitations of at least four existing regulatory processes:

• The Committee on Foreign Investment in the United States (CFIUS)
• The Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector (more commonly known as Team Telecom)
• The process to regulate supply chain security for information and communications technology and services (ICTS) led by the US Department of Commerce (DOC) under EO 13873, Securing the Information and Communications Technology and Services Supply Chain
• Export control, sanctions, and other national-security and law-enforcement regulations

In fact, the new EO explicitly states that it expands the scope of the national emergency declared in EO 13873 in order to counter the “unusual and extraordinary threat” by certain countries of concern to access and exploit Americans’ bulk sensitive personal data and US government-related data.

One of us (David) was the original drafter of EO 13873 at DOJ, and that authority was intended to provide jurisdiction over transactions not covered by CFIUS, Team Telecom, or other authorities. The new EO, in turn, regulates transactions potentially outside the scope of EO 13873—as well as those other authorities—and thereby adds another brick to the wall the government has been gradually building to keep certain data from getting transferred to China and other “countries of concern.”

This LawFlash provides a summary of some of the key elements of the program—see the Key Elements of the Program section below—but at the outset we note a few especially significant considerations:

• It is important to bear in mind that the program is focused specifically on data protection from a national security standpoint, as opposed to a general privacy standpoint. The program is intentionally not designed to establish a broader privacy framework, such as the European Union’s General Data Protection Regulation (GDPR). For that reason, although the program will certainly create significant new compliance obligations that will affect a variety of companies, the level of burden will be substantially lower than that of GDPR compliance.
• Nevertheless, the program will mark a significant departure from current data privacy rules in the United States, which in most cases allow for the free transfer of personal data of US citizens throughout the world, specifically eschewing data transfer restrictions that have become more common in other countries.
• The potential scope of the program is quite broad and will cover an array of transactions related to data brokerage, vendor agreements, investment agreements, and employment agreements. Although the program will not involve a case-by-case review of transactions, it will include a licensing process as well as a process for requesting advisory opinions.
• The EO is issued pursuant to the International Emergency Economic Powers Act (IEEPA) and the National Emergencies Act (NEA), but the new authority is not self-executing and for the most part will not be immediately effective. Rather, the EO tasks DOJ with initiating a rulemaking proceeding to develop and promulgate implementing regulations.
• DOJ issued the ANPRM concurrent with issuance of the EO, and there will be a 45-day public comment period after the ANPRM is published in the Federal Register. Following the public comment period and further government deliberations, DOJ will issue an NPRM within 180 days of the EO (i.e., by approximately August 26, 2024), which will contain draft regulatory language and will trigger another round of public comments before final regulations are ultimately issued.
• Although the length of the rulemaking process may make it challenging for the government to issue regulations by the end of the year, the process will enable the government to gather feedback—both in advance of drafting proposed rules and on the proposed rules themselves—which will provide parties, including industry and other stakeholders and experts, with multiple opportunities to engage with the executive branch as the new regulatory regime is developed.

Key Elements of the Program

Leadership

The EO designates DOJ as the lead agency in this initiative, and indications are that DOJ’s role will be carried out through its National Security Division (NSD), and specifically NSD’s Foreign Investment Review Section (FIRS). One of us (David again) previously ran FIRS while at DOJ, and based on that experience, we assess that DOJ was likely selected to lead this policy initiative based on FIRS’s extensive involvement in identifying and addressing risk to sensitive personal data in the context of CFIUS and Team Telecom reviews. Although DOJ will coordinate as needed with interagency partners, including the DOC, putting a law enforcement and national security agency in charge of this effort, rather than an agency with a primarily economic mission, may presage aggressive use of the new legal authority.

Process

Unlike CFIUS and Team Telecom, the ANPRM provides that transactions will not be reviewed by the government on a case-by-case basis. Rather, the regulations will establish generally applicable rules for engaging in specific categories of data transactions, and companies will be responsible for deciding on their own whether transactions are covered and—as discussed in more detail below—will be subject to enforcement actions if they decide incorrectly. This element of the new regime is similar to EO 14105, issued last summer to establish new restrictions on US outbound investment in China (often referred to, although somewhat inaccurately, as a “reverse CFIUS” regime).

Although those regulations remain pending with the US Department of the Treasury (Treasury), one potential concern is the compliance jeopardy for companies. Perhaps in recognition of those concerns, the program provides that although transactions will not be reviewed by the government, there will be mechanisms for companies to seek licenses and advisory opinions in advance of engaging in a transaction. The program also exempts transactions that are incidental and ordinary to companies’ daily operations to further limit unintended consequences.

Countries of Concern

The program specifically identifies six “countries of concern,” aligning with the DOC’s designation of the same six “foreign adversaries” pursuant to its EO 13873 authorities—but in contrast to EO 14105 on outbound investment, which named only China. Currently, the six countries of concern include China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela.

Covered Persons

The program defines four categories of covered persons, which are (1) “an entity owned by, controlled by, or subject to the jurisdiction or direction of a country of concern”; (2) “a foreign person who is an employee or contractor of such an entity;” (3) “a foreign person who is an employee or contractor of a country of concern;” and (4) “a foreign person who is primarily resident in the territorial jurisdiction of a country of concern.”

However, the program specifically excludes US citizens, lawful permanent residents, those located in the United States, and any entity organized solely under US laws and jurisdiction. The EO also authorizes DOJ to publish a public list designating other specific entities or individuals as covered persons if they meet certain criteria, such as being owned or controlled by or subject to the jurisdiction or direction of a country of concern or acting on behalf of a country of concern or another covered person.

Categories of Sensitive Personal Data

The EO defines “sensitive personal data” to cover transactions involving six defined categories of bulk US sensitive personal data, or any combination thereof. Those categories are (1) covered personal identifiers, (2) geolocation and related sensor data, (3) biometric identifiers, (4) human ‘omic data (that is not a typo; see explanation below), (5) personal health data, and (6) personal financial data. The ANPRM proposes to further define these categories:

• For covered personal identifiers, to include a comprehensive list of listed identifiers to include, such as government-issued IDs (e.g., Social Security Numbers, driver's licenses), financial account details, device identifiers (e.g., International Mobile Equipment Identity, media access control address), personal demographics and contact information, advertising IDs, account authentication details (e.g., usernames, passwords), network identifiers (e.g., IP addresses), and call-detail records.
• For geolocation and related sensor data, to only regulate transactions involving “precise geolocation data,” defined to mean data—whether real-time or historical—that identifies the physical location of an individual or a device (with a precision of within “X” number of meters/feet) based on electronic signals or inertial sensing units.
• For biometric identifiers, to mean measurable physical characteristics or behaviors used to recognize or verify the identity of an individual, including facial images, voice prints and patterns, retina and iris scans, palm prints and fingerprints, gait, and keyboard usage patterns that are enrolled in a biometric system and the templates created by the system.
• For Human ‘omic data, to cover data transactions only involving human genomic data. Human genomic data is a subcategory of human ‘omic data, a term defined in the EO to mean data generated from humans that characterizes or quantifies human biological molecules, such as human genomic data, epigenomic data, proteomic data, transcriptomic data, microbiomic data, or metabolomic data. In contrast, the term “human genomic data” means data representing the nucleic acid sequences that comprise the entire set or a subset of the genetic instructions found in a human cell, including the result or results of an individual’s genetic test and any related human genetic sequencing data.
• For personal health data, to cover data transactions involving individually identifiably health information, as the term is defined in other regulatory context to mean a type of health and demographic information that can identify an individual, created or received by entities like healthcare providers or employers. It pertains to an individual's health status, healthcare received, or payment for healthcare and either directly identifies the person or could reasonably be used to do so.
• For personal financial data, to mean data about an individual’s credit, charge, or debit card, or bank account, including purchases and payment history; data in a bank, credit, or other financial statement, including assets, liabilities and debts, and transactions; or data in a credit or consumer report.

The ANPRM stipulates that it is not designed to broadly include all personally identifiable information. Instead, the specific types of personal identifier data will be limited to combinations and specifically listed types of data that can be used by countries of concern to link data to individuals. Furthermore, data sets consisting of only demographic or contact information that is linked to another piece of demographic or contact data, such as names, addresses, and telephone numbers, will be excluded.

Similarly, network-based identifiers, account-authentication data, or call-detail data that is linked only to another network-based identifier, account-authentication data, or call-detail data for the provision of telecommunications, networking, or similar services, will be excluded.

Threshold Amounts

The program will regulate the six sensitive personal data categories only if a data set surpasses a threshold number of US persons or US devices. The ANPRM proposes to operationalize the thresholds as follows:

• For human genomic data, a range 100–1,000 US persons
• For biometrics identifiers, a range of 100–10,000 US persons or US devices
• For precise geolocation data, a range of 100–1,000 US persons or US devices
• For personal health data, a range of 1,000–1,000,000 US persons
• For personal financial data, a range of 1,000–1,000,000 US persons
• For covered personal identifiers, a range of 10,000–1,000,000 US persons

However, these thresholds do not apply to data transactions involving government-related data, which generally includes (1) any sensitive personal data that a transacting party markets as linked or linkable to current or recent former employees, contractors, senior officials of the US government, including the military and intelligence community; and (2) any precise geolocation data for any location within any area enumerated on a list of geofenced areas specified in a public list created through an interagency process and maintained by DOJ.

Covered Data Transactions

The ANPRM proposes to define “transaction” to mean any acquisition, holding, use, transfer, transportation, exportation of, or dealing in any property in which a foreign country or national thereof has an interest. A “covered data transaction,” in turn, is defined to mean any transaction that involves any bulk US sensitive personal data or government-related data and that involves

• a data brokerage, which means the sale of, licensing of access to, or similar commercial transactions involving the transfer of data from any person (the provider) to any other person (the recipient), where the recipient did not collect or process the data directly from the individuals linked or linkable to the collected or processed data;
• a vendor agreement, which includes any agreement or arrangement (other than an employment agreement) in which any person provides goods or services to another person, including cloud-computing services (e.g., infrastructure as a service, platform as a service, software as a service) in exchange for payment or other consideration;
• an employment agreement, which covers any agreement or arrangement in which an individual, other than as an independent contractor, performs work or performs job functions directly for a person in exchange for payment or other consideration, including employment on a board or committee, executive-level arrangements or services, and employment services at an operational level; or
• an investment agreement, which encompasses any agreement or arrangement in which any person, in exchange for payment or other consideration, obtains direct or indirect ownership interests in or rights in relation to (1) real estate located in the United States or (2) a US legal entity.

Pursuant to the EO, the program will further delineate “prohibited data transactions” versus “restricted data transactions.” The ANPRM contemplates outright prohibitions of (1) data-brokerage transactions involving the transfer of bulk US sensitive personal data or government-related data to countries of concern and covered persons, and (2) genomic-data transactions involving the transfer of bulk human genomic data or biospecimens from which such data can be derived.

However, the program will permit data transactions involving (1) vendor agreements that contain the provision of goods and services (including cloud-service agreements), (2) employment agreements, and (3) investment agreements, but only if these three types of transactions comply with certain cybersecurity requirements set by the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).

These cybersecurity requirements would be based on existing performance goals, guidance, practices, and controls implemented by CISA, US National Institute of Standards & Technology Cybersecurity Framework, and often include encryption requirements, logical and physical access control, data masking and minimization, the use of privacy-preserving technology, among other things.

Exempt Data Transactions

The program also proposes to exempt transactions related to personal communications (defined under 50 U.S.C. § 1702(b)(1)), informational materials (50 U.S.C. § 1702(b)(3)), financial services, payment processing, and regulatory compliance; ancillary business operations such as payroll and human resources within multinational US companies; US government activities and those of its contractors, employees, and grantees; and transactions mandated or permitted by federal law or international agreements (such as EU-US data privacy frameworks).

Additionally, the government is considering exempting certain investments that do not grant the type of rights or influence typically associated with national security risks, particularly in giving sensitive personal data access to countries or individuals that may pose risk.

Licensing and Advisory Opinions

As directed by the EO, the program will also involve a process for issuing both general and specific licenses, as well as to request for interpretive guidance in the form of advisory opinions. General licenses will provide DOJ with the flexibility to exempt certain types of transactions from regulation, modify the conditions of these transactions, or allow for phased terminations. Specific licenses will enable companies and individuals to seek exemptions for engaging in particular data transactions. DOJ will make these licensing decisions in agreement with other agencies including the US Departments of State, Commerce, and Homeland Security. Additionally, companies and individuals will have the option to seek advisory opinions on how the regulations might apply to specific transactions.

Compliance and Enforcement

The program involves a risk-based compliance program, similar to the risk-based approach to sanctions compliance programs recommended by the Treasury’s Office of Foreign Assets Control (OFAC). DOJ will lead the implementation and enforcement of the EO, collaborating closely with other agencies. The National Security Council will also provide input and feedback. The program does not aim to establish broad and uniform due diligence, recordkeeping, or reporting standards applicable across the entire US economy. Instead, the EO directs DOJ to adopt a familiar compliance framework akin to the IEEPA-based economic sanctions programs overseen by OFAC, under which companies and individuals are expected to design and implement compliance measures tailored to their specific risk profiles. These profiles will be influenced by various factors, including company size, level of sophistication, nature of products and services offered, customer base, and geographic reach.

The ANPRM contemplates imposing affirmative due diligence, recordkeeping, and reporting requirements (similar to the “know your customer” requirements associated with OFAC’s sanctions programs), only as a condition of engaging in a restricted covered transaction or as a condition of a general or specific license.

In the event of a violation, DOJ would evaluate the adequacy of the compliance program as part of any enforcement action taken. Furthermore, affirmative recordkeeping and reporting requirements would only be mandated in specific situations, such as a prerequisite for engaging in restricted transactions or pursuant to a general or specific license. The specific penalty for any particular violation will be fact-specific, and DOJ may pursue civil remedies, criminal remedies, or both, under IEEPA.

Enhancements of Existing National Security Programs

The EO outlines three additional measures to mitigate data-security risks. First, for telecommunications infrastructure, the EO tasks Team Telecom, led by the Office of the Attorney General, to prioritize the review of submarine cable system licenses linked to or located in countries of concern, issue policy guidance for license reviews, and address ongoing data security risks. Second, for the US healthcare market, the EO directs the US Departments of Defense, Health and Human Services, Veterans Affairs, and the US National Science Foundation to use their powers to prevent or limit the transfer of sensitive health and genomic data to problematic countries. Third, for consumer protection, the EO encourages the Consumer Financial Protection Bureau (CFPB) to tackle the national security risks posed by data brokers, including proceeding with rulemaking proposals under the Fair Credit Reporting Act as discussed in the CFPB’s September 2023 Small Business Advisory Review Panel.

DOJ explained in the ANPRM that it does not intend for the program to have significant overlap with existing authorities because they do not provide prospective, categorial rules to address the national security risks associated with bulk US sensitive personal data or government-related data. However, for investment agreements involving US entities and foreign entities from countries of concern that are also subject to review by CFIUS, the ANPRM proposes to regulate such investments as restricted covered data transactions independently, until and unless CFIUS intervenes with mitigation measures to address national security risks. If and when CFIUS acts—through measures such as orders or mitigation agreements—the specific investment agreement would no longer fall under the program’s purview.

Conclusion

This new step for data protection comes very late in this presidential administration’s term, and the White House and interagency will need to move quickly if they want to promulgate the new regulations before the end of 2024—and before a potential presidential transition. By way of comparison, the EO on outbound investment and its accompanying ANPRM were issued in early August, and more than six months later, Treasury has gathered public comments but has not yet issued a subsequent NPRM.

As noted above, the deadline to submit comments on the ANPRM is 45 days after the ANPRM is published in the Federal Register. Our assessment is that the White House, DOJ, and other agencies are genuinely interested in receiving input from industry, and companies and associations will want to strongly consider submitting comments in order to help the government scope the regulations in a way that achieves its desired results while avoiding unintended consequences and burdens in the process.