In a significant move to safeguard sensitive personal data of US persons, President Joseph Biden issued an executive order (EO) titled Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern. Concurrent with the EO, the US Department of Justice’s (DOJ’s) National Security Division published a draft Advance Notice of Proposed Rulemaking (ANPRM) to establish a program to implement the EO and to solicit public comments.
Under the new regime, even many companies that do not think of themselves as data companies will face new restrictions on business activities that could result in the transfer of certain data to designated countries. The program aims to safeguard a wide array of sensitive personal data that may be transferred to countries the US government identifies as posing particular concern, whether through data aggregators, investment relationships, vendor agreements, or employment agreements. The program represents the next step in what has generally been an incremental approach by the US government to address the risk to data, particularly as that risk relates to national security interests.
Although the program is designed to fill a gap in current legal authorities, both the EO and ANPRM draw heavily from related government efforts to protect data in other contexts. In particular, it is evident that in conceptualizing and developing the program, the White House and the interagency took into consideration both the tools and the limitations of at least four existing regulatory processes:
In fact, the new EO explicitly states that it expands the scope of the national emergency declared in EO 13873 in order to counter the “unusual and extraordinary threat” by certain countries of concern to access and exploit Americans’ bulk sensitive personal data and US government-related data.
One of us (David) was the original drafter of EO 13873 at DOJ, and that authority was intended to provide jurisdiction over transactions not covered by CFIUS, Team Telecom, or other authorities. The new EO, in turn, regulates transactions potentially outside the scope of EO 13873—as well as those other authorities—and thereby adds another brick to the wall the government has been gradually building to keep certain data from getting transferred to China and other “countries of concern.”
This LawFlash provides a summary of some of the key elements of the program—see the Key Elements of the Program section below—but at the outset we note a few especially significant considerations:
Leadership
The EO designates DOJ as the lead agency in this initiative, and indications are that DOJ’s role will be carried out through its National Security Division (NSD), and specifically NSD’s Foreign Investment Review Section (FIRS). One of us (David again) previously ran FIRS while at DOJ, and based on that experience, we assess that DOJ was likely selected to lead this policy initiative based on FIRS’s extensive involvement in identifying and addressing risk to sensitive personal data in the context of CFIUS and Team Telecom reviews. Although DOJ will coordinate as needed with interagency partners, including the DOC, putting a law enforcement and national security agency in charge of this effort, rather than an agency with a primarily economic mission, may presage aggressive use of the new legal authority.
Process
Unlike CFIUS and Team Telecom, the ANPRM provides that transactions will not be reviewed by the government on a case-by-case basis. Rather, the regulations will establish generally applicable rules for engaging in specific categories of data transactions, and companies will be responsible for deciding on their own whether transactions are covered and—as discussed in more detail below—will be subject to enforcement actions if they decide incorrectly. This element of the new regime is similar to EO 14105, issued last summer to establish new restrictions on US outbound investment in China (often referred to, although somewhat inaccurately, as a “reverse CFIUS” regime).
Although those regulations remain pending with the US Department of the Treasury (Treasury), one potential concern is the compliance jeopardy for companies. Perhaps in recognition of those concerns, the program provides that although transactions will not be reviewed by the government, there will be mechanisms for companies to seek licenses and advisory opinions in advance of engaging in a transaction. The program also exempts transactions that are incidental and ordinary to companies’ daily operations to further limit unintended consequences.
Countries of Concern
The program specifically identifies six “countries of concern,” aligning with the DOC’s designation of the same six “foreign adversaries” pursuant to its EO 13873 authorities—but in contrast to EO 14105 on outbound investment, which named only China. Currently, the six countries of concern are China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela.
Covered Persons
The program defines four categories of covered persons, which are (1) “an entity owned by, controlled by, or subject to the jurisdiction or direction of a country of concern”; (2) “a foreign person who is an employee or contractor of such an entity”; (3) “a foreign person who is an employee or contractor of a country of concern”; and (4) “a foreign person who is primarily resident in the territorial jurisdiction of a country of concern.”
However, the program specifically excludes US citizens, lawful permanent residents, those located in the United States, and any entity organized solely under US laws and jurisdiction. The EO also authorizes DOJ to publish a public list designating other specific entities or individuals as covered persons if they meet certain criteria, such as being owned or controlled by or subject to the jurisdiction or direction of a country of concern or acting on behalf of a country of concern or another covered person.
Categories of Sensitive Personal Data
The EO’s definition of “sensitive personal data” covers six defined categories of bulk US sensitive personal data, or any combination thereof. Those categories are (1) covered personal identifiers, (2) geolocation and related sensor data, (3) biometric identifiers, (4) human ‘omic data (that is not a typo; see explanation below), (5) personal health data, and (6) personal financial data. The ANPRM proposes to further define these categories:
The ANPRM stipulates that it is not designed to broadly include all personally identifiable information. Instead, the specific types of personal identifier data will be limited to combinations and specifically listed types of data that can be used by countries of concern to link data to individuals. Furthermore, data sets consisting of only demographic or contact information that is linked to another piece of demographic or contact data, such as names, addresses, and telephone numbers, will be excluded.
Similarly, network-based identifiers, account-authentication data, or call-detail data that is linked only to another network-based identifier, account-authentication data, or call-detail data for the provision of telecommunications, networking, or similar services, will be excluded.
Threshold Amounts
The program will regulate the six sensitive personal data categories only if a data set surpasses a threshold number of US persons or US devices. The ANPRM proposes to operationalize the thresholds as follows:
However, these thresholds do not apply to data transactions involving government-related data, which generally includes (1) any sensitive personal data that a transacting party markets as linked or linkable to current or recent former employees, contractors, senior officials of the US government, including the military and intelligence community; and (2) any precise geolocation data for any location within any area enumerated on a list of geofenced areas specified in a public list created through an interagency process and maintained by DOJ.
Covered Data Transactions
The ANPRM proposes to define “transaction” to mean any acquisition, holding, use, transfer, transportation, exportation of, or dealing in any property in which a foreign country or national thereof has an interest. A “covered data transaction,” in turn, is defined to mean any transaction that involves any bulk US sensitive personal data or government-related data and that involves
Pursuant to the EO, the program will further delineate “prohibited data transactions” versus “restricted data transactions.” The ANPRM contemplates outright prohibitions of (1) data-brokerage transactions involving the transfer of bulk US sensitive personal data or government-related data to countries of concern and covered persons, and (2) genomic-data transactions involving the transfer of bulk human genomic data or biospecimens from which such data can be derived.
However, the program will permit data transactions involving (1) vendor agreements for the provision of goods and services (including cloud-service agreements), (2) employment agreements, and (3) investment agreements, but only if these three types of transactions comply with certain cybersecurity requirements set by the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).
These cybersecurity requirements would be based on existing performance goals, guidance, practices, and controls implemented by CISA and on the US National Institute of Standards and Technology (NIST) Cybersecurity Framework, and would typically include encryption requirements, logical and physical access controls, data masking and minimization, and the use of privacy-preserving technology, among other measures.
Exempt Data Transactions
The program also proposes to exempt transactions related to personal communications (defined under 50 U.S.C. § 1702(b)(1)), informational materials (50 U.S.C. § 1702(b)(3)), financial services, payment processing, and regulatory compliance; ancillary business operations such as payroll and human resources within multinational US companies; US government activities and those of its contractors, employees, and grantees; and transactions mandated or permitted by federal law or international agreements (such as EU-US data privacy frameworks).
Additionally, the government is considering exempting certain investments that do not grant the type of rights or influence typically associated with national security risks, particularly in giving sensitive personal data access to countries or individuals that may pose risk.
Licensing and Advisory Opinions
As directed by the EO, the program will also involve a process for issuing both general and specific licenses, as well as a process for requesting interpretive guidance in the form of advisory opinions. General licenses will provide DOJ with the flexibility to exempt certain types of transactions from regulation, modify the conditions of these transactions, or allow for phased terminations. Specific licenses will enable companies and individuals to seek exemptions for engaging in particular data transactions. DOJ will make these licensing decisions in agreement with other agencies, including the US Departments of State, Commerce, and Homeland Security. Additionally, companies and individuals will have the option to seek advisory opinions on how the regulations might apply to specific transactions.
Compliance and Enforcement
The program involves a risk-based compliance program, similar to the risk-based approach to sanctions compliance programs recommended by the Treasury’s Office of Foreign Assets Control (OFAC). DOJ will lead the implementation and enforcement of the EO, collaborating closely with other agencies. The National Security Council will also provide input and feedback. The program does not aim to establish broad and uniform due diligence, recordkeeping, or reporting standards applicable across the entire US economy. Instead, the EO directs DOJ to adopt a familiar compliance framework akin to the IEEPA-based economic sanctions programs overseen by OFAC, under which companies and individuals are expected to design and implement compliance measures tailored to their specific risk profiles. These profiles will be influenced by various factors, including company size, level of sophistication, nature of products and services offered, customer base, and geographic reach.
The ANPRM contemplates imposing affirmative due diligence, recordkeeping, and reporting requirements (similar to the “know your customer” requirements associated with OFAC’s sanctions programs), only as a condition of engaging in a restricted covered transaction or as a condition of a general or specific license.
In the event of a violation, DOJ would evaluate the adequacy of the compliance program as part of any enforcement action taken. Furthermore, affirmative recordkeeping and reporting requirements would only be mandated in specific situations, such as a prerequisite for engaging in restricted transactions or pursuant to a general or specific license. The specific penalty for any particular violation will be fact-specific, and DOJ may pursue civil remedies, criminal remedies, or both, under IEEPA.
Enhancements of Existing National Security Programs
The EO outlines three additional measures to mitigate data-security risks. First, for telecommunications infrastructure, the EO tasks Team Telecom, led by the Office of the Attorney General, to prioritize the review of submarine cable system licenses linked to or located in countries of concern, issue policy guidance for license reviews, and address ongoing data security risks. Second, for the US healthcare market, the EO directs the US Departments of Defense, Health and Human Services, Veterans Affairs, and the US National Science Foundation to use their powers to prevent or limit the transfer of sensitive health and genomic data to problematic countries. Third, for consumer protection, the EO encourages the Consumer Financial Protection Bureau (CFPB) to tackle the national security risks posed by data brokers, including proceeding with rulemaking proposals under the Fair Credit Reporting Act as discussed in the CFPB’s September 2023 Small Business Advisory Review Panel.
DOJ explained in the ANPRM that it does not intend for the program to have significant overlap with existing authorities because those authorities do not provide prospective, categorical rules to address the national security risks associated with bulk US sensitive personal data or government-related data. However, for investment agreements involving US entities and foreign entities from countries of concern that are also subject to review by CFIUS, the ANPRM proposes to regulate such investments as restricted covered data transactions independently, until and unless CFIUS intervenes with mitigation measures to address national security risks. If and when CFIUS acts—through measures such as orders or mitigation agreements—the specific investment agreement would no longer fall under the program’s purview.
This new step for data protection comes very late in this presidential administration’s term, and the White House and interagency will need to move quickly if they want to promulgate the new regulations before the end of 2024—and before a potential presidential transition. By way of comparison, the EO on outbound investment and its accompanying ANPRM were issued in early August, and more than six months later, Treasury has gathered public comments but has not yet issued a subsequent NPRM.
As noted above, the deadline to submit comments on the ANPRM is 45 days after the ANPRM is published in the Federal Register. Our assessment is that the White House, DOJ, and other agencies are genuinely interested in receiving input from industry, and companies and associations will want to strongly consider submitting comments in order to help the government scope the regulations in a way that achieves its desired results while avoiding unintended consequences and burdens in the process.