On February 28, 2024, the Biden administration announced the creation of a new national security regulatory regime that will prohibit or restrict certain transactions involving bulk sensitive US personal data or government-related data and specified “countries of concern.” The Biden administration announced the regime in a new executive order, Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern (EO 14117), which was accompanied by an advance notice of proposed rulemaking (ANPRM) issued by the National Security Division (NSD) of the Department of Justice (DOJ), the component and agency with primary responsibility for implementing and enforcing the forthcoming regulations. The White House and DOJ also published fact sheets regarding the new regime.

Executive branch officials and members of Congress have long been concerned about the lack of a national security regulatory regime covering the transfer of sensitive US personal data to countries of concern, particularly China. As explained in EO 14117, such data has the potential to be used for a variety of nefarious purposes, including surveillance, extortion, and influence campaigns targeting US government employees and members of the US military, among others. The order highlights that such risks have become more acute due to the rapid advancement of artificial intelligence (AI) and its ability to analyze and manipulate data sets. Bulk sensitive personal data can also be used in the creation and refinement of AI models and other advanced technologies.

According to the White House, the EO is “the most significant executive action any President has ever taken to protect Americans’ data security.”

The public may submit comments on the ANPRM through April 19, 2024 and will likely have an additional opportunity to comment on the language contained in a proposed rule, once issued.

Although intended to be tailored in its scope, our initial assessment is that the new regulatory scheme, once fully implemented, will likely have a profound impact on a number of industries and entities around the world. At a minimum, it seems certain that regulatory compliance costs could be substantial, particularly on entities that have not previously focused on building out a risk-based compliance program in this or other related areas.

Key Takeaways:

  • Impacted Industries
    • The EO and associated regulatory regime will have a significant impact on a broad range of industries, including industries that have not traditionally been the focus of personal data or national security regulatory regimes. This includes companies such as mobile app and SaaS providers, makers of computers and mobile devices, makers of fitness trackers, healthcare providers, and financial institutions, among others.
    • The AI industry, specifically, may be impacted by the rules given the importance of using vast quantities of data to train AI models and the ability of AI models to review data to identify trends and make connections between seemingly unlinked data points.
  • Challenges for Global Companies
    • The contemplated regime may be particularly challenging for large global companies that have personnel located in the United States, who would be subject to the rules. Moreover, US persons working overseas likely will remain subject to the rules wherever located and be prohibited from approving or directing a transaction undertaken by a foreign entity, if that transaction would be prohibited if performed by a US person.
    • Although certain exemptions are contemplated, including one with regard to intra-entity transactions incident to business operations, it appears they will be relatively narrow in scope and are unlikely to fully address this issue with regard to large multinationals headquartered outside the US.
  • Low Threshold Levels
    • The ANPRM suggests DOJ anticipates setting relatively low volume thresholds for covered transactions, potentially capturing some sensitive personal data transactions involving as few as 100 US persons. For government-related data, as defined below, there is no threshold, meaning any quantity of such data would trigger the rules.
  • Role of DOJ
    • DOJ has long been a leader with respect to sensitive personal data issues, often serving as a co-lead agency within the Committee on Foreign Investment in the United States (CFIUS) when such transactions arise. Therefore, DOJ was in many ways a natural choice to oversee and administer this regime. With that said, DOJ has less experience implementing detailed national security regulatory regimes than other departments such as Commerce or Treasury. As such, much remains unknown about how DOJ will handle implementation of the regime going forward.
    • It is perhaps telling that the ANPRM cites other International Emergency Economic Powers Act (IEEPA)-based regulatory regimes, particularly those administered by Treasury’s Office of Foreign Assets Control (OFAC), as a model for certain definitions and processes that DOJ anticipates adopting as it stands up this new regulatory scheme.
  • Due Diligence Challenges
    • The contemplated regime is likely to present difficult due diligence challenges for companies, requiring complex data mapping exercises and detailed assessments of particular pieces of data. It will also require an understanding of a company’s business partners, vendors, suppliers, and customers who might have access to data during the course of business operations.
  • Compliance Programs
    • While DOJ is unlikely to require companies to adopt compliance programs in this area, in keeping with other national security regimes it seems likely to strongly encourage the adoption of risk-based compliance programs for affected entities and may treat the absence of a compliance program as an “aggravating factor” should a violation occur.
  • Overlap with CFIUS
    • The ANPRM acknowledges that the new regime would regulate certain “investment transactions,” which may also be “covered transactions” under CFIUS’s regulations. To avoid redundancy and inconsistency, the DOJ regime would cease to apply in the event CFIUS imposes mitigation measures on parties to a transaction or takes other specified actions. But CFIUS approval in the absence of mitigation would not have the same effect and separate consideration of EO 14117 and the new regulatory rules would be necessary.

Overview of Regime

The new regime, once implemented, will broadly prohibit certain transactions and impose restrictions on other transactions involving “bulk sensitive personal data” or “government-related data” and “covered persons” associated with “countries of concern.” The ANPRM uses the term “covered data transaction,” which it defines as, “any transaction that involves any bulk US sensitive personal data or government-related data and that involves: (1) data brokerage; (2) a vendor agreement; (3) an employment agreement; or (4) an investment agreement.” The ANPRM defines “transaction” broadly to mean “any acquisition, holding, use, transfer, transportation, exportation of, or dealing in any property in which a foreign country or national thereof has an interest.”

The ANPRM contemplates prohibiting certain “highly sensitive transactions” falling into two categories: (1) data brokerage transactions and (2) genomic data transactions involving the transfer of bulk human genomic data or biospecimens from which such data can be derived. It contemplates imposing restrictions on three categories of transactions, including: (1) vendor agreements involving the provision of goods and services (including cloud-service agreements); (2) employment agreements; and (3) investment agreements.

Perhaps anticipating industry concern, the EO and associated documents go to great lengths to clarify the various things that the EO does not do. For example, the ANPRM highlights that it does not “propose generalized data-localization requirements” nor seek to “broadly prohibit US persons from conducting commercial transactions with entities and individuals located in countries of concern or impose measures aimed at a broader decoupling….” Instead, the ANPRM reaffirms the Biden administration is “committed to promoting an open, global, interoperable, reliable, and secure Internet; promoting open, responsible scientific collaboration to drive innovation; protecting human rights online and offline; supporting a vibrant, global economy by promoting cross-border data flows to enable international commerce and trade; and facilitating open investment.”

Countries of Concern and Covered Persons

The ANPRM states that countries of concern are likely to include China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela, which is consistent with the approach taken in other newly created national security regulatory regimes, including the new Information and Communications Technology and Services (ICTS) rules administered by the Department of Commerce. See our blog post on the ICTS rules here.

The ANPRM indicates DOJ is likely to define “covered person” broadly to include:

  1. An entity that is 50 percent or more owned, directly or indirectly, by a country of concern, or that is organized or chartered under the laws of, or has its principal place of business in, a country of concern;
  2. An entity that is 50 percent or more owned, directly or indirectly, by an entity described in category (1) or a person described in categories (3), (4), or (5);
  3. A foreign person who is an employee or contractor of a country of concern or of an entity described in categories (1), (2), or (5);
  4. A foreign person who is primarily resident in the territorial jurisdiction of a country of concern; or
  5. Any person designated by the Attorney General as being owned or controlled by or subject to the jurisdiction or direction of a country of concern, or as acting on behalf of or purporting to act on behalf of a country of concern or covered person, or knowingly causing or directing a violation of these regulations.

With respect to specifically designated covered persons (category 5), DOJ is considering creating a public list of such persons, which the ANPRM explains will be “modeled on various sanctions designations lists maintained by OFAC.”

Prohibited Covered Data Transactions

As noted above, DOJ is contemplating a prohibition on two categories of transactions involving covered persons.

First, the ANPRM contemplates a prohibition on US persons knowingly engaging in a covered data transaction involving “data brokerage” with any foreign person unless the US person contractually requires that the foreign person refrain from engaging in a subsequent covered data transaction involving the same data with a country of concern or covered person. DOJ notes this is the only portion of the rules that is likely to regulate conduct involving third countries.

The term “data brokerage” is defined in the ANPRM to mean “the sale of, licensing of access to, or similar commercial transactions involving the transfer of data from any person (the provider) to any other person (the recipient), where the recipient did not collect or process the data directly from the individuals linked or linkable to the collected or processed data.”

Second, the ANPRM contemplates a prohibition on US persons knowingly engaging in “any covered data transaction with a country of concern or covered person that provides that country of concern or covered person with access to bulk US sensitive personal data that consists of human genomic data, or to human biospecimens from which such data could be derived.”

Importantly, “knowledge” will likely be defined to include both actual knowledge as well as “reason to know.”

In addition to these two prohibitions, DOJ is also likely to prohibit evasion of the rules, causing others to violate the rules, attempting to violate the rules, and conspiring to violate the rules, as is common under other programs based on IEEPA authority.

DOJ is also contemplating a prohibition on US persons “knowingly directing any covered data transaction that would be prohibited (including restricted transactions that do not comply with the security requirements) if engaged in by a US person.” This prohibition may pose challenges for non-US entities with US person employees. It is also similar to the restrictions on knowingly directing prohibited transactions contained in the recent ANPRM on outbound foreign investment, discussed in our recent blog post here, suggesting a trend toward prohibitions of this nature.

Restricted Covered Data Transactions

The ANPRM contemplates a prohibition on covered data transactions involving: (1) vendor agreements; (2) employment agreements; and (3) investment agreements, unless such transactions comply with certain security requirements enumerated in the rules. The precise security requirements remain “under development” and “will be available to the public at later date.” The ANPRM indicates the security requirements, which will be refined further in coordination with Homeland Security through a separate but related process, are likely to fall within three broad categories, indicating a restricted covered data transaction would be permissible if a US person:

  1. implements Basic Organizational Cybersecurity Posture requirements;
  2. conducts the covered data transaction in compliance with the following four conditions: (a) data minimization and masking; (b) use of privacy preserving technologies; (c) development of information-technology systems to prevent unauthorized disclosure; and (d) implementation of logical and physical access controls; and
  3. satisfies certain compliance-related conditions, such as retaining an independent auditor to perform annual testing and auditing of the requirements in (1) and (2) above, for so long as the US person relies on compliance with those conditions to conduct the restricted covered data transaction.

A “vendor agreement” means “any agreement or arrangement, other than an employment agreement, in which any person provides goods or services to another person, including cloud-computing services, in exchange for payment or other consideration.”

An “employment agreement” means “any agreement or arrangement in which an individual, other than as an independent contractor, performs work or performs job functions directly for a person in exchange for payment or other consideration, including employment on a board or committee, executive-level arrangements or services, and employment services at an operational level.”

An “investment agreement” means “any agreement or arrangement in which any person, in exchange for payment or other consideration, obtains direct or indirect ownership interests in or rights in relation to (1) real estate located in the United States or (2) a U.S. legal entity.”

DOJ is contemplating a number of broad, categorical exclusions of investment agreements that are “passive investments that do not convey the ownership interest or rights (including those that provide meaningful influence that could be used to obtain such access) that ordinarily pose an unacceptable risk to national security because they may give countries of concern or covered persons access to bulk sensitive personal data or government-related data.” For example, certain investments by limited partners in investment funds may fall within this exemption.

Covered Data

As noted above, covered data includes both “sensitive personal data” and “government-related data.”

The ANPRM contemplates six categories of “sensitive personal data,” including:

  1. certain enumerated covered personal identifiers;
  2. precise geolocation data;
  3. biometric identifiers;
  4. human genomic data;
  5. personal health data; and
  6. personal financial data.

Each of these categories is defined in considerable detail in the ANPRM and will likely be further refined in the proposed rule and final rule. Companies that may have data falling into one or more of the above categories would benefit from carefully reviewing those sections of the ANPRM.

In addition to sensitive personal data, covered data also includes certain government-related data and is likely to include: (1) sensitive personal data marketed as linked or linkable to current or recent former employees or contractors, or former senior officials, of the federal government, including the intelligence community and military and (2) geolocation data that is linked or linkable to certain sensitive locations within geofenced areas that DOJ will specify on a public list.

Bulk Data Thresholds

In most instances, to fall within the new rules a transaction would need to exceed certain bulk volumes defined by DOJ. While these thresholds will be refined as the rulemaking process progresses, DOJ indicates it is considering thresholds within the following ranges:

These ranges are relatively low and, particularly if DOJ uses the lower end of these ranges, a significant number of companies could fall within the new regime.

Importantly, the bulk data thresholds do not apply to US Government-related data, which would be regulated at any level.

Exemptions

The ANPRM contemplates a number of important exemptions, including with respect to certain financial transactions, transactions within multinational US companies, activities of the US government, and transactions required or authorized by federal law or international agreements. These exemptions may be critically important for some members of industry who would otherwise face significant operational challenges due to the new regulatory scheme.

Because the new regime will be based on statutory authority contained in IEEPA, DOJ states that the rules will also contain certain statutory exemptions including for personal communications and “information” and “informational materials,” among other exemptions.

Licensing, Advisory Opinions, and Procedures

As outlined in EO 14117, DOJ will develop a process to issue general and specific licenses authorizing certain transactions otherwise prohibited by the rules and will create an advisory opinion process. The ANPRM indicates DOJ will likely model this process, again, on the well-established process used by OFAC, as well as existing DOJ processes used for advisory opinions regarding the Foreign Corrupt Practices Act (FCPA) and the Foreign Agents Registration Act (FARA).

It will also create a process to add to, remove from, or modify the covered persons list, which the ANPRM explains “would be similar to the internal processes used by other United States Government agencies that make designations based on IEEPA authorities.” Designated persons would be able to challenge the validity of a designation or seek removal based on changed circumstances via that administrative process.

Compliance and Enforcement

The ANPRM explains, “With respect to due diligence and recordkeeping, the Department of Justice is considering a model in which US persons subject to the contemplated program employ a risk-based approach to compliance by developing, implementing, and routinely updating a compliance program.” US persons would not be affirmatively obligated to maintain such a program, but DOJ may consider failure to maintain an appropriate compliance program as an “aggravating factor” should a violation arise. This is similar to the approach used in other US national security regulatory regimes, including with respect to export controls and economic sanctions.

DOJ may, however, impose affirmative due diligence and recordkeeping requirements and, potentially, auditing requirements for US persons that engage in a restricted covered data transaction, after implementing the required security measures, or that engage in a transaction authorized pursuant to a general or specific license. DOJ may also require reporting requirements for US persons engaged in certain restricted covered data transactions.

With respect to penalties, the ANPRM contemplates the imposition of civil monetary penalties “similar to the processes followed by OFAC and CFIUS, with mechanisms for pre-penalty notice, an opportunity to respond, and a final decision.” Though not a stated focus of the ANPRM, it is fair to assume DOJ could choose to pursue any willful violations of the forthcoming regulations criminally, as it does with other IEEPA-based violations.

Interaction with CFIUS

With respect to restricted covered data transactions involving “investment agreements” there is potential for overlapping authority between CFIUS and the contemplated DOJ regime. To handle that overlap, the DOJ regime will likely apply “unless and until CFIUS enters into or imposes mitigation measures to resolve national-security risk arising from a particular covered transaction.” Notably, the DOJ regime would continue to apply to transactions reviewed by CFIUS and approved without mitigation measures, meaning the safe harbor obtained by CFIUS approval would not apply to the DOJ regime absent the imposition of relevant mitigation measures. Likewise, the new DOJ rules would not impact CFIUS regulations regarding jurisdiction over US sensitive personal data businesses.

Additional Measures Contained in EO 14117

In addition to the new regulatory regime outlined above, EO 14117 takes a number of other important steps that may impact companies in certain industries.

First, the EO directs Team Telecom, chaired by the Attorney General, to: (1) prioritize reviewing existing licenses for submarine cable systems owned or operated by country-of-concern entities or landing in a country of concern; (2) issue public guidance regarding reviews of license applications; and (3) take other steps to address data-security risks on an ongoing basis.

Second, the EO directs the Departments of Defense, Health and Human Services, and Veterans Affairs, and the National Science Foundation, to take measures under existing grantmaking and contracting authorities to prevent federal funding that supports the transfer of sensitive health data and human genomic data to countries of concern and covered persons (or to otherwise mitigation such transactions).

Third, the EO directs the Consumer Financial Protection Bureau (CFPB) to take measures to address the role data brokers play in contributing to national-security risks, including to pursue the rulemaking proposals that it identified at the September 2023 Small Business Advisory Panel for Consumer Reporting Rulemaking.

Next Steps and Path Ahead

The ANPRM seeks comments on 114 specific questions, reflecting the complex nature of the new regime and its potential to significantly impact companies in a range of industries. Comments on the ANPRM are due by April 19, 2024. We anticipate that DOJ will publish a proposed rule after reviewing and considering comments on the ANPRM, and will allow industry an additional opportunity to comment on the proposed rule, once issued.

***

For assistance in submitting a comment or questions regarding this development generally please contact a member of our Export Controls Practice, National Security Practice or AI, Data, and Digital Practice.