The Department of Justice (DOJ) has proposed a significant restriction on cross-border transfers of sensitive personal data to designated “countries of concern.” The goal is to address national security risks posed by transactions that could enable these countries to access sensitive U.S. personal and government data. The rule would:
- Prohibit data brokerage transactions that pose high national security risks with China, Russia, Iran, North Korea, Cuba and Venezuela, and with covered persons.
- Restrict certain vendor, employment and investor agreements involving countries of concern, unless the agreements meet certain security requirements.
- Require companies engaging in certain restricted transactions to establish risk-based compliance programs modeled on U.S. sanctions.
A Growing Risk
The proposed rule would implement Executive Order 14117, issued under the authority of the International Emergency Economic Powers Act (IEEPA), the authorizing statute for most U.S. sanctions programs. It seeks to address the mounting risk that countries of concern could use advanced technologies, such as artificial intelligence, to process large sets of sensitive personal data or U.S. government data.
The concern is that countries could use insights from processing the data to engage in malicious cyber-enabled or malign foreign influence activities. They could also track and build profiles of U.S. individuals, including members of the military and other federal employees and contractors, for illicit purposes such as blackmail and espionage.
The proposed rule would also address the risk that countries may use bulk sets of sensitive personal data to create or refine AI to improve their ability to exploit data.
What Companies Need to Know
The proposed rule would create an expansive new regulatory regime that restricts transactions involving bulk sensitive personal data and U.S. government data.
- The regime would build on efforts to protect sensitive personal data, including those of the Committee on Foreign Investment in the United States (CFIUS).
- CFIUS can prohibit specific foreign investments that pose a national security risk because of their connection to sensitive personal data.
- The proposed rule would establish broad prohibitions and restrictions rather than assessing transactions case-by-case.
- No new restrictions are to take effect immediately. The precise timing of a final rule or effective date remains unclear.
- The proposed rule would:
- Prohibit covered data brokerage transactions and any other transactions that provide a country of concern or covered persons access to bulk human genomic data or human biospecimens from which that data can be derived.
- Restrict other transactions, namely certain vendor, employment and investor agreements. Such agreements would need to meet security requirements set by the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security.
- Require companies engaging in restricted transactions to develop and implement risk-based compliance programs modeled on guidance issued by the Office of Foreign Assets Control (OFAC) commensurate with their size and sophistication, products and services, customers and counterparties and locations.
Who Would be Covered?
The proposed rule defines “covered persons” to include:
Entities that:
- are organized in a country of concern;
- have a principal place of business in a country of concern;
- are designated by DOJ as a covered person; or
- are 50% or more owned, directly or indirectly, by a country of concern or a covered person.
Individuals that:
- are employees or contractors of a country of concern or a covered person;
- are residents of China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba and Venezuela; or
- are designated by DOJ as a covered person.
The DOJ will maintain a public list of designated covered persons. The rule authorizes DOJ to designate persons on the basis of ownership or control by, or acting for or on behalf of, a covered person or country of concern. Being subject to the jurisdiction of a country of concern, or knowingly causing a violation of the rule, are also bases for designation. The proposed rule would let designated covered persons seek reconsideration and removal from the list.
U.S. persons seeking to identify whether a third party qualifies as a covered person will need to consult the DOJ’s list and conduct independent diligence to identify whether the person falls within the definition of a covered person.
What Data Would be Covered?
Bulk Sensitive Personal Data
1. Covered personal identifiers
The proposed rule sets out a list of identifiers, including government identification numbers, financial account numbers, device-based and hardware-based identifiers, demographic and contact data, advertising identifiers, account-authentication data, network-based identifiers and call-detail data.
These would be covered when combined with each other or with information disclosed pursuant to the transaction such that the identifier is linked or linkable to other listed identifiers or to other sensitive personal data.
2. Geolocation and related sensor data
Precise geolocation data would include real-time and historical data that identifies the physical location of an individual or a device with a precision of within 1,000 meters.
3. Biometric identifiers
These are “measurable physical characteristics or behaviors used to recognize or verify the identity of an individual, including facial images, voice prints and patterns, retina and iris scans, palm prints and fingerprints, gait and keyboard usage patterns that are enrolled in a biometric system and the templates created by the system.”
4. Human genomic data
This refers to the nucleic acid sequences that constitute a set or a subset of the genetic instructions in a human cell. This includes the results of an individual’s genetic test and related human genetic sequencing data.
5. Personal health data
The proposed rule expands the definition of “personal health data” beyond what the advance notice initially contemplated. The new definition would encompass:
- An individual’s physical or mental health or condition.
- The provision of health care to an individual, including payment information.
- Physical measurements and health attributes (such as bodily functions, height and weight, vital signs, symptoms and allergies).
- Social, psychological, behavioral, and medical diagnostic, as well as intervention and treatment history.
- Test results and logs of exercise habits.
- Data on immunization, reproductive and sexual health and the use or purchase of prescribed medications.
6. Personal financial data
This would include credit card and bank account data and information from financial statements and credit or consumer reports.
What is “bulk” data?
The rule would consider data in these categories “bulk” if the number of distinct U.S. persons (or, for precise geolocation data, U.S. devices) met or exceeded these thresholds in the preceding 12 months, whether through one transaction or across multiple transactions:
- Human genomic data: 100 U.S. persons
- Biometric identifiers: 1,000 U.S. persons
- Precise geolocation data: 1,000 U.S. devices
- Personal health data: 10,000 U.S. persons
- Personal financial data: 10,000 U.S. persons
- Covered personal identifiers: 100,000 U.S. persons
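The two points a practitioner implementing a data-transfer control most often gets wrong are that the thresholds aggregate across multiple transactions (so many small transfers to the same counterparty can add up to a bulk transfer) and that the count is of distinct persons or devices, not of records. The following Python is an added illustration, not part of the proposed rule or the authors' text; it uses a 365-day window as an approximation of “the preceding 12 months” and assumes each transferred record carries a stable, hypothetical subject identifier (for example a hashed person or device ID). Mapping real data to the rule's categories remains a legal determination.

```python
from collections import defaultdict
from datetime import date, timedelta

# Thresholds as stated in the proposed rule, measured in distinct U.S. persons
# (distinct U.S. devices for precise geolocation data).
BULK_THRESHOLDS = {
    "human_genomic": 100,
    "biometric": 1_000,
    "precise_geolocation": 1_000,   # counted in devices, not persons
    "personal_health": 10_000,
    "personal_financial": 10_000,
    "covered_identifiers": 100_000,
}

# Assumption: "preceding 12 months" approximated as a 365-day lookback.
LOOKBACK = timedelta(days=365)


def bulk_categories(transactions, as_of):
    """Return {category: distinct_count} for each category whose distinct
    subject count across all transactions dated within the lookback window
    ending at `as_of` meets or exceeds its threshold.

    Each transaction is a dict with keys "date" (datetime.date), "category"
    (one of BULK_THRESHOLDS) and "subjects" (iterable of hypothetical stable
    IDs). Subjects are deduplicated across transactions, which is what makes
    many small transfers add up to one bulk transfer.
    """
    window_start = as_of - LOOKBACK
    seen = defaultdict(set)
    for tx in transactions:
        if tx["category"] not in BULK_THRESHOLDS:
            raise ValueError(f"unknown data category: {tx['category']!r}")
        if window_start < tx["date"] <= as_of:
            seen[tx["category"]].update(tx["subjects"])
    return {
        cat: len(ids)
        for cat, ids in seen.items()
        if len(ids) >= BULK_THRESHOLDS[cat]
    }


def is_covered_transfer(transactions, as_of, marketed_as_gov_linked=False):
    """True if the transfer involves bulk sensitive personal data, or data that
    is marketed as linked or linkable to U.S. government personnel, to which
    no volume threshold applies under the proposed rule."""
    if marketed_as_gov_linked:
        return True
    return bool(bulk_categories(transactions, as_of))


def _ids(prefix, start, count):
    """Generate `count` hypothetical subject IDs starting at `start`."""
    return {f"{prefix}{i}" for i in range(start, start + count)}


# Constructed sample data for illustration only.
SAMPLE_TRANSACTIONS = [
    {"date": date(2024, 1, 15), "category": "human_genomic",
     "subjects": _ids("p", 0, 60)},
    # 50 persons, 10 of whom overlap with the January transfer: 100 distinct.
    {"date": date(2024, 6, 1), "category": "human_genomic",
     "subjects": _ids("p", 50, 50)},
    # Older than 12 months as of AS_OF, so excluded from the count.
    {"date": date(2023, 7, 1), "category": "personal_health",
     "subjects": _ids("h", 0, 2_000)},
    {"date": date(2024, 8, 1), "category": "personal_health",
     "subjects": _ids("h", 2_000, 9_000)},
    {"date": date(2024, 9, 1), "category": "precise_geolocation",
     "subjects": _ids("d", 0, 1_200)},
]
AS_OF = date(2024, 9, 30)

if __name__ == "__main__":
    # Genomic data reaches 100 distinct persons only across the two transfers;
    # health data stays at 9,000 once the stale transfer drops out of the window.
    print(bulk_categories(SAMPLE_TRANSACTIONS, AS_OF))
    print(is_covered_transfer(SAMPLE_TRANSACTIONS, AS_OF))
```

The aggregation set is keyed by subject rather than by record, so a counterparty that receives the same 60 genomes twice is not pushed over the threshold, while two disjoint 50-person batches are. A production control would also need to key the window per counterparty and per covered-person group, which the example omits.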
U.S. Government-related Data
The proposed rule defines “U.S. government-related data” as:
- Precise geolocation data for any location within an enumerated list of specific geofenced areas associated with military, government and other sensitive locations.
- Sensitive personal data, regardless of volume, that a transacting party markets as linked or linkable to current or recent former employees or contractors, or former senior officials, of the U.S. government, including those in the military and intelligence community.
What Transactions are Covered?
Prohibited Transactions
The proposed rule would prohibit three categories of “highly sensitive” covered data transactions:
- Data brokerage transactions with countries of concern or covered persons.
- Data brokerage transactions with non-covered foreign persons, unless the U.S. person contractually requires the foreign person to refrain from engaging in a covered data transaction involving the same data with a country of concern or covered person. The proposal would also require U.S. persons to report known or suspected violations of that contractual requirement.
- Transactions that provide a country of concern or covered person access to bulk human genomic data or human biospecimens from which human genomic data can be derived.
Restricted Transactions
The proposed rule would restrict certain covered data transactions by prohibiting them unless they comply with security requirements set by CISA. CISA recently proposed these requirements in a separate rulemaking proposal.
The proposed rule would restrict three categories of covered data transactions:
- Vendor agreements, including technology services and cloud service agreements such as Software-as-a-Service (SaaS).
- Employment agreements, including service on a board or committee, executive-level agreements and employment at an operational level.
- Investment agreements, including investments in U.S. real estate or legal entities.
Exempt Transactions
The proposed rule would exempt certain data transactions, including those:
- Involving personal communications.
- Involving importation and exportation of information or informational materials.
- Ordinarily incident to travel to or from any country.
- For the conduct of the official business of the U.S. government.
- Ordinarily incident to and part of the provision of financial services.
- Between a U.S. person and its subsidiaries and affiliates located in (or otherwise subject to the ownership, direction, jurisdiction, or control of) a country of concern, to the extent that the transactions are incidental to administrative or ancillary business operations.
- Required or authorized by Federal law or pursuant to an international agreement.
- Involving an investment agreement subject to a CFIUS action.
- Ordinarily incident to and part of the provision of telecommunications services.
- Involving “regulatory approval data” that is necessary to obtain or maintain regulatory approval to market a drug, biological product, device or combination product in a country of concern.
- Ordinarily incident to and part of clinical investigations regulated by the U.S. Food and Drug Administration (FDA), or the collection or processing of clinical care data necessary to support or maintain FDA authorization, provided the data is de-identified.
Enforcement and Compliance
The proposed rule sets the maximum civil penalty for violations at $368,136 or twice the amount of the violating transaction, whichever is larger. Criminal violations could trigger fines of up to $1 million and imprisonment of up to 20 years.
The proposal envisions a pre-penalty notice and an opportunity for people and companies to respond before a final decision is made. It would prohibit U.S. persons from “knowingly” violating the rule.
The proposed rule does not impose affirmative due diligence and recordkeeping requirements on every U.S. person in a covered data transaction with a covered person or country of concern. Rather, it imposes these requirements as a condition of engaging in a restricted transaction. However, the DOJ is likely to consider the adequacy of compliance programs in enforcement actions.
In addition, the proposed rule would establish processes to issue licenses authorizing some prohibited or restricted transactions.
What’s Next?
The proposed rule, if finalized, would mark a significant restriction by the United States on cross-border data transfers. Once a final rule takes effect, U.S. companies will likely need to develop and implement rigorous compliance programs based on their risk profiles.
Companies should:
- Assess the proposed rule’s potential impact on future transactions.
- Review the Framework for OFAC Compliance Commitments, given that the DOJ modeled compliance program requirements on the OFAC’s approach.
- Confirm compliance efforts with counsel.
Want to know more? Reach out to one of the authors (Elizabeth Zane, Shannon Yavorsky, Ben Hutten, Olivia Rauh, Cosmas Robless) or another member of the Orrick team.