DOJ's Advance Notice of Proposed Rulemaking (ANPRM) on the EO
On March 5, 2024, the DOJ published an Advance Notice of Proposed Rulemaking (ANPRM), which was closed for comment on April 19, 2024. The ANPRM introduced the structure and details of the initial program, in which the DOJ presented its proposal:
- Prohibiting U.S. persons (broadly defined) from engaging in classes of covered data transactions that pose an unacceptable risk to U.S. national security.
- Allowing some restricted transactions to proceed under certain conditions, including security requirements.
- Permitting certain covered transactions based on general or specific licenses.
- Exempting certain data transactions from the program's requirements.
Key Definitions
- U.S. Person: Any U.S. citizen, national, lawful permanent resident, refugee, or asylee, and any entity organized under U.S. laws, including its foreign branches.
- Covered Data Transaction: Any acquisition, holding, use, transfer, transportation, exportation of, or dealing in, property involving bulk U.S. sensitive personal data or government-related data, in which a foreign country or a national of one has an interest, and that involves (1) data brokerage, (2) a vendor agreement, (3) an employment agreement, or (4) an investment agreement.
- Countries of Concern: Countries identified as posing significant risks to U.S. national security, as determined by the Attorney General with the concurrence of the Secretaries of State and Commerce. The EO identified China, Russia, Iran, North Korea, Cuba, and Venezuela as engaging in conduct significantly adverse to U.S. national security.
- Covered Person: Entities or individuals linked to countries of concern, including:
  1. Entities at least 50% owned, directly or indirectly, by a country of concern, or organized under the laws of, or having their principal place of business in, a country of concern.
  2. Entities at least 50% owned, directly or indirectly, by an entity described in (1) or by a person described in (3), (4), or (5).
  3. Foreign persons who are employees or contractors of a country of concern or of an entity described in (1), (2), or (5).
  4. Foreign persons primarily residing in the territorial jurisdiction of a country of concern.
  5. Any person the DOJ designates as being controlled by or subject to the jurisdiction or direction of a country of concern, acting on behalf of or purporting to act on behalf of a country of concern or covered person, or knowingly causing or directing a violation of these regulations.
- Bulk Sensitive Personal Data: A collection or set of data relating to U.S. persons, in any format, whether anonymized, pseudonymized, de-identified, or encrypted, that involves the same foreign person or covered person. It includes human genomic data, biometric identifiers, precise geolocation data, personal health data, personal financial data, and covered personal identifiers, as well as data combined across these categories. The DOJ proposed bulk thresholds for each category, expressed as ranges of the number of U.S. persons or devices covered.
- Government-Related Data:
  - Precise geolocation data for any location within specific geofenced areas associated with military, government, or other sensitive facilities.
  - Sensitive personal data marketed as linked or linkable to current or recent former employees, contractors, or senior officials of the U.S. government, including the military and the Intelligence Community.
Prohibitions for Covered Transactions and Related Exemptions
The proposed rule would prohibit U.S. persons from knowingly:
- Engaging in covered data transactions with countries of concern or covered persons.
- Engaging in data brokerage transactions with foreign persons unless the U.S. person contractually requires the recipient to refrain from onward transfer of the same data to a country of concern or covered person.
- Engaging in any covered data transaction that provides a country of concern or covered person with access to bulk U.S. sensitive personal data consisting of human genomic data.
- Directing any covered data transactions that do not comply with security requirements established under the regulations.
The DOJ is considering creating exemptions from these prohibitions for data transactions involving certain kinds of data, official business transactions, financial services, payment-processing, and regulatory-compliance-related transactions, intra-entity transactions incident to business operations, and transactions required or authorized by federal law or international agreements.
Prohibited Data Transactions and Restricted Data Transactions
The DOJ identified two classes of prohibited data transactions: (1) data-brokerage transactions and (2) any transaction that provides a country of concern or covered person with access to bulk human genomic data. These prohibited transactions could still be authorized under the licensing regime proposed by the ANPRM. Restricted data transactions would fall within three classes: (1) vendor agreements (including agreements for technology services and cloud-service agreements), (2) employment agreements, and (3) investment agreements. The proposed security requirements for restricted transactions include basic organizational cybersecurity posture requirements, data minimization and masking, use of privacy-preserving technologies, development of information technology systems that prevent unauthorized disclosure, and implementation of logical and physical access controls, auditing, and annual testing.
Licensing
Under the proposed program, the DOJ is contemplating a licensing regime consisting of general and specific licenses. These licenses would enable relevant agencies to authorize otherwise prohibited covered data transactions.
Enforcement and Penalties
The compliance and enforcement program under consideration would grant full enforcement authority to the Attorney General and would be modeled on the Department of the Treasury's economic sanctions program under the International Emergency Economic Powers Act (IEEPA).
Conclusion
The EO and the ANPRM set an agenda for regulating the transfer of sensitive personal data outside U.S. borders. They address regulatory gaps and propose new standards that add another layer to existing privacy and security compliance obligations. As of July 27, 2024, the ANPRM had received 7,911 page views and garnered sixty-eight (68) responses via regulations.gov during the comment period. The DOJ is expected to issue a proposed rule by August 26, 2024, giving stakeholders another opportunity to participate in the rulemaking process and contribute to shaping the final rules.