Department of Justice Issues Proposed Rule to Regulate Certain Bulk U.S. Sensitive Personal Data and Government-Related Data Transactions
October 29, 2024, Covington Alert
Summary
On October 21, 2024, the Department of Justice (“DOJ”) issued a Notice of Proposed Rulemaking (“NPRM” or “Proposed Rule”), published in the federal register today, further developing the contemplated implementing regulations for the February 28, 2024 Executive Order on “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” (the “EO”)—setting the United States on the path to begin regulating the collection and transfer of certain types of personal data from a national security standpoint and drawing enforceable lines related to such data between the United States and certain countries of concern, including the People’s Republic of China (“PRC” or “China”). The Proposed Rule is, in effect, an effort at insulating certain types of personal data of Americans from PRC-related risk, and along with other developments, such as the Commerce Department’s proposed rule on connected vehicles and the Treasury Department’s proposed rule on outbound investment, reflects a trend of the United States more aggressively using national security regulations to advance “selective decoupling” policy objectives.
As a reminder, and by way of background, the NPRM follows the Advance Notice of Proposed Rulemaking (“ANPRM”), issued on February 28, 2024, which set out a framework for the proposed regulations and solicited comments. DOJ addressed comments received in response to the ANPRM and solicited additional comments to refine certain provisions. Comments in response to the NPRM will be due on November 29, 2024.
In parallel with the release of the NPRM, the Cybersecurity and Infrastructure Security Agency (“CISA”), which is part of the Department of Homeland Security (“DHS”), issued “Proposed Security Requirements for Restricted Transactions” (the “Security Requirements”), which detail the requirements that U.S. companies will need to meet in order to engage in restricted transactions—i.e., those classes of transactions that would be prohibited under the Proposed Rule unless certain mitigation measures, including the Security Requirements, are implemented. The Security Requirements were also issued on October 21, 2024 and published today in the Federal Register, and will be separately open for public comment until November 29, 2024.
As detailed in our client alert regarding the ANPRM, the Proposed Rule will establish a new regulatory regime led by DOJ’s National Security Division to address the U.S. national security risks arising from foreign adversary access to U.S. sensitive personal data. The impetus for the EO and the Proposed Rule is a perception within U.S. national security agencies that existing U.S. law is not sufficient to address those concerns. The NPRM sets forth a new national security-based regulatory regime governing the collection and transfer of personal data that could have far-reaching implications across an array of companies and industries—both in the United States and globally. For example, a U.S. company that collects human genomic data may be prohibited from sharing such data with a subsidiary or partner in China with which the U.S. company is collaborating. Further, a U.S. company focused on software development may be restricted from transferring sensitive personal data to a subsidiary in China for purposes of further product development. And, where a U.S. company collects U.S. sensitive personal data covered by the Proposed Rule, and licenses that data to an affiliate in China, such transaction could be prohibited even if such license is not for purposes of monetization.
Notably, DOJ affirmed in the preamble that the Proposed Rule is a national security regulation and not a new data privacy regime. This distinction informed many of DOJ’s responses to comments received in response to the ANPRM, including comments that suggested that the objective of the Proposed Rule would be better served by the passage of a comprehensive federal privacy law. While privacy measures and national security measures are complementary protections for Americans’ sensitive personal data—and may have some overlap—DOJ noted that they focus on fundamentally different policy interests and require different regulatory solutions. DOJ distinguished these different policy interests by stating that privacy protections are focused on addressing individual rights and preventing individual harms, whereas national security measures focus on collective risks and externalities that may result from how individuals and businesses choose to sell and use their data, even in lawful and legitimate ways.
As such, DOJ maintained the fundamental framework proposed in the ANPRM, and largely rejected suggestions to borrow or incorporate aspects of various privacy laws in the Proposed Rule.
At the same time, the Proposed Rule offers more clarity with respect to various issues raised by commenters, including through the clarification of certain defined terms and the addition or expansion of certain exemptions. It also further details the compliance obligations to be imposed on U.S. businesses, including reporting obligations and enhanced cybersecurity, data security, and third-party auditing requirements for those U.S. entities seeking to engage in restricted transactions. The additional detail provides a greater sense of the potential scope and application of the Proposed Rule, though there remain ambiguities that will make it challenging for some companies to assess fully their compliance obligations under the new regime.
Discussion
Overview of Prohibitions and Restrictions
The overall structure of the Proposed Rule is broadly unchanged from the ANPRM. As directed by the EO, the NPRM regulates covered data transactions—which the Proposed Rule defines as any transaction that involves access to any government-related data or bulk U.S. sensitive personal data and (1) data brokerage; (2) a vendor agreement; (3) an employment agreement; or (4) an investment agreement. But for one exception described below, the prohibitions and restrictions apply only when those covered data transactions are between a U.S. person and a country of concern or covered person.
The list of countries of concern remains the same as the ANPRM, and includes China (including Hong Kong and Macau), Russia, North Korea, Iran, Cuba, and Venezuela. DOJ also chose not to make changes to the covered person definition, meaning that it extends not only to, for example, Chinese subsidiaries of U.S. or other non-Chinese companies, but could also capture any entity that is 50 percent or more owned by such entity, any foreign person who is an employee of such entity, or any foreign person that is an individual primarily resident in a country of concern. As in the ANPRM, DOJ stated in the preamble to the Proposed Rule that nationals of any country of concern located in the United States would be treated as U.S. persons—not covered persons—unless otherwise designated by the Attorney General. Similarly, a U.S. entity—even if ultimately owned or controlled by a covered person—would be considered a U.S. person unless designated otherwise.
In addition to any volume of U.S. government-related data, the following categories of sensitive personal data would be regulated pursuant to the NPRM at the corresponding “bulk” thresholds, with “bulk” defined as any amount of sensitive personal data that meets or exceeds the following thresholds at any point in the preceding 12 months, whether through a single transaction or aggregated across transactions involving the same U.S. person and the same foreign person or covered person:
| Data Category | Bulk Threshold |
| --- | --- |
| Human genomic data | More than 100 U.S. persons |
| Biometric identifiers | More than 1,000 U.S. persons |
| Precise geolocation data | More than 1,000 U.S. devices |
| Personal health data | More than 10,000 U.S. persons |
| Personal financial data | More than 10,000 U.S. persons |
| Covered personal identifiers | More than 100,000 U.S. persons |
| Combined data | Any collection or set of data that contains more than one of the categories above, or that contains any listed identifier linked to categories above excluding covered personal identifiers, where any individual data type meets the threshold number of persons or devices collected or maintained in the aggregate for the lowest number of U.S. persons or U.S. devices in that category of data. |
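The threshold rule above is a rolling calculation rather than a one-time count: a U.S. person must look back over the preceding 12 months and aggregate across its transactions with the same counterparty. The following Python is an added illustration, not DOJ's or CISA's code, of how a compliance team might run that check over an internal transfer ledger. It assumes a 365-day window for "preceding 12 months", assumes each logged count is of distinct U.S. persons or devices not already counted in the pair's other transfers, and reads the combined-data row as "bulk if more than one category is present and any category's count exceeds the lowest threshold among those present". The ledger entries, party names and categories are constructed sample data.

```python
"""Rolling 12-month bulk-threshold check over a constructed transfer ledger.

Added example illustrating the NPRM thresholds; not DOJ/CISA code.
Assumptions (labelled in comments): 365-day lookback, distinct counts per
transfer, and the combined-data reading described in the lead-in.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Bulk thresholds from the NPRM table; all are "more than" N (strict).
BULK_THRESHOLDS = {
    "human_genomic": 100,
    "biometric": 1_000,
    "precise_geolocation": 1_000,        # measured in U.S. devices
    "personal_health": 10_000,
    "personal_financial": 10_000,
    "covered_personal_identifiers": 100_000,
}

LOOKBACK = timedelta(days=365)  # assumption: "preceding 12 months" = 365 days


@dataclass(frozen=True)
class Transfer:
    when: date
    us_person: str
    counterparty: str       # the foreign person or covered person
    counts: dict            # category -> distinct U.S. persons/devices


def aggregate(transfers, us_person, counterparty, as_of):
    """Sum per-category counts over the pair's transfers in the window
    (as_of - 365 days, as_of]. Assumes counts in separate transfers are
    of distinct persons/devices (no de-duplication across transfers)."""
    totals = defaultdict(int)
    for t in transfers:
        if (t.us_person, t.counterparty) != (us_person, counterparty):
            continue
        if as_of - LOOKBACK < t.when <= as_of:
            for cat, n in t.counts.items():
                totals[cat] += n
    return dict(totals)


def is_bulk(totals):
    """Return (is_bulk, reason) for aggregated per-category totals."""
    present = [c for c in totals if c in BULK_THRESHOLDS and totals[c] > 0]
    # Single-category test: any category over its own threshold.
    for cat in present:
        if totals[cat] > BULK_THRESHOLDS[cat]:
            return True, f"{cat}: {totals[cat]} exceeds {BULK_THRESHOLDS[cat]}"
    # Combined-data test (this example's reading of the last table row):
    # more than one category present, measured against the lowest threshold
    # among the categories in the set.
    if len(present) > 1:
        floor = min(BULK_THRESHOLDS[c] for c in present)
        for cat in present:
            if totals[cat] > floor:
                return True, (f"combined data: {cat} count {totals[cat]} "
                              f"exceeds lowest applicable threshold {floor}")
    return False, "below bulk thresholds"


def check_pair(transfers, us_person, counterparty, as_of):
    """Convenience wrapper: aggregate the pair's window, then apply is_bulk."""
    return is_bulk(aggregate(transfers, us_person, counterparty, as_of))


# Constructed sample ledger (fictional parties and volumes).
SAMPLE_LEDGER = [
    Transfer(date(2024, 1, 15), "Acme Health Inc", "Affiliate-CN",
             {"personal_health": 6_000}),
    Transfer(date(2024, 6, 1), "Acme Health Inc", "Affiliate-CN",
             {"personal_health": 5_000}),
    Transfer(date(2024, 9, 1), "Acme Health Inc", "Vendor-DE",
             {"personal_health": 9_000}),
    Transfer(date(2024, 8, 1), "Acme Labs", "Affiliate-CN",
             {"human_genomic": 60, "personal_health": 500}),
]

if __name__ == "__main__":
    for us, cp in [("Acme Health Inc", "Affiliate-CN"),
                   ("Acme Health Inc", "Vendor-DE"),
                   ("Acme Labs", "Affiliate-CN")]:
        print(us, "->", cp, check_pair(SAMPLE_LEDGER, us, cp, date(2024, 10, 21)))
```

Two behaviours are worth noticing when running it: the two Acme Health transfers to the same affiliate are individually under 10,000 but aggregate to 11,000 and therefore cross the threshold, while the 9,000-record transfer to a different counterparty does not; and the Acme Labs set, where neither genomic nor health data meets its own threshold, is still bulk under the combined-data reading because health data exceeds the genomic floor of 100. Evaluating the same Acme Health pair a year later drops the January transfer out of the window and the pair falls back under the threshold, which is why the evaluation date is an input rather than "today".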
Prohibited transactions would include the following covered data transactions undertaken by a U.S. person:
- Any covered data transaction involving data brokerage with a covered person or a country of concern. Importantly, the term “data brokerage” is very broadly defined and encompasses a range of transactions that most businesses would not consider “brokering” transactions in the traditional commercial sense.
Note: The preamble to the Proposed Rule acknowledges several comments to the ANPRM on the contemplated definition of “data brokerage” which means the “sale of data, licensing of access to data, or similar commercial transactions involving the transfer of data from any person to another person, where the recipient did not collect or process the data directly from the individuals linked or linkable to the collected or processed data.” Specifically, commenters referenced a lack of clarity about the definition’s scope and failure to distinguish between businesses selling data for monetary purposes versus businesses transferring data pursuant to normal business operations, i.e., where the data is the object of the transaction versus where it is incidental to the development, testing, or sale of a product or service. DOJ declined to revise this definition, noting that the definition is intentionally designed to address the activity of data brokerage that gives rise to national security risk, regardless of the kind of entity that engages in it.
- Any covered data transaction that involves access by a covered person to bulk U.S. human genomic data, or to human biospecimens from which bulk human genomic data could be derived.
Note: In commentary that is particularly salient for the life sciences industry, the preamble to the Proposed Rule clarifies that covered data transactions involving human genomic data as part of vendor, investment, or employment agreements will be prohibited if they involve human genomic data, even though such covered data transactions are otherwise only restricted. As discussed below, however, DOJ proposed exemptions for certain regulatory submissions pertaining to drug, biological, and medical device products, and certain transactions related to clinical investigations and post-marketing surveillance.
- A covered data transaction involving data brokerage with any foreign person that is not a covered person, unless the U.S. person imposes contractual commitments on the foreign person not to engage in a subsequent transaction involving that data with a country of concern or covered person.
Note: DOJ stated it expects U.S. persons to take reasonable steps to evaluate whether their foreign counterparties are complying with the contractual provision as part of implementing risk-based compliance programs under the Proposed Rule. The Proposed Rule also adds a requirement for U.S. persons engaged in such transactions to report any known or suspected violations of the required contractual provision to DOJ.
Any transaction structured for purposes of evading or circumventing the regulations would also be prohibited.
Restricted transactions would include any covered data transaction involving a vendor agreement, employment agreement, or investment agreement with a country of concern or covered person, unless the U.S. person party to the transaction adopts compliance measures specified by the NPRM, including the CISA Security Requirements incorporated by reference.
While the definitions of vendor, employment, and investment agreements remain largely unchanged from the ANPRM, DOJ did introduce specific exceptions for investment agreements, noting that the following would not constitute an “investment agreement” under the Proposed Rule:
- Investments made into a publicly traded security or into a security offered by an investment company, such as an index fund, or any company that has elected to be regulated or is regulated as a business development company;
- Investments as a limited partner into a venture capital fund, private equity fund, fund of funds, or other pooled investment fund, if the limited partner’s contribution is solely capital and the limited partner does not have formal or informal ability to influence the fund’s decision making or operations;
- An investment that affords a covered person less than 10% in total voting and equity interest in a U.S. person; and
- An investment that does not afford a covered person rights beyond those considered to be standard minority shareholder protections.
Clarification of Key Provisions and Exemptions
The Proposed Rule included a number of clarifications or changes to definitions and exemptions that were first discussed in the ANPRM, and we have highlighted some of the most notable ones below.
Covered Person. As noted above, the NPRM did not change the definition of “covered person.” Moreover, DOJ addressed suggestions from comments that it create exceptions for certain “trusted” companies or subsidiaries of U.S. companies in a country of concern. DOJ declined to do so, noting that national security risks exist regardless of the nature or trustworthiness of entities that engage in certain activities, because countries of concern have the legal authority or political systems to force, coerce, or influence entities in their jurisdictions to share their data and access with the government.
Corporate Group Transactions. The Proposed Rule exempts covered data transactions to the extent that they are (1) between a U.S. person and its subsidiary or affiliate located in (or otherwise subject to the ownership, direction, jurisdiction, or control of) a country of concern; and (2) ordinarily incident to and part of administrative or ancillary business operations. Some commenters sought greater clarity on how to draw the line between what may or may not be in scope for this exemption (which the ANPRM referred to as “intra-entity exemptions”), and the Proposed Rule provides an illustrative list that includes, for example, human resources, payroll, paying business taxes or fees, obtaining business permits or licenses, customer support, and employee benefits, among others. It does not appear that DOJ intends to exempt substantive operations-related activity (e.g., product development) under this exemption.
Life Sciences. Under the Proposed Rule, certain data transactions necessary to obtain and maintain regulatory approval to research or market a drug, biological, medical device, or combination product in a country of concern would be exempt from the NPRM’s prohibitions and restrictions, though still subject to recordkeeping and reporting requirements. This exemption would be limited to data that is de-identified (undefined), required by a regulatory entity, and “reasonably necessary to evaluate the safety and effectiveness” of the product. The exemption is intended to apply beyond the initial regulatory approval process, to include post-market clinical investigations and product surveillance activities, as well as supplemental applications for additional uses. DOJ stated, “[t]he exemption applies even where [U.S. Food and Drug Administration (“FDA”)] authorization for a product has not been sought or obtained.”
To address concerns in comments to the ANPRM about the impact of the data transaction prohibitions and restrictions on clinical investigations in countries of concern and biopharmaceutical innovation, the NPRM contains an exemption for certain data transactions in connection with clinical investigations and post-marketing surveillance data. This exemption would include: (1) data transactions that are “ordinarily incident to and part of” clinical investigations regulated by FDA or that support research or marketing applications to FDA for drugs, biological products, medical devices, combination products, or infant formula; and (2) data transactions involving de-identified data that are “ordinarily incident to and part of” the collection of clinical care data indicating real-world performance or safety of products, or post-marketing surveillance data, where necessary to support or maintain authorization by FDA. In the preamble to the Proposed Rule, DOJ indicated that, as an alternative to the proposed exemption, it could delay the effective date as to ongoing or imminent clinical research, or use licenses for a period of time, to allow companies to transition their clinical development programs. DOJ asked for comment on this exemption and the alternative approach.
Financial Services. As a general matter, DOJ emphasized in the NPRM that it intends to keep the financial services exemption broad and is not interested in encroaching on any “data transactions, to the extent that they are ordinarily incident to and part of the provision of financial services.” That said, the NPRM adds new examples to the financial services exemption section that suggest that there may be a limit to what DOJ views as “ordinarily incident to and part of the provision of financial services.”
For example, the Proposed Rule provides an example stating that where a citizen of a country of concern, located in a country of concern, is hired as a director to the board of a wealth management company, and may have access to sensitive personal data in connection with that role, such transaction is a restricted transaction (employment agreement), as it would not be ordinarily incident to and part of the provision of wealth management services. In addition, the Proposed Rule includes a separate example stating that if a U.S. bank is processing payments for purposes of facilitating U.S. person transactions (i.e., transactions not related to a country of concern), but bulk data is stored by a third-party provider in a country of concern, using a third-party provider in a country of concern for those purposes would fall outside of the exemption and be restricted. As a policy matter, these positions align with DOJ’s broader goals, but DOJ asked for comments on whether these are appropriate lines to draw.
Telecommunications. Some comments in response to the ANPRM suggested that the sensitive personal data restrictions could incorporate telecommunications data and emphasized the importance of global communications to facilitate global commerce. DOJ recognized the need to ensure that U.S. persons are able to communicate globally, including with and in countries of concern. Accordingly, the NPRM adds an exemption for transactions that are ordinarily incident to and part of telecommunications services (offering examples such as international calling and data roaming). However, the preamble to the Proposed Rule makes clear that this “exemption is intended to be narrowly tailored,” in order to mitigate the risk to national security while facilitating global communications.
Travel. The NPRM also introduces a new exemption pertaining to the regulation of restricted transactions for data transactions that are ordinarily incident to travel to or from any country. This exemption tracks the classes of transactions that are statutorily exempt from the presidential authority under the International Emergency Economic Powers Act (“IEEPA,” 50 U.S. Code § 1702).
Additional Notable Points of Discussion
Other Human ‘Omic Data. DOJ indicated in the ANPRM that it did not intend to regulate other human ‘omic data transactions as part of its initial rulemaking. Although the Proposed Rule does not contain any specific proposed provisions that seek to regulate transactions involving these data types—and the proposed definition of “sensitive personal data” in the Proposed Rule does not include “human ‘omic data”—the preamble to the Proposed Rule indicates that DOJ is now contemplating such regulation. Human ‘omic data may extend to “human epigenomic data, glycomic data, lipidomic data, metabolomic data, meta-multiomic data, microbiomic data, phenomic data, proteomic data, and transcriptomic data.” DOJ invited comment on the inclusion of such data types in the regulations’ prohibitions and restrictions.
Applicability to Platform/Cloud Providers. Under the ANPRM, there was ambiguity around whether companies that provide services that allow for the processing or storage of data, but do not actually access a customer’s data or have visibility into transactions, would nonetheless be captured by the regulations if customers were to engage in a prohibited or restricted transaction. Some commenters asked for the rule to address this issue by distinguishing between processors and controllers, such as is done in privacy law.
DOJ rejected these recommendations and stated that whether such providers would be covered by the regulations would turn on whether they “knowingly” engaged in a covered data transaction. The preamble to the Proposed Rule states, for example, that if in the ordinary course of business a provider does not access customer data and has no reason to know the customer engaged in covered data transactions, the provider would not be subject to the requirements of the Proposed Rule because it would not know, or have reason to have known, the nature of the customer’s data and transactions. On the other hand, the Proposed Rule provides an example that states if a provider “specializes” in providing cloud storage for human genetics companies, then by virtue of being specialized, the provider should know that its customers’ data is likely sensitive personal data (e.g., human genomic data). Thus, if the cloud provider hires IT personnel in a country of concern—i.e., enters into an employment agreement with a covered person—then the cloud-service provider may have knowingly engaged in a prohibited transaction. While this helps provide some clarity as to how cloud and platform providers should evaluate their obligations, it raises additional questions including, for example, what it means to offer “specialized” cloud storage and whether the cloud provider, by virtue of hosting the human genomic data, may also be liable in some situations for a prohibited transaction undertaken by the customer.
Evasions or Violations via Artificial Intelligence. Building on the ANPRM’s prohibition of any transaction that has the purpose of evading or avoiding the prohibitions of the Proposed Rule, the preamble of the NPRM acknowledges the concern—raised in comments to the ANPRM—of instances in which an algorithm or AI model could provide a means to evade the prohibitions of the rule. For example, if a transaction gives a country of concern or covered person access to an AI model trained on bulk U.S. sensitive personal data, the receiving party could feasibly access the underlying data by querying the model to share some or all of the data. While DOJ does not propose to explicitly restrict the license of AI models through the regulations, the Proposed Rule states that if a transaction is structured for purposes of evading these regulations—i.e., the covered person licenses a model for purposes of accessing the U.S. sensitive personal data—such transaction would be a violation of the regulations.
Compliance Requirements
The ANPRM previewed that DOJ was considering a range of possible compliance measures that would need to be implemented by U.S. persons engaging in covered data transactions, and together with the Security Requirements issued by CISA, the Proposed Rule now details with more clarity the scope and applicability of such compliance measures.
Restricted Transaction Requirements. As a condition to engage in a restricted transaction, a U.S. person must (1) comply with the CISA Security Requirements; (2) implement a data compliance program, described in a written policy; and (3) conduct annual third-party audits.
CISA Security Requirements
The CISA Security Requirements, which CISA issued on October 21, 2024, are incorporated by reference in the NPRM and include organizational-, system-, and data-level requirements that are largely adapted from (and cross reference) the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, NIST Privacy Framework, and CISA’s Cross-Sector Cybersecurity Performance Goals. Such requirements include:
- Organizational- and system-level requirements, which cover documentation and policy requirements, logical and physical access controls, and data risk assessments. This includes, for example:
- Designating an individual (e.g., a Chief Information Security Officer, or CISO) responsible for cybersecurity and governance, risk, and compliance functions;
- Remediating known vulnerabilities within prescribed timeframes;
- Maintaining an accurate network topology of the covered system and any network interfacing with a covered system;
- Implementing an administrative policy that requires approval before new hardware, firmware, or software (including new software versions) is installed or deployed on a covered system;
- Implementing logical and physical access controls to prevent covered persons of countries of concern from gaining access to covered data; and
- Conducting data risk assessments to evaluate the sufficiency of data-level requirements, described below.
- Data-level requirements such as data minimization and data masking, encryption, privacy enhancing technologies, and identity and access management. This includes, for example:
- Applying data minimization and data masking strategies;
- Applying encryption techniques to protect covered data during restricted transactions, including comprehensive encryption during transit and storage, Transport Layer Security (“TLS”), and cryptographic key management; and
- Applying privacy enhancing technologies, such as privacy preserving computation or differential privacy techniques, to process covered data.
Restricted Transaction Diligence and Audit
The NPRM also imposes data compliance program and audit requirements on U.S. persons engaging in any restricted transactions. The required data compliance program must include:
- Procedures for verifying data flows involved in the restricted transaction;
- Procedures for verifying the identity of any vendors involved in the restricted transaction; and
- A written policy describing the data compliance program and the implementation of the CISA Security Requirements.
U.S. persons engaging in any restricted transactions must conduct annual third-party audits (that is, by an independent, external auditor) to examine the U.S. person’s data transactions, data compliance program, required recordkeeping, and implementation of the CISA Security Requirements.
Recordkeeping. The NPRM expands on the recordkeeping and reporting requirements signaled in the ANPRM, noting that all U.S. persons engaging in covered data transactions are required to keep a full and accurate record of each such transaction engaged in, and keep such record for a period of ten years. Further, any U.S. person engaged in a restricted transaction is required to also maintain the following records:
- A written policy that describes the data compliance program;
- A written policy that describes the implementation of the applicable Security Requirements (described above);
- The results of annual audits to verify compliance with security requirements and any conditions on a license;
- Documentation of due diligence to verify the data flow of restricted transactions;
- The types and volumes of government-related data or bulk U.S. sensitive personal data involved in the transaction;
- The identity of the transaction parties;
- A description of the end-use of the data; and
- Documentation and copies of related information including method of data transfer, date of transaction, agreements associated with the transaction, relevant licenses and advisory opinions, and annual certification of the accuracy and completeness of the records.
Reporting. In addition to DOJ having the authority to require a report on demand, the NPRM includes an annual reporting requirement for certain transactions, as well as reporting requirements related to prohibited transactions. Specifically, U.S. persons engaged in restricted transactions involving cloud-computing services are required to submit annual reports where 25% or more of that U.S. person’s equity interests are owned by a country of concern or covered person. It is unclear, however, what is meant by transactions “involving cloud-computing services”—i.e., whether it is referring to the provision of cloud services or the use of a third-party cloud service provider.
A report must also be filed by any U.S. person that has received and affirmatively rejected an offer from another person to engage in a prohibited transaction involving data brokerage.
Enforcement and Penalties. The NPRM states that violations of the regulations could result in both civil and criminal penalties. Civil penalties, per violation, cannot exceed the greater of $368,136 or an amount that is twice the amount of the transaction that is the basis of the violation. Criminal penalties, per violation, cannot exceed a fine of $1,000,000, imprisonment of 20 years, or both.
In connection with penalties, the NPRM establishes a pre-penalty notice process, whereby DOJ will issue a written notice informing the alleged violator of DOJ’s intent to impose a penalty. The alleged violator has the right to respond to such a notice, after which DOJ may determine that a finding of violation is not warranted or to impose a penalty.
Key Open Items and Next Steps
As part of its ongoing engagement with stakeholders through the rulemaking process, DOJ invited public input on a number of topics. While commenters may provide feedback on any aspect of the Proposed Rule, certain topics on which DOJ is specifically seeking feedback include:
- Additional measures that would allow U.S. persons to enforce contractual requirements regarding the onward transfer or resale of government-related data or bulk U.S. sensitive personal data to countries of concern and covered persons or to ensure that the data is not subsequently resold in violation of those provisions;
- Definitions of certain terms to be included in the definition of “other human ‘omic data”;
- De minimis threshold to be used in the exemption of passive investments from the definition of “investment agreements”;
- Whether and how the financial services exemption should apply to employment and vendor agreements between U.S. financial services firms and covered persons where the underlying financial services provided do not involve a country of concern; and
- The application to and implication of the NPRM’s restrictions and prohibitions on clinical research.
Comments on the NPRM and the CISA Security Requirements are due on November 29, 2024.
If you have any questions concerning the material discussed in this client alert, please contact the members of our CFIUS practice.