Client Alert 02 Apr. 2024

Biden Executive Order to Protect Americans’ Sensitive Personal Data


On February 28, 2024, President Biden issued Executive Order 14117 on “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” (the “EO”). The EO reflects the federal government’s efforts to counteract the increased exploitation of Americans’ sensitive personal data by countries significantly adverse to the national security of the U.S.

The EO directs the Department of Justice (“DOJ”), along with other federal agencies, to issue regulations that defend against the large-scale transfer of “sensitive personal data” (i.e., personal identifiers, genetic and biometric information, geolocation, etc.) to certain countries of concern (potentially China, Russia, Iran, North Korea, Cuba, and Venezuela). Accordingly, in conjunction with the EO, the DOJ has released an Advance Notice of Proposed Rulemaking (“ANPRM”) – a preliminary step in the regulatory process – seeking public comment on various topics related to the implementation of the EO’s goals.

This alert summarizes the goals of the EO and the ANPRM and overviews the conduct and data to be targeted for regulation by the DOJ.

The EO aims at mitigating the risk of countries adverse to the U.S. exploiting sensitive U.S. data

The EO expands the scope of an earlier Executive Order, reaffirming the U.S.’s goal of restricting access by certain countries of concern to certain sensitive U.S. data when such access would pose an unacceptable risk to U.S. national security.

In response to this threat, the EO authorizes the DOJ to implement rules that prohibit or otherwise restrict “United States persons” (broadly defined) from participating in certain “transactions” of data, broadly, the acquisition, use or transfer of data.

The ANPRM kicks off the process of setting rules for U.S. persons engaged in data transactions with countries of concern

The DOJ published an official draft of the ANPRM. After public comments are received, the DOJ will publish a proposed rule for further notice and comment within 180 days of the publishing of the EO (an August 27, 2024, deadline). While the rulemaking process is notoriously lengthy, some expect a succinct draft of regulations to be ready for final approval by the end of 2024.

Rules would only target transactions between a U.S. person and a country of concern, not purely domestic transactions between U.S. persons.

Covered data: Regulatory efforts will target sensitive data to which access by countries of concern would constitute a threat to the U.S.

In the ANPRM, the DOJ proposes two categories of data that will be covered under future regulations: (a) sensitive personal data and (b) sensitive government-related data (together, “covered sensitive data”).

a) Sensitive personal data

Sensitive personal data encompasses:

  • U.S. persons’ covered personal identifiers: specifically listed classes of personally identifiable data that are reasonably linked to an individual, which can be used to identify an individual from a data set. The final rule will include a comprehensive list of listed identifiers.
  • precise geolocation data: data, whether real-time or historical, that identifies the physical location of an individual or a device with a precision of [undetermined number of meters/feet] based on electronic signals or inertial sensing units.
  • biometric identifiers: measurable physical characteristics or behaviors used to recognize or verify the identity of an individual, including facial images, voice prints and patterns, retina and iris scans, palm prints and fingerprints, gait, and keyboard usage patterns.
  • human genomic data: data presenting the nucleic acid sequences that comprise the entire set or a subset of genetic instructions found in a human cell.
  • personal financial data: data about an individual’s credit, charge, debit card, or bank account. This includes purchases and payment history, data in a financial statement, or data in a credit or “consumer report”.
  • personal health data: individually identifiable health information, regardless of whether such information is collected by a covered entity or a business associate.

The DOJ will establish precise volume-based thresholds for each category of sensitive personal data, with the idea that only “bulk” transactions of sensitive personal data will be targeted by future regulations.

b) Sensitive government-related data

Broadly, sensitive government-related data is:

  • sensitive personal data linked to current or recent former employees, contractors, or officials of the U.S. government; and
  • geolocation data for any location within any area on a list of specific geofenced areas associated with certain military, government, or sensitive facilities.

Transactions of sensitive government-related data will be targeted by regulations, regardless of volume.

Covered transactions: Some data “transactions” will be prohibited, while others will be restricted

The ANPRM outlines the DOJ’s preliminary plans to establish a program that will (a) identify certain classes of highly sensitive transactions related to covered sensitive data that would be prohibited in their entirety (“prohibited transactions”), and (b) identify other classes of transactions that would be prohibited except to the extent they comply with predefined security requirements to mitigate risk (“restricted transactions”).

a) Prohibited data transactions

The ANPRM considers identifying two prohibited data transactions between U.S. persons and countries of concern:

  • “data-brokerage transactions”, defined as the sale of, licensing of access to, or similar commercial transaction involving the transfer of covered sensitive data; and
  • any transaction that provides a country of concern or “covered person” with access to bulk human genomic data or human biospecimens from which human genomic data can be derived.

b) Restricted data transactions

The ANPRM also considers identifying three classes of restricted data transactions to address critical risk areas. Because these agreements typically involve access or transmission of covered sensitive data, the ANPRM labels them as restricted data transactions:

  • vendor agreements, including, among other types, agreements for technology services and cloud-service agreements;
  • employment agreements; and
  • investment agreements.

Restricted data transactions related to covered sensitive data would only be permitted so long as three security conditions are met:

1. the U.S. person implements a basic “cybersecurity posture”, i.e., protocols for the protection of its networks, data, and systems;

2. the U.S. person conducts the data transaction in compliance with four conditions: (a) minimization and masking of the covered sensitive data, (b) use of privacy-preserving technologies, (c) development of information-technology systems to prevent unauthorized disclosure, and (d) implementation of logical and physical access controls; and

3. the U.S. person satisfies certain compliance-related conditions, such as retaining an independent auditor to perform annual testing of requirements (1) and (2).

Certain low-risk data transactions would be exempt from future regulation

In accordance with the EO, the ANPRM proposes certain data transactions that would be exempt from coverage by future rules, including

  • personal communications, including any postal, telegraphic, telephonic, or other personal communication that does not involve the transfer of anything of value;
  • “informational materials”;
  • transactions for the conduct of the official business of the U.S. government; and
  • ordinary financial activities, including processing payments and the transfer of financial data.

The EO also authorizes the DOJ to issue licenses to authorize transactions related to covered sensitive data that would otherwise be prohibited or restricted. The ANPRM considers creating a licensing regime within the DOJ, which would allow U.S. persons to apply for general or specific licenses for covered sensitive data transactions.

Risk-based compliance: The level of compliance with future regulations will depend on an individualized risk profile

The ANPRM considers a model in which U.S. persons subject to future regulations “employ a risk-based approach to compliance by developing, implementing, and routinely updating a compliance program.”

Thus, the due diligence and recordkeeping required from a particular U.S. person would be based on that U.S. person’s “individualized risk profile and would vary depending on a variety of factors, including the U.S. person's size and sophistication, products and services, customers and counterparties, and geographic locations.”

Similarly, the ANPRM considers developing reporting requirements for certain categories of U.S. persons engaged in restricted data transactions, or engaging in restricted or prohibited data transactions as conditions of a license.

Enforcement: A potential system of civil monetary penalties for noncompliance

The ANPRM considers “establishing a process for imposing civil monetary penalties similar to the processes followed by OFAC and CFIUS.” Penalties could be based on noncompliance with future regulations, making material misstatements or omissions, making false certifications or submissions, or other actions.

Importantly, the DOJ intends for these regulations to apply to “individuals and entities who knew or should have known of the circumstances of the transaction.” In determining whether an individual or entity “should have known” of the circumstances in a particular context, the DOJ lists relevant facts and circumstances it will consider.
