Client Alert 02 Apr. 2024
On February 28, 2024, President Biden issued Executive Order 14117 on “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” (the “EO”). The EO reflects the federal government’s efforts to counteract the increased exploitation of Americans’ sensitive personal data by countries significantly adverse to the national security of the U.S.
The EO directs the Department of Justice (“DOJ”), along with other federal agencies, to issue regulations that defend against large-scale transfer of “sensitive personal data” (i.e., personal identifiers, genetic and biometric information, geolocation, etc.) to certain countries of concern (potentially China, Russia, Iran, North Korea, Cuba, and Venezuela). Accordingly, in conjunction with the EO, the DOJ has released an Advanced Notice of Proposed Rulemaking (“ANPRM”) – a preliminary step in the regulatory process – seeking public comment on various topics related to the implementation of the EO’s goals.
This alert summarizes the goals of the EO and the ANPRM and overviews the conduct and data to be targeted for regulation by the DOJ.
The EO expands the scope of an earlier Executive Order, reaffirming the U.S.’s goal of restricting access by certain countries of concern to certain sensitive U.S. data when such access would pose an unacceptable risk to U.S. national security.
In response to this threat, the EO authorizes the DOJ to implement rules that prohibit or otherwise restrict “United States persons” (broadly defined) from participating in certain “transactions” of data (broadly, the acquisition, use, or transfer of data).
The ANPRM kicks off the process of setting rules for U.S. persons engaged in data transactions with countries of concern
The DOJ published an official draft of the ANPRM. After public comments are received, the DOJ will publish a proposed rule for further notice and comment within 180 days of the publishing of the EO (an August 27, 2024, deadline). While the rulemaking process is notoriously lengthy, some expect a succinct draft of regulations to be ready for final approval by the end of 2024.
Covered data: Regulatory efforts will target sensitive data to which access by countries of concern would constitute a threat to the U.S.
In the ANPRM, the DOJ proposes two categories of data that will be covered under future regulations: (a) sensitive personal data and (b) sensitive government-related data (together, “covered sensitive data”).
Sensitive personal data encompasses:
The DOJ will establish precise volume-based thresholds for each category of sensitive personal data, with the idea that only “bulk” transactions of sensitive personal data will be targeted by future regulations.
Broadly, sensitive government-related data is:
Transactions of sensitive government-related data will be targeted by regulations, regardless of volume.
The ANPRM outlines the DOJ’s preliminary plans to establish a program that will (a) identify certain classes of highly sensitive transactions related to covered sensitive data that would be prohibited in their entirety (“prohibited transactions”), and (b) identify other classes of transactions that would be prohibited except to the extent they comply with predefined security requirements to mitigate risk (“restricted transactions”).
The ANPRM considers identifying two prohibited data transactions between U.S. persons and countries of concern:
The ANPRM also considers identifying three classes of restricted data transactions to address critical risk areas. Because these agreements typically involve access or transmission of covered sensitive data, the ANPRM labels them as restricted data transactions:
Restricted data transactions related to covered sensitive data would only be permitted so long as three security conditions are met:
1. the U.S. person implements a basic “cybersecurity posture”, i.e., protocols for the protection of its networks, data, and systems;
2. the U.S. person conducts the data transaction in compliance with four conditions: (a) minimization and masking of the covered sensitive data, (b) use of privacy-preserving technologies, (c) development of information-technology systems to prevent unauthorized disclosure, and (d) implementation of logical and physical access controls; and
3. the U.S. person satisfies certain compliance-related conditions, such as retaining an independent auditor to perform annual testing of requirements (1) and (2).
In accordance with the EO, the ANPRM proposes certain data transactions that would be exempt from coverage by future rules, including
The EO also authorizes the DOJ to issue licenses to authorize transactions related to covered sensitive data that would otherwise be prohibited or restricted. The ANPRM considers creating a licensing regime within the DOJ, which would allow U.S. persons to apply for general or specific licenses for covered sensitive data transactions.
The ANPRM considers a model in which U.S. persons subject to future regulations “employ a risk-based approach to compliance by developing, implementing, and routinely updating a compliance program.”
Thus, the due diligence and recordkeeping required from a particular U.S. person would be based on that U.S. person’s “individualized risk profile and would vary depending on a variety of factors, including the U.S. person's size and sophistication, products and services, customers and counterparties, and geographic locations.”
Similarly, the ANPRM considers developing reporting requirements for certain categories of U.S. persons engaged in restricted data transactions, or engaging in restricted or prohibited data transactions as conditions of a license.
The ANPRM considers “establishing a process for imposing civil monetary penalties similar to the processes followed by OFAC and CFIUS.” Penalties could be based on noncompliance with future regulations, making material misstatements or omissions, making false certifications or submissions, or other actions.
Importantly, the DOJ intends for these regulations to apply to “individuals and entities who knew or should have known of the circumstances of the transaction.” In determining whether an individual or entity “should have known” of the circumstances in a particular context, the DOJ lists relevant facts and circumstances it will consider.
Data Protection and Privacy Law
National Security Law
Elisa Botero
Partner
Jonathan J. Walsh
Joseph Muschitiello
Associate