DOJ cracks down on data transfers

Eversheds Sutherland (US) LLP

Proposed rule would create new prohibitions on transactions of sensitive personal data and government-related data

The Department of Justice (DOJ) has proposed a new rule aimed at preventing China and other designated countries of concern from accessing bulk US sensitive personal data and certain government-related data, indicating that a degree of data sovereignty has reached US shores.

The proposed rule has a 30-day comment window, and it aims to address the national security risk posed by the continuing efforts of countries like China, Russia, Iran, North Korea, Cuba, and Venezuela to access and exploit Americans’ sensitive personal data. The rule would significantly impact companies that collect, process, store or transfer data, particularly companies that deal with bulk sensitive personal data and data relating to the location of government facilities.

While DOJ emphasizes that the proposed rule is not meant to impose broader data localization requirements, the rule would create personal data transfer restrictions under US law. In addition, the Government is looking to “derisk” certain transactions with countries of concern in order to limit the harm to national security (i.e., to keep potential adversaries from being in a position to use sensitive personal data to the detriment of the US), but at the same time US companies may find it harder to advocate for an open, global internet as opposed to the segmented internet favored by a number of the countries in question.

On penalty of significant fines, companies will soon need to ensure, for example, that all vendor contracts, employment contracts, or investment agreements involving countries of concern meet strict new data security requirements—and may need to determine whether such agreements are worth the cost of compliance.

Companies should therefore urgently consider assessing their current practices with respect to data in the context of the proposed rule, as well as against the latest threats. Those with concerns about the proposed rule should also consider expressing their views to the Department of Justice during the rapidly closing 30-day comment window.

Key Points of the Proposed Rule:
The proposed rule implements Executive Order 14117 by setting restrictions on data transactions that are consistent with recent actions by the Committee on Foreign Investment in the United States (CFIUS) and the Committee for the Assessment of Foreign Participation in the U.S. Telecommunications Services Sector (Team Telecom). The proposed rule outlines prohibitions, restrictions, compliance requirements and penalties for violations.

Importantly, the Proposed Rule distinguishes between privacy and national security, with the result that certain privacy principles like individual consent would not afford companies the ability to conduct a restricted transfer, much like individual corporate choice is not available to permit the export of a restricted technology.

More specifically, the proposed rule would bar US persons from engaging in certain bulk data transactions with individuals or entities owned or controlled by, or organized or located in, a country of concern, as well as people who pose unacceptable risks of giving such countries access to certain government-related or bulk sensitive personal data.

  • For the purposes of the rule, sensitive personal data includes personal identifiers, precise geolocation data, biometric identifiers, human genomic data, personal financial data, and personal health data.
  • The proposed rule establishes thresholds for what constitutes bulk sensitive personal data, including, according to DOJ’s fact sheet, “human genomic data on over 100 US persons, biometric identifiers on over 1,000 US persons, precise geolocation data on over 1,000 US devices, personal health data on over 10,000 US persons, personal financial data on over 10,000 US persons, certain covered personal identifiers on over 100,000 US persons, or any combination of these data types that meets the lowest threshold for any category in the dataset.”
  • The proposed rule defines government-related data as sensitive personal data and location data that, regardless of volume, could pose a heightened risk of being exploited by a country of concern to harm US national security. That includes information linked to certain categories of current or former government employees, contractors, and senior officials as well as data relating to sensitive government locations.

Beyond the rule’s general ban on transferring bulk data and certain US Government-related data to countries of concern, the proposed rule also specifically categorizes certain transactions with countries of concern as either prohibited or restricted. Prohibited transactions include data brokerage and bulk data transactions involving human genomic data or material from which such data can be derived. Restricted transactions include vendor agreements, employment agreements, and investment agreements involving countries of concern, which are permitted only if they meet strict security requirements being developed separately by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).

  • The proposed rule defines vendor agreements broadly, to include agreements and arrangements for cloud-computing services. That could include, for example, a medical facility’s contract for IT services to store bulk personal health data.
  • Covered employment agreements include all operational and executive-level employment, as well as board and committee employment roles, but not employment as an independent contractor. That could include, for example, employment agreements for overseas IT personnel who could potentially access company systems that contain bulk sensitive personal data.
  • Investment agreements would include any agreement or arrangement through which an investor obtains direct or indirect ownership rights in a US legal entity or real estate in the United States. The rule excludes certain passive investments that amount to less than 10% of the total equity and voting interest of a US person and that do not pose a risk to national security, absent any unusual minority shareholder rights. That could include investments in publicly traded securities, in securities offered by registered investment companies, and as a limited partner in private equity and venture capital funds, provided certain conditions are met.
  • As proposed by CISA, security controls for restricted transactions could include enterprise-level cybersecurity policies and practices, physical and logical access controls to prevent unauthorized access to data, data masking and minimization, encryption, and the use of other privacy-enhancing techniques.

The rule exempts certain types of transactions, such as personal communications, financial services, corporate group transactions, and clinical trials. US persons must also avoid facilitating prohibited transactions through third parties, as the rule introduces penalties for attempts to circumvent these restrictions.

The proposed rule contains a process for obtaining general and specific licenses to engage in otherwise prohibited transactions, including to wind down current business arrangements that violate the rule. The proposed rule also includes a mechanism for seeking advisory opinions from the DOJ on the application of the rule to specific transactions.

Considerations for Companies:
Organizations that collect, process, store or transfer bulk sensitive personal data or government-related data should carefully evaluate their international data-sharing practices, particularly if they, or their service providers, engage in transactions with entities from the countries of concern.

As the proposed rule is being finalized, affected companies should consider adopting robust compliance programs shaped to their circumstances, including internal and third-party due diligence, recordkeeping and annual audits, to ensure adherence once the rule is finalized. Failure to comply with the new regulations could result in significant penalties, as well as increased scrutiny from US regulatory authorities.

The proposed rule will now be open for a 30-day comment period. Companies that have general or specific concerns with the rule as drafted should also consider submitting feedback to and monitoring updates regarding the finalization and implementation of the rule.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Eversheds Sutherland (US) LLP
