On February 28, 2024, President Biden issued an Executive Order (the “Order”) designed to protect the “sensitive personal data” of Americans from “exploitation” by “countries of concern” or related “covered persons.” Concurrently, the Department of Justice (“DOJ”) released an Advance Notice of Proposed Rulemaking (“Advance Notice”), detailing potential definitions for key terms not defined in the Order, discussing the potential regulatory framework to implement the Order (the “Program”) and seeking public comment on over 100 related questions.[1]
Assistant Attorney General Matthew G. Olsen of the DOJ’s National Security Division described the actions as addressing a “key gap in our national security authorities” that will be “a new and powerful enforcement tool to protect Americans and their most sensitive information from being exploited by our adversaries.”
In this post, we identify several key aspects of the Order and Advance Notice and outline considerations for entities that may be impacted by the forthcoming regulations, if enacted.
- Obligations and timing. The Order and the Advance Notice do not impose any immediate legal obligations; rather, this is the beginning of a long regulatory process that likely will not conclude until later this year, at the soonest.
- Countries of concern and covered persons.
The Advance Notice contemplates identifying six countries of concern: China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba and Venezuela.
Covered persons would include certain types of entities and individuals that are subject to the jurisdiction, direction, ownership or control of countries of concern, including residents of those countries, with exceptions for U.S. persons.
- Sensitive personal data. “Sensitive personal data” is proposed to include six (6) unique categories of personal information—certain personal identifiers, geolocation data, biometric identifiers, human ‘omic data, personal health data or personal financial data—as well as any combinations of these data that could be exploited by a country of concern, harming U.S. national security by linking that data to individuals or groups.
Under the Order, there are three exclusions to this definition: (1) public record data (such as court records); (2) personal communications that are within the scope of section 203(b)(1) of IEEPA (including postal, telegraphic and telephonic communication that does not involve a transfer of anything of value); and (3) information or informational materials (including, for example, publications, films, posters, photographs and news wire feeds) within the scope of section 203(b)(3) of IEEPA.
In addition, “U.S. government-related data” is defined in the Order as sensitive personal data that poses a heightened national security risk, regardless of volume, and is linkable to either senior government officials or sensitive federal government locations.
- Scope of covered data transactions. The Program is designed to implement “targeted” rules to either restrict or prohibit specific categories of transactions with countries of concern or covered persons.
Under the Advance Notice, the DOJ discusses adopting a broad definition of “transaction” as “any acquisition, holding, use, transfer, transportation, exportation of, or dealing in any property in which a foreign country or national thereof has an interest.”
Data brokerage transactions and genomic data transactions between U.S. persons and countries of concern or covered persons would be prohibited.
Three other types of data transactions would be restricted under the Advance Notice, in that the transactions would be prohibited unless they met certain to-be-determined security requirements: (1) vendor agreements (including cloud-service agreements); (2) employment agreements; and (3) investment agreements.
The security requirements are expected to be based on existing standards, such as CISA’s Cybersecurity Performance Goals and NIST’s Cybersecurity Framework, and will impose conditions around (1) a set of “basic” requirements; (2) data minimization and masking; (3) use of privacy-preserving technologies; (4) IT systems to prevent unauthorized disclosure; (5) logical and physical access controls; and (6) compliance conditions, such as independent auditing of the implementation of requirements (1)–(5).
The Program contains several key exemptions for data transactions, including for (1) financial services (including banking, capital markets and financial insurance services); (2) ancillary business operations within multinational U.S. companies; (3) activities of the U.S. government; and (4) transactions required or authorized by federal law or international agreements.
The regulations would generally apply only to transactions over certain bulk volumes, except for transactions involving U.S. government-related data, which may be restricted regardless of volume.
Additionally, the Advance Notice also anticipates that the DOJ may establish processes to issue general and specific licenses to potentially exempt or accommodate transactions and advisory opinions to assist with the application of the regulations.
- Compliance requirements. The Program anticipates requiring a compliance approach modeled on the economic sanctions programs administered by the U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”), where U.S. companies and individuals develop and implement risk-based compliance programs.
- Penalties. The Order authorizes the DOJ to investigate violations of the regulations, including pursuing civil and criminal remedies available under IEEPA, which currently carry a maximum civil penalty per violation of the greater of $368,136 or an amount that is twice the amount of the underlying transaction, and, for willful violations, may incur criminal penalties of $1 million per violation and, for individuals, up to 20 years imprisonment per violation. The Advance Notice also contemplates establishing an enforcement process to impose civil penalties for violations, similar to civil enforcement processes at other regulators such as OFAC.
- Other agency actions. The Order also directs certain agency actions to address data security risks associated with countries of concern with regard to: (1) submarine cable systems; (2) grantmaking and contracting authorities related to sensitive health data and human genomic data; and (3) the role of data brokers.[2]
While the Order and the Advance Notice do not impose any immediate legal obligations, businesses that engage in the types of data transactions contemplated may wish to begin considering the following:
- Participate in the public notice and comment process. Independently or through industry associations, interested businesses should consider commenting on the Advance Notice and looking for other opportunities to provide feedback during the rulemaking process. The comment period will be open for 45 days following publication of the Advance Notice in the Federal Register.
- Transactional diligence. Entities should consider whether they currently engage in data transactions contemplated by the Order and Advance Notice, or similar transactions, and, if so, consider enhancements to existing diligence processes that may be needed to screen for affiliations with “countries of concern” or related “covered persons” going forward.
- Security controls. Businesses that might seek to engage in data transactions under the currently contemplated “restricted” category can review the Advance Notice for guidance on the types of organizational security measures that they will be expected to have implemented in order to do a preliminary gap analysis.
- Data mapping. Entities may wish to conduct a review to identify the sensitive personal data and U.S. government-related data that they hold and where that data is stored and processed—both geographically and whether it is stored at a third party.
- Vendor agreements. Where data is held by a third party, businesses should keep in mind that new contractual terms may be needed in order to ensure compliance with any forthcoming obligations.
- Compliance audits. Entities can begin to consider enhancements to compliance audit processes that will capture covered data transactions and include monitoring data flows, assessing security protocols, vendor oversight and reviewing diligence on parties to data transactions.
Please look out for our in-depth discussion of the Order and Advance Notice, which we will be sharing as a Client Update in the coming days.
***
This post was originally published on the Debevoise Data Blog, available here. To subscribe to the Data Blog, please click here.
***
To subscribe to the Debevoise Fintech Blog, click here.
***
[1] The relevant documents are consolidated here.
[2] The Order specifically encourages the Consumer Financial Protection Bureau to consider addressing the role of data brokers in national security risks, including encouragement to continue to pursue the rulemaking proposals under the Fair Credit Reporting Act identified at the September 2023 Small Business Advisory Panel for Consumer Reporting Rulemaking. See here.
