For companies in the U.S. that hold certain personal data and U.S. Government-related data, rules stemming from recent Executive Order (“EO”) 14117 on “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” may create obstacles and new compliance obligations. Under this EO, the Attorney General is charged with issuing regulations to either outright prohibit or impose restrictions on transactions involving bulk sensitive personal data or U.S. Government-related data when such transactions involve a “country of concern.”

A Department of Justice (“DOJ”) Advanced Notice of Proposed Rulemaking (“ANPRM”) forecasts what some of the contours of the eventual regulations could look like, as discussed below. 

Types of Data Covered

The EO identifies two classes of data that will be covered by the regulation: bulk sensitive personal data and U.S. Government-related data.

The ANPRM outlines six categories of data to be considered bulk U.S. sensitive personal data: (1) covered personal identifiers; (2) geolocation and related sensor data; (3) biometric identifiers; (4) human genomic data; (5) personal health data; (6) personal financial data.

For bulk sensitive personal data, there is a yet-to-be-determined volume threshold that must be involved in the transaction for it to be covered. Each data category will have a different volume threshold depending on its sensitivity, and combined data categories are covered if the volume surpasses the lowest of the thresholds in those data categories. Suggested thresholds in the ANPRM range from data sets on 100 U.S. persons for highly sensitive data to more than 1,000,000 U.S. persons for less sensitive data categories.

The ANPRM considers two categories under U.S. Government-related data:

  1. Precise geolocation data for government-related locations, which refers to location data within a yet-to-be-determined level of accuracy within a yet-to-be-enumerated list of geofenced areas associated with military, government, and other sensitive facilities (there will be a “Government-Related Location Data List”).
  2. Sensitive personal data that a party markets as linked or linkable to current or recent former employees or contractors, or former senior officials, of the U.S. Government (e.g., a company advertises the sale of personal data of active duty personnel or a data set on members of a specific organization limited to military members and their families, such as USAA).

For U.S. Government-related data, there is no threshold requirement and the data categories will be covered regardless of volume.

Prohibitions and Restrictions

The ANPRM identifies certain classes of transactions that will be prohibited and those that will be restricted. Prohibited transactions include selling or licensing access to covered data – “Data Brokerage Transactions” – and transactions for bulk genomic data and human biospecimens from which genomic data can be derived. To be prohibited, the transaction must involve a country of concern. The ANPRM is considering identifying the following countries as countries of concern: China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela.[1]

Vendor agreements, employment agreements, and investment agreements involving potential access by a country of concern to covered data will be restricted, requiring compliance with specific security measures to be determined by the Cybersecurity and Infrastructure Security Agency (“CISA”). The ANPRM includes suggested frameworks for CISA to draw on for these measures, including the CISA Cybersecurity Performance Goals (“CPG”), the National Institute of Standards & Technology (“NIST”) Cybersecurity Framework (“CSF”), the NIST Privacy Framework (“PF”), and NIST SP 800-171 rev. 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.

Impact of the New Regulations

The new regulations will impact businesses with operations in or transactions involving countries of concern and covered persons related to those countries. This includes vendor agreements, employment agreements, and investment agreements that may enable access to covered data by countries of concern and covered persons if certain security measures are not in place. Companies should be cognizant of data hosting or cloud services in a country of concern, of employees that are citizens of and reside in a country of concern with access to covered data, and of foreign investment[2] from a country of concern.

Government contractors may benefit from an “Official business” exemption which would except otherwise covered transactions performed pursuant to a government contract or grant. Note this exemption is contemplated so that government agencies may craft their own contract and grant conditions to control risk of access to covered data.

The DOJ will issue a proposed rule (currently due at the end of August) based on feedback received on the ANPRM, followed by another comment period, and then a final rule. Because we currently are in the early stages of rulemaking, we expect there to be changes and (hopefully) more clarity by the time we arrive at a final rule. However, companies that hold sensitive information and have operations or vendors in identified countries of concern should stay up-to-date on developments in this space and take steps to prepare for the final rule by identifying potential transactions prohibited or restricted by the rule as well as implementing security measures that may mitigate identified risks.

FOOTNOTES

[1] This initial list is drawn from EO 13873, which identified these countries as “having engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of the United States.”

[2] The ANPRM contemplates coordination with the Committee on Foreign Investment in the United States (CFIUS), whereby the DOJ would regulate covered data transactions until CFIUS takes action related to the transaction.