Introduction/Summary
On October 29, 2024, the Department of Justice (“DOJ”) published its Notice of Proposed Rulemaking (“NPRM”) to implement President Biden’s Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” This follows the DOJ’s publication of its Advance Notice of Proposed Rulemaking (“ANPRM”) earlier this year. (Ropes & Gray covered the ANPRM in detail here.)
The NPRM asserts the DOJ as a critical regulator of data transfers involving countries of concern or covered persons. Organizations transacting with entities or individuals with relationships to the People’s Republic of China (including Hong Kong and Macau) (the “PRC”), Russia, Iran, North Korea, Cuba, and Venezuela should carefully review the proposed rules for potential impacts on their business models. The regulations prohibit certain transactions involving data brokers and human genomic data, while also significantly restricting transactions involving vendor agreements, employment agreements, or investment agreements. There are several proposed exemptions, however, that may be applicable for certain industries such as financial services, telecommunications, pharmaceutical development, and clinical research.
While expansive in scope, the regulations are limited to bulk U.S. sensitive personal data and U.S. government-related data. Specifically, with respect to sensitive personal data, the NPRM limits the prohibitions and restrictions to:
- Human genomic data, or biospecimens from which such data may be derived, of more than 100 U.S. persons.
- Biometric identifiers of more than 1,000 U.S. persons.
- Precise geolocation data of more than 1,000 U.S. devices.
- Personal health data of more than 10,000 U.S. persons.
- Personal financial data of more than 10,000 U.S. persons.
- Covered personal identifiers of more than 100,000 U.S. persons.
These thresholds are measured over the preceding 12 months, whether the data is accessed in a single transaction or aggregated across multiple transactions involving the same parties.
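The threshold rule above is easy to state but awkward to apply by hand once a counterparty appears in many transactions across the year. The following added example (not code from the alert or from the NPRM) shows one way a compliance or security team might model it: a small ledger of transactions is aggregated per U.S. person, counterparty and data category over a trailing window, and any pair whose total is "more than" the threshold is flagged. The parties, dates and counts are constructed, the 365-day window is an assumption standing in for "preceding 12 months," and summing per-transaction counts is an assumption that over-approximates the number of distinct U.S. persons (a real ledger would de-duplicate individuals).

```python
from collections import defaultdict
from datetime import date, timedelta

# Bulk thresholds as summarized above ("more than N U.S. persons/devices").
BULK_THRESHOLDS = {
    "human_genomic": 100,
    "biometric": 1_000,
    "precise_geolocation": 1_000,      # measured in U.S. devices, not persons
    "personal_health": 10_000,
    "personal_financial": 10_000,
    "covered_personal_identifiers": 100_000,
}

# Assumption: "preceding 12 months" is modelled as a trailing 365-day window.
LOOKBACK_DAYS = 365

# Constructed sample ledger (hypothetical parties and figures). "count" is the
# number of U.S. persons (or devices) whose data the counterparty can access.
AS_OF = date(2024, 10, 29)
SAMPLE_TRANSACTIONS = [
    {"us_person": "AcmeCo", "counterparty": "VendorX", "category": "personal_health",
     "date": date(2024, 1, 15), "count": 6_000},
    {"us_person": "AcmeCo", "counterparty": "VendorX", "category": "personal_health",
     "date": date(2024, 6, 1), "count": 5_000},   # same parties: aggregates to 11,000
    {"us_person": "AcmeCo", "counterparty": "VendorY", "category": "personal_health",
     "date": date(2024, 6, 1), "count": 5_000},   # different counterparty: stays at 5,000
    {"us_person": "AcmeCo", "counterparty": "VendorX", "category": "human_genomic",
     "date": date(2023, 5, 1), "count": 150},     # older than 12 months: not counted
    {"us_person": "AcmeCo", "counterparty": "VendorX", "category": "human_genomic",
     "date": date(2024, 9, 1), "count": 100},     # exactly 100: not "more than" 100
    {"us_person": "AcmeCo", "counterparty": "VendorZ", "category": "precise_geolocation",
     "date": date(2024, 10, 1), "count": 1_001},  # crosses the device threshold
]


def aggregate_counts(transactions, as_of, lookback_days=LOOKBACK_DAYS):
    """Sum counts per (U.S. person, counterparty, data category) inside the window.

    Assumption: summing per-transaction counts is a conservative proxy for the
    number of distinct U.S. persons; a real ledger would de-duplicate individuals.
    """
    window_start = as_of - timedelta(days=lookback_days)
    totals = defaultdict(int)
    for tx in transactions:
        if tx["category"] not in BULK_THRESHOLDS:
            raise ValueError(f"unknown data category: {tx['category']}")
        if window_start < tx["date"] <= as_of:
            key = (tx["us_person"], tx["counterparty"], tx["category"])
            totals[key] += tx["count"]
    return dict(totals)


def bulk_exceedances(transactions, as_of, lookback_days=LOOKBACK_DAYS):
    """Return {(us_person, counterparty, category): total} for pairs over threshold."""
    totals = aggregate_counts(transactions, as_of, lookback_days)
    return {key: total for key, total in totals.items()
            if total > BULK_THRESHOLDS[key[2]]}


def headroom(transactions, as_of, us_person, counterparty, category,
             lookback_days=LOOKBACK_DAYS):
    """How many more persons/devices this pair can add before the total is bulk."""
    totals = aggregate_counts(transactions, as_of, lookback_days)
    used = totals.get((us_person, counterparty, category), 0)
    return max(BULK_THRESHOLDS[category] - used, 0)


if __name__ == "__main__":
    for (us, cp, cat), total in sorted(bulk_exceedances(SAMPLE_TRANSACTIONS, AS_OF).items()):
        print(f"{us} -> {cp}: {cat} total {total:,} exceeds {BULK_THRESHOLDS[cat]:,}")
    print("personal_health headroom with VendorY:",
          headroom(SAMPLE_TRANSACTIONS, AS_OF, "AcmeCo", "VendorY", "personal_health"))
```

Run as-is, the ledger flags the VendorX health-data relationship (two transactions that individually sit under 10,000 but aggregate to 11,000) and the VendorZ geolocation transaction, while the 2023 genomic transfer falls outside the window and the 100-person genomic transfer sits exactly at, not above, the threshold. The `headroom` helper is the figure a reviewer usually wants before approving a new transfer to an existing counterparty.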
The proposed rule also provides for sweeping enforcement authority for the DOJ, including through audits as well as civil and criminal enforcement. Civil penalties can reach the greater of $368,136 or twice the amount of the transaction, while willful violations can carry fines of up to $1 million or up to 20 years’ imprisonment. The NPRM also proposes to create exhaustive recordkeeping and reporting requirements.
The NPRM has a 30-day comment period, with a deadline of November 29, 2024. In the preamble to the NPRM, the DOJ solicits comments from interested parties on a variety of critical details of the proposed rule. It is important for organizations contemplating submitting comments to review the rule with care to assess how to best influence DOJ decision making.
There is no specific deadline for a rule to go into effect, but organizations potentially affected by its obligations should begin assessing how best to comply with the rule. Organizations should be reviewing their data practices and business needs to determine the best approach for compliance.
Overview
Below, we provide an overview of the main aspects of the NPRM along with critical details. We have also provided a list of important definitions that inform the regulations in an appendix. It is important to note that the DOJ provides a significant number of examples to illustrate further the contours of the proposed rule and solicits additional comments on a variety of specific and general questions. Organizations affected by aspects of the NPRM should be sure to review the specific examples and solicitations for comments related to the relevant section.
Prohibited Transactions
The proposed rule prohibits U.S. persons from knowingly engaging in a covered data transaction involving data brokerage with a country of concern or covered person. It also prohibits covered data brokerage transactions with any foreign person unless the foreign person is contractually restricted from engaging in a subsequent covered data transaction involving data brokerage of the same data with a country of concern or covered person and the U.S. person reports any known or suspected violation of the contractual requirement.
The proposed rules also prohibit U.S. persons from knowingly engaging in any covered data transaction with a country of concern or covered person that involves access by that country of concern or covered person to bulk U.S. sensitive personal data that involves bulk human genomic data, or to human biospecimens from which bulk human genomic data could be derived.
Importantly, the NPRM also prohibits U.S. persons from knowingly directing any covered data transaction involving a foreign person that would be a prohibited transaction or restricted transaction that fails to comply with applicable requirements, if engaged in by a U.S. person. For example, if a U.S. person is an officer, senior manager, or equivalent senior level employee at a foreign company that is not a covered person, and the foreign company undertakes a covered data transaction at that U.S. person’s direction or with that U.S. person’s approval when the covered data transaction would be prohibited if performed by a U.S. person, the U.S. person has knowingly directed a prohibited transaction.
Restricted Transactions
The regulations restrict U.S. persons from knowingly engaging in a covered data transaction involving a vendor agreement, employment agreement, or investment agreement with a country of concern or covered person unless the U.S. person complies with certain security requirements published by the Cybersecurity and Infrastructure Security Agency (“CISA”).
In tandem with the publication of the NPRM, CISA published proposed security requirements for restricted transactions. These security requirements include: an asset inventory; a Chief Information Security Officer; timely remediation of vulnerabilities (the requirements have specific timelines); documentation of all vendor agreements; maintaining an accurate network map; a vendor cybersecurity diligence policy; an incident response plan; multi-factor authentication or sufficiently complex passwords when multi-factor authentication is not feasible; timely revocation of credentials; comprehensive logging; access management policies and procedures; data retention and deletion policies; sufficient encryption; and incorporation of privacy enhancing technologies.
Exempt Transactions
The NPRM expanded upon and created certain new proposed exempted transactions to which the prohibitions and restrictions do not apply. These exempted transactions are as follows:
- Nothing of Value: Data transactions to the extent that they involve any postal, telegraphic, telephonic, or other personal communication that does not involve the transfer of anything of value.
- Expressive Materials: Data transactions to the extent that they involve the importation from any country, or the exportation to any country, whether commercial or otherwise, regardless of format or medium of transmission, of any information or informational materials. This is defined as expressive material, which includes publications, films, posters, phonograph records, photographs, microfilms, microfiche, tapes, compact disks, CD ROMs, artworks, and news wire feeds, but does not include data that is technical, functional, or otherwise non-expressive.
- Incident to Travel: Data transactions to the extent that they are ordinarily incident to travel to or from any country.
- USG Business: Data transactions to the extent that they are for the conduct of the official business of the U.S. government.
- Example
- A U.S. hospital receives a federal grant to conduct human genomic research on U.S. persons. As part of that federally funded human genomic research, the U.S. hospital contracts with a foreign laboratory that is a covered person, hires a researcher that is a covered person, and gives the laboratory and researcher access to the human biospecimens and human genomic data in bulk. The contract with the foreign laboratory and the employment of the researcher are exempt transactions but would be prohibited transactions if they were not part of the federally funded research.
- Financial Services: Data transactions to the extent that they are ordinarily incident to and part of the provision of financial services including:
- Banking, capital-markets (including investment-management services), or financial-insurance services;
- A financial activity authorized for national banks by 12 U.S.C. 24 (Seventh) and rules and regulations and written interpretations of the Office of the Comptroller of the Currency thereunder;
- An activity that is “financial in nature or incidental to such financial activity” or “complementary to a financial activity,” section (k)(1), as set forth in section (k)(4) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)(4)) and rules and regulations and written interpretations of the Board of Governors of the Federal Reserve System thereunder;
- The transfer of personal financial data or covered personal identifiers incidental to the purchase and sale of goods and services (such as the purchase, sale, or transfer of consumer products and services through online shopping or e-commerce marketplaces);
- The provision or processing of payments or funds transfers (such as person-to-person, business-to-person, and government-to-person funds transfers) involving the transfer of personal financial data or covered personal identifiers, or the provision of services ancillary to processing payments and funds transfers (such as services for payment dispute resolution, payor authentication, tokenization, payment gateway, payment fraud detection, payment resiliency, mitigation and prevention, and payment-related loyalty point program administration); and
- The provision of investment-management services that manage or provide advice on investment portfolios or individual assets for compensation (such as devising strategies and handling financial assets and other investments for clients) or provide services ancillary to investment-management services (such as broker-dealers executing trades within a securities portfolio based upon instructions from an investment advisor).
- Example
- A U.S. investment adviser purchases securities of a company incorporated in a country of concern for the accounts of its clients. The investment adviser engages a broker-dealer located in a country of concern to execute the trade, and, as ordinarily incident to and part of the transaction, transfers to the broker-dealer its clients’ covered personal identifiers and financial account numbers in bulk. This provision of data is an exempt transaction because it is ordinarily incident to and part of the provision of investment-management services.
- Corporate Groups: Data transactions to the extent they are corporate group transactions, which are defined to include transactions that are:
- Between a U.S. person and its subsidiary or affiliate located in (or otherwise subject to the ownership, direction, jurisdiction, or control of) a country of concern; and
- Ordinarily incident to and part of administrative or ancillary business operations, including:
- Human resources;
- Payroll, expense monitoring and reimbursement, and other corporate financial activities;
- Paying business taxes or fees;
- Obtaining business permits or licenses;
- Sharing data with auditors and law firms for regulatory compliance;
- Risk management;
- Business-related travel;
- Customer support;
- Employee benefits; and
- Employees’ internal and external communications.
- Example
- A U.S. company has a foreign subsidiary located in a country of concern, and the U.S. company’s U.S.-person contractors perform services for the foreign subsidiary. As ordinarily incident to and part of the foreign subsidiary’s payments to the U.S.-person contractors for those services, the U.S. company engages in a data transaction that gives the subsidiary access to the U.S.-person contractors’ bulk personal financial data and covered personal identifiers. This is an exempt corporate group transaction.
- Required by law or treaty: Data transactions to the extent they are required or authorized by federal law or pursuant to an international agreement to which the United States is a party.
- CFIUS: Data transactions to the extent that they involve an investment agreement that is subject to a CFIUS action.
- Telecommunications: Data transactions, other than those involving data brokerage, to the extent that they are ordinarily incident to and part of the provision of telecommunications services, including international calling, mobile voice, and data roaming.
- Regulatory Approval: Data transaction that involves “regulatory approval data” and is necessary to obtain or maintain regulatory approval to market a drug, biological product, device, or a combination product in a country of concern, provided that the U.S. person complies with certain recordkeeping and reporting requirements.
- Examples
- Example 1: A U.S. pharmaceutical company seeks to market a new drug in a country of concern. The company submits a marketing application to the regulatory entity in the country of concern with authority to approve the drug in the country of concern. The marketing application includes the safety and effectiveness data reasonably necessary to obtain regulatory approval in that country. The transfer of data to the country of concern’s regulatory entity is exempt from the prohibitions in this part.
- Example 2: Same as Example 1, except the regulatory entity in the country of concern requires that the data be de-anonymized. The transfer of data is not exempt under this section, because the data includes sensitive personal data that is identified to an individual.
- Example 3: Same as Example 1, except the U.S. company enters a vendor agreement with a covered person located in the country of concern to store, organize, and prepare the bulk U.S. sensitive personal data for submission to the regulatory agency. The transaction is not exempt under this section, because the use of a covered person to prepare the regulatory submission is not necessary to obtain regulatory approval.
- Clinical Studies: Data transactions to the extent that those transactions are:
- Ordinarily incident to and part of clinical investigations regulated by the U.S. Food and Drug Administration (“FDA”) under sections 505(i) and 520(g) of the Federal Food, Drug, and Cosmetic Act (“FD&C Act”) or clinical investigations that support applications to the FDA for research or marketing permits for drugs, biological products, devices, combination products, or infant formula; or
- Ordinarily incident to and part of the collection or processing of clinical care data indicating real-world performance or safety of products, or the collection or processing of post-marketing surveillance data (including pharmacovigilance and post-marketing safety monitoring), and necessary to support or maintain authorization by the FDA, provided the data is deidentified.
- DOJ is soliciting comments on specific aspects of the scope of the exemption such as:
- Whether to exempt all transactions that are part of the conduct of an FDA-regulated clinical investigation to develop a drug or to limit an exemption to only certain types of transactions that are especially important to the conduct of a clinical investigation and that cannot feasibly be avoided without jeopardizing the clinical investigation.
- Whether the exemption should exempt clinical investigations data related to other products, such as foods (including dietary supplements) that bear a nutrient content claim or a health claim, food and color additives, and electronic products, as those terms are defined in the FD&C Act.
- On the number of clinical investigations that would be disrupted, and the extent of such disruption, if the prohibitions were immediately applicable; how long and how to structure any delay to minimize disruption without inviting misplaced reliance; and the best mechanism for implementing such a delay.
Licensing
The NPRM contemplates a licensing regime that could issue general licenses that would be applicable to specific types of transactions as well as specific licenses that would be applicable to certain transactions.
Recordkeeping
The regulations require entities engaging in restricted transactions to implement a data compliance program, which requires comprehensive policies, procedures, and recordkeeping surrounding data involved in a restricted transaction. The proposed rule would also require entities to conduct a yearly third-party audit to assess their compliance with the regulations, as well as to maintain comprehensive records surrounding compliance with the proposed rule.
Penalties
The NPRM provides for civil and criminal enforcement. Civil penalties can reach the greater of $368,136 or twice the amount of the transaction, while willful violations can carry fines of up to $1 million or up to 20 years’ imprisonment. If the DOJ determines that a civil monetary penalty is warranted, it will issue a pre-penalty notice informing the alleged violator of the agency’s intent to impose a monetary penalty. An alleged violator has the right to respond to a pre-penalty notice or finding of violation by making a written presentation to the Department of Justice. The NPRM also allows organizations to solicit advisory opinions on the applicability of the rule to certain transactions.
Conclusion
The DOJ is taking its direction under Executive Order 14117 seriously and has crafted a comprehensive regulatory regime for the transfer of bulk sensitive data to countries of concern and covered persons. The penalties for violations are significant and may have a material impact on some organizations’ business models. The proposed rule would severely restrict cross-border data flows to countries of concern and increase costs for compliance. Organizations should look to submit comments before November 29, and then prepare for the issuance of a final rule.
Appendix A: Important Definitions
Access means logical or physical access, including the ability to obtain, read, copy, decrypt, edit, divert, release, affect, alter the state of, or otherwise view or receive, in any form, including through information systems, information technology systems, cloud-computing platforms, networks, security systems, equipment, or software.
Bulk U.S. Sensitive Personal Data means a collection or set of bulk data relating to U.S. persons, in any format, regardless of whether the data is anonymized, pseudonymized, de-identified, or encrypted.
- Sensitive Personal Data means covered personal identifiers, precise geolocation data, biometric identifiers, human genomic data, personal health data, personal financial data, or any combination thereof.
- Covered Personal Identifiers means government ID number, financial account numbers, device-based identifier, demographic or contact data, advertising identifier, account-authentication data, network-based identifier, or call-detail data.
- To be considered covered personal identifiers, the identifiers above must be combined with, or linkable to, an additional identifier, subject to some specific exclusions.
- Precise Geolocation Data means data, whether real-time or historical, that identifies the physical location of an individual or a device with a precision of within 1,000 meters.
- Biometric Identifiers means measurable physical characteristics or behaviors used to recognize or verify the identity of an individual, including facial images, voice prints and patterns, retina and iris scans, palm prints and fingerprints, gait, and keyboard usage patterns that are enrolled in a biometric system and the templates created by the system.
- Human Genomic Data means data representing the nucleic acid sequences that constitute the entire set or a subset of the genetic instructions found in a human cell, including the result or results of an individual’s “genetic test” (as defined in 42 U.S.C. § 300gg-91(d)(17)) and any related human genetic sequencing data.
- Personal Health Data means health information that relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual.
- Personal Financial Data means data about an individual’s credit, charge, or debit card, or bank account, including purchases and payment history; data in a bank, credit, or other financial statement, including assets, liabilities, debts, or trades in a securities portfolio; or data in a credit report or in a “consumer report.”
Country of Concern currently is defined as China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela.
Covered Data Transaction is any transaction that involves any access to any government-related data or bulk U.S. sensitive personal data and that involves data brokerage, vendor agreement, employment agreement, or investment agreement.
- Data Brokerage means the sale of data, licensing of access to data, or similar commercial transactions involving the transfer of data from any person (the provider) to any other person (the recipient), where the recipient did not collect or process the data directly from the individuals linked or linkable to the collected or processed data.
- Vendor Agreement means any agreement or arrangement, other than an employment agreement, in which any person provides goods or services to another person, including cloud-computing services, in exchange for payment or other consideration.
- Employment Agreement means any agreement or arrangement in which an individual, other than as an independent contractor, performs work or performs job functions directly for a person in exchange for payment or other consideration, including employment on a board or committee, executive-level arrangements or services, and employment services at an operational level.
- Investment Agreement is an agreement or arrangement in which any person, in exchange for payment or other consideration, obtains direct or indirect ownership interests in or rights in relation to: (1) Real estate located in the United States; or (2) A U.S. legal entity.
- Investment agreements do not include certain passive investments.
Covered Person means:
- A foreign person that is an entity that is 50 percent or more owned, directly or indirectly, by a country of concern, or that is organized or chartered under the laws of, or has its principal place of business in, a country of concern;
- A foreign person that is an entity that is 50 percent or more owned, directly or indirectly, by an entity described in bullet 1 or a person described in bullets 3, 4, or 5;
- A foreign person that is an individual who is an employee or contractor of a country of concern or of an entity described in bullets 1, 2, or 5;
- A foreign person that is an individual who is primarily a resident in the territorial jurisdiction of a country of concern; or
- Any person, wherever located, determined by the Attorney General: (i) to be, to have been, or to be likely to become owned or controlled by or subject to the jurisdiction or direction of a country of concern or covered person; (ii) to act, to have acted or purported to act, or to be likely to act for or on behalf of a country of concern or covered person; or (iii) to have knowingly caused or directed, or to be likely to knowingly cause or direct a violation of this part.
Directing means having any authority (individually or as part of a group) to make decisions for or on behalf of an entity and exercising that authority.
Engage is undefined in the regulations.
Government-Related Data means certain precise geolocation data, regardless of volume, explicitly enumerated in the rule and any sensitive data, regardless of volume, linkable to current or recent employees of the U.S. government.
Human Genomic Data means a quantity of tissue, blood, urine, or other human-derived material including such material classified under any of the following 10-digit Harmonized System-based Schedule B numbers:
(a) 0501.00.0000 Human hair, unworked, whether or not washed or scoured; waste of human hair;
(b) 3001.20.0000 Extracts of glands or other organs or of their secretions;
(c) 3001.90.0115 Glands and other organs, dried, whether or not powdered;
(d) 3002.12.0010 Human blood plasma;
(e) 3002.12.0020 Normal human blood sera, whether or not freeze-dried;
(f) 3002.12.0030 Human immune blood sera;
(g) 3002.12.0090 Antisera and other blood fractions, other;
(h) 3002.51.0000 Cell therapy products;
(i) 3002.59.0000 Cell cultures, whether or not modified, other;
(j) 3002.90.5210 Whole human blood;
(k) 3002.90.5250 Blood, human/animal, other;
(l) 9705.21.0000 Human specimens and parts thereof.
Knowingly means with respect to conduct, a circumstance, or a result, that a person has actual knowledge, or reasonably should have known, of the conduct, the circumstance, or the result.
U.S. Person means any United States citizen, national, or lawful permanent resident; any individual admitted to the United States as a refugee under 8 U.S.C. § 1157 or granted asylum under 8 U.S.C. § 1158; any entity organized solely under the laws of the United States or any jurisdiction within the United States (including foreign branches); or any person in the United States.