The Department of Justice (“DOJ”) has moved ahead with its effort to protect Americans’ sensitive personal data and U.S. government data from exploitation by countries of concern or related covered persons, issuing a Notice of Proposed Rulemaking (the “Proposal”) that closely tracks its earlier Advance Notice of Proposed Rulemaking (the “Advance Notice”). The Advance Notice had been released in February concurrently with an Executive Order (the “Order”) in response to concerns that countries of concern were leveraging access to Americans’ bulk sensitive personal data or U.S. government-related data “to engage in a wide range of malicious activities.”[1] We covered the earlier Advance Notice and Order in detail in our prior blog post and Debevoise in Depth.
Under the Proposal, prohibited and restricted transactions would include transactions that may enable countries of concern or covered persons to access government-related data or bulk U.S. sensitive personal data and are not otherwise exempted. Certain transactions that involve genomic data are outright prohibited and three classes of restricted transactions (vendor agreements, employment agreements and non-passive investment agreements) are prohibited unless the U.S. person entering into the transactions complies with specific security requirements (“Proposed Security Requirements”) that have been proposed in parallel to DOJ’s process by the Cybersecurity and Infrastructure Security Agency (“CISA”).
Public comments on both the Proposal and the Proposed Security Requirements are due on November 29, 2024.
In this post, we provide a brief overview of the Proposal, review the key changes from the Advance Notice and discuss considerations for entities that may be impacted by the forthcoming regulations, if enacted.
Key Features of the Proposal
- As previewed in the Advance Notice, the Proposal would designate six countries — China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia and Venezuela — as countries of concern that pose a significant risk of exploiting bulk sensitive personal data or government-related data.
- The Proposal would generally regulate U.S. persons’ data transactions with “covered persons” through which there is an unacceptable risk that countries of concern, as a legal and practical matter, can access and exploit sensitive personal data.
• Covered persons. As previewed in the Advance Notice, the Proposal primarily defines four classes of covered persons: (1) foreign entities that are 50 percent or more owned by a country of concern, are organized under the laws of a country of concern, or have their principal place of business in a country of concern; (2) foreign entities that are 50 percent or more owned by a covered person; (3) foreign employees or contractors of countries of concern or entities that are covered persons; and (4) foreign individuals primarily resident in countries of concern.
• As discussed in the Advance Notice, these four classes would be supplemented by a public list of individuals and entities designated by the DOJ as covered persons.
- As previewed by the Advance Notice, the Proposal’s prohibitions and restrictions would generally apply only to covered data transactions involving sensitive personal data that exceeds certain bulk volume thresholds. (However, no thresholds apply to the Proposal’s prohibitions and restrictions for U.S. government-related data.)
• Prohibited transactions. The two categories of prohibited transactions are data brokerage and covered data transactions involving access to bulk human genomic data or biospecimens from which such data can be derived.
• Restricted transactions. The three categories of restricted transactions are vendor, employment and non-passive investment agreements, which would be subject to the Proposed Security Requirements.
• Exemptions. As previewed in the Advance Notice, the Proposal would exempt certain classes of data transactions.
For additional detail about the overall contours of the program, please see our prior blog post and Debevoise in Depth.
Key Updates
Although largely consistent with the overall framework discussed in the Advance Notice, there are several key changes and updates between the Proposal and the Advance Notice, in particular:
- Proposed Security Requirements. The newly released Proposed Security Requirements seek to mitigate the risk of access by countries of concern or covered persons through cybersecurity measures that are proposed in detail, including basic organizational cybersecurity policies and practices, physical and logical access controls, data masking and minimization, encryption, and the use of privacy-enhancing techniques.
- New exemptions for telecom services and clinical trial data. In addition to the prior exemptions discussed in the Advance Notice, which included personal communications, expressive information, financial services and transactions within a company/corporate group, the DOJ has proposed new exemptions for drug, biological product and medical device authorizations (if the data transactions involve “regulatory approval data” necessary to obtain or maintain regulatory approval in a country of concern), clinical investigations and post-marketing surveillance data (if the transactions are part of clinical investigations regulated by the FDA) and transactions that are ordinarily incident to and part of the provision of telecommunications services.
- ’Omic data. The Proposal would prohibit data brokerage transactions and covered data transactions involving access to bulk human genomic data or biospecimens from which such data can be derived. The Order previously deferred consideration of whether and how to regulate human genomic data, and the Advance Notice sought comment on this issue. In a change from the Advance Notice, the Proposal considers regulating transactions that provide access to bulk human ’omic data other than human genomic data, including human epigenomic data, glycomic data, lipidomic data, metabolomic data, meta-multiomic data, microbiomic data, phenomic data, proteomic data and transcriptomic data.
- Risk of third party resale. Adding detail to the approach described in the Advance Notice, the Proposal also includes a prohibition specific to data brokerage to address transactions involving the subsequent transfer or resale of government-related data or bulk U.S. sensitive personal data to countries of concern and covered persons. As such, the Proposal prohibits any U.S. person from knowingly engaging in a covered data transaction involving data brokerage with any foreign person that is not a covered person unless the U.S. person contractually requires that the foreign person refrain from engaging in a subsequent covered data transaction involving that data with a country of concern or covered person.
- Passive investment threshold. The Proposal restricts three categories of transactions—vendor, employment and non-passive investment agreements. Consistent with the approach in the Advance Notice, passive investment agreements are excluded if the investment (a) is made in a publicly traded security, in Investment Company Act of 1940 securities or as a capital-only limited partner, (b) gives the investor less than 10% in total voting and equity interest and (c) does not give the investor rights beyond those reasonably considered to be standard minority shareholder protections. Whereas the Advance Notice contemplated a de minimis threshold, the Proposal sets the voting and interest threshold at 10% in total voting and equity interest.
- Bulk thresholds. As previewed by the Advance Notice, the Proposal’s prohibitions and restrictions would generally apply only to covered data transactions involving sensitive personal data that exceeds certain bulk volume thresholds. The Advance Notice provided a range within each potential threshold the DOJ was considering. Except with respect to human genomic data, the thresholds are approximately the middle order of magnitude of the preliminary ranges identified in the Advance Notice.
• Human genomic data: More than 100 U.S. persons.
• Biometric identifiers and precise geolocation data: More than 1,000 U.S. persons.
• Personal health data and personal financial data: More than 10,000 U.S. persons.
• Covered personal identifiers: More than 100,000 U.S. persons.
- Covered data transaction definition. In response to comments to the Advance Notice, the DOJ revised the definition of a “covered data transaction” to any transaction that involves any access to the data by the counterparty to a transaction (rather than any transaction that involves government-related data or bulk U.S. sensitive personal data).
- CFIUS exemption. Adding detail and implementing the approach contemplated by the Advance Notice, the Proposed Rule exempts investment agreements to the extent that they are the subject of a “CFIUS action” as defined in section 202.207 (i.e., CFIUS has suspended a proposed or pending transaction, or entered into or imposed mitigation measures to address a national security risk involving access to sensitive personal data by countries of concern or covered persons).
- Interaction with OICTS authority. Unlike the Advance Notice, the Proposal considers how the rule’s restrictions on vendor agreements could impact the authority of the Department of Commerce’s Office of Information and Communications Technology and Services (“OICTS”). As discussed in the preamble to the Proposal, the rule would set a baseline of security requirements for impacted agreements, while still allowing OICTS to take more stringent actions against a specific vendor, transaction, or class beyond those requirements established by the Proposal.
Key Takeaways
While the Proposal does not impose any immediate legal obligations, businesses that engage in the types of data transactions contemplated may wish to begin considering the following:
- Participate in the public notice and comment process. Independently or through industry associations, interested businesses should consider commenting on both the Proposal and the Proposed Security Requirements and looking for other opportunities to provide further feedback during the rulemaking process. The Proposal and the Proposed Security Requirements have a simultaneous comment period. Comments are due on November 29.
- Compliance and diligence. The Proposal would require companies to develop and implement risk-based compliance programs and would establish affirmative compliance obligations for U.S. persons engaging in a restricted transaction. Entities should consider whether they currently engage in data transactions contemplated by the Proposal or similar transactions, and, if so, consider enhancements to existing diligence processes that may be needed to screen for affiliations with “countries of concern” or related “covered persons” going forward. The Proposal describes in greater detail the affirmative due diligence requirements imposed as a condition of engaging in a restricted transaction.
• A company’s compliance requirements under the Proposal would include annual reports filed by U.S. persons engaged in certain restricted transactions, as well as certain reporting related to suspected or attempted violations of the proposed rules, and reports for those invoking the drug regulatory approval exemption.
• Similarly, entities can begin to consider enhancements to compliance audit processes that will capture covered data transactions and include monitoring data flows, assessing security protocols, vendor oversight and reviewing diligence on parties to data transactions.
- Security requirements. Businesses that might seek to engage in data transactions under the currently contemplated “restricted” category can review the Proposed Security Requirements for guidance on the types of organizational security measures that they will be expected to have implemented. These companies may consider conducting a preliminary gap analysis for purposes of compliance planning and to inform potential comment on the Proposed Security Requirements.
- Data mapping. Entities may wish to conduct a review to identify the sensitive personal data and U.S. government-related data that they hold and where that data is stored and processed, both geographically and in terms of whether it is stored at a third party. Parties subject to the exemptions, particularly the new exemptions, could review their data and ensure that the exemptions adequately cover the scope of data that should be excluded from the rulemaking.
- Vendor agreements. Where data is held by a third party, businesses should keep in mind that new contractual terms may be needed in order to ensure compliance with any forthcoming obligations, noting that the vendor agreement requirements would provide a baseline of security requirements for impacted agreements, and OICTS may take further action beyond the requirements of any final rule.