Ropes & Gray Discusses Executive Order Limiting Data Transfers to China and Other Nations

On February 28, 2024, President Biden announced an Executive Order (“EO”) directing the Department of Justice (“DOJ”) to promulgate regulations that restrict or prohibit transactions involving certain bulk sensitive personal data or United States Government-related data and countries of concern or covered persons. The DOJ’s initially identified countries are China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela, and the restrictions would also apply to any entity owned by, controlled by, or subject to the jurisdiction or direction of a country of concern as well as any person “knowingly causing or directing, directly or indirectly, a violation” of the regulations.

As directed by the EO, on February 28, the DOJ published an Advance Notice of Proposed Rulemaking (“ANPRM”) on topics related to the implementation of the EO soliciting comments up to 45 days after the ANPRM is published in the Federal Register (typically posted a few days after the announcement), which would make comments due around April 15, 2024. The EO directs the DOJ to publish a proposed rule within 180 days of the EO publication, so on or before August 26, 2024.

The Executive Order does not purport to restrict all transactions within its ambit, nor does it establish a mandatory data localization regime. In this regard, it is much more of a national security restriction on certain types of transactions than an attempt to regulate data protection by Executive Order.

Businesses impacted by the forthcoming regulations, however, may need to add these restrictions on international transfers of personal data to the growing list of international transfer restrictions already imposed by data privacy laws, including the European Union’s General Data Protection Regulation, China’s cybersecurity data privacy laws and similar comprehensive privacy laws in other jurisdictions. Significantly, unless appropriate regulatory exceptions are recognized, the restrictions may have important operational impacts on certain international, financial, and life science companies, although it appears that the current intention is that transactions “ordinarily incident to and part of the provision of financial services” will not be covered by the forthcoming regulations.

Executive Order Summary

Prohibited and Restricted Data Transactions

Underscoring that the EO is not primarily driven by data protection concerns, President Biden used his national security authority under the Constitution, the International Emergency Economic Powers Act (50 U.S.C. 1701 et seq.) (“IEEPA”), the National Emergencies Act (50 U.S.C. 1601 et seq.) (“NEA”), and section 301 of title 3, United States Code, to enact the EO. Generally, subject to DOJ regulations, the EO governs transactions involving bulk sensitive personal data or United States Government-related data and countries of concern or covered persons. The EO provides certain definitions and requirements, which are discussed below:

  • “Transaction” means any acquisition, holding, use, transfer, transportation, or exportation of, or dealing in, any property in which a foreign country or national thereof has any interest.
    • The DOJ regulations shall identify classes of transactions that are to be prohibited as well as identify classes of transactions whose risk of access by countries of concern or covered persons to bulk sensitive personal data or United States Government-related data is adequately mitigated by security requirements established by the Department of Homeland Security (“DHS”) discussed below.
  • “Bulk sensitive personal data” means “covered personal identifiers, geolocation and related sensor data, biometric identifiers, human ‘omic data [sic], personal health data, personal financial data, or any combination thereof” that is “linked or linkable to any identifiable United States individual or to a discrete and identifiable group of United States individuals” and meets or exceeds a threshold amount over a set period of time.
    • The definition does not include “data that is a matter of public record” and certain communications and information within the scope of IEEPA.
    • “Covered personal identifiers” means personally identifiable data that is reasonably linked to an individual or could be used with other data to identify an individual from a data set or link data across multiple data sets to an individual.
      • The definition does not include demographic or contact data that is linked only to another piece of demographic or contact data or a network-based identifier, account-authentication data, or call-detail data that is linked only to another network-based identifier, account-authentication data, or call-detail data.
  • “Human ‘omic data” means data generated from humans that characterizes or quantifies human biological molecule(s).
    • “Human genomic data” means data representing the nucleic acid sequences that constitute the entire set or a subset of the genetic instructions found in a cell.
    • However, restrictions do not apply to human ‘omic data transactions to the extent that they involve types of human ‘omic data other than human genomic data until the Assistant to the President for National Security Affairs (“APNSA”) (currently Jake Sullivan) submits a report to the President assessing the risks and benefits of regulating transactions involving types of human ‘omic data other than human genomic data and recommending the extent to which such transactions should be regulated. The report must be submitted within 120 days of the EO, so on or before June 27, 2024.
  • “United States Government-related data” means sensitive personal data that, regardless of volume, the Attorney General determines poses a heightened risk of being exploited by a country of concern.
    • The sensitive personal data must also be linked or linkable to categories of current or recent former employees or contractors, or former senior officials, of the federal government, linked to categories of data that could be used to identify current or recent former employees or contractors, or former senior officials, of the federal government, or linked or linkable to certain sensitive locations, the geographical areas of which will be specified publicly, that are controlled by the federal government.
  • “Country of concern” means any foreign government that has engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States and poses a significant risk of exploiting bulk sensitive personal data or United States Government-related data to the detriment of the national security of the United States. The DOJ’s initially identified countries are China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela.
  • “Covered person” means an entity owned by, controlled by, or subject to the jurisdiction or direction of a country of concern; a foreign person who is an employee or contractor of such an entity; a foreign person who is an employee or contractor of a country of concern; a foreign person who is primarily resident in the territorial jurisdiction of a country of concern; or any person designated by the DOJ as being owned or controlled by or subject to the jurisdiction or direction of a country of concern, as acting on behalf of or purporting to act on behalf of a country of concern or other covered person, or as knowingly causing or directing, directly or indirectly, a violation of the EO or any regulations implementing the EO.
    • “Foreign person” means anyone that is not a United States citizen, national, or lawful permanent resident; any individual admitted to the United States as a refugee under 8 U.S.C. 1157 or granted asylum under 8 U.S.C. 1158; any entity organized solely under the laws of the United States or any jurisdiction within the United States (including foreign branches); or any person in the United States.

In addition to the above-quoted definitions, the EO provides certain clarifications regarding the scope of the forthcoming regulations that may alleviate some concerns as to their breadth:

    • The regulations will not cover transactions that are ordinarily incident to and part of the provision of financial services, including banking, capital markets, and financial insurance services, or required for compliance with any federal statutory or regulatory requirements, including any regulations, guidance, or orders implementing those requirements.
    • The EO makes clear that it does not establish generalized data localization requirements to store bulk sensitive personal data or United States Government-related data within the United States or to locate computing facilities used to process bulk sensitive personal data or United States Government-related data within the United States.
    • The EO requires any promulgated regulations to account for any legal obligations applicable to the United States Government relating to public access to the results of taxpayer-funded scientific research, the sharing and interoperability of electronic health information, and patient access to their data.

Further Agency Guidance

Along with the general direction to DOJ to promulgate rules, the EO also directs DOJ to establish a process to issue licenses authorizing transactions that would otherwise be prohibited transactions or restricted transactions.

The EO directs DHS to publish security requirements, rules, regulations, standards, and interpretive guidance that address the unacceptable risk posed by restricted transactions based on the Cybersecurity and Privacy Frameworks developed by the National Institute of Standards, as well as directing DOJ to issue enforcement guidance.

The EO addresses the risk of access to bulk sensitive personal data and United States Government-related data where the data transits through a submarine cable owned or operated by persons owned by, controlled by, or subject to the jurisdiction or direction of a country of concern, or that connects to the United States and terminates in the jurisdiction of a country of concern. As a result, the EO directs the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector to review existing licenses for submarine cable systems and issue policy guidance regarding reviews of these license applications and existing licenses.

The EO directs the Secretary of Defense, the Secretary of Health and Human Services, the Secretary of Veterans Affairs, and the Director of the National Science Foundation to consider issuing regulations, guidance, or orders authorizing relevant federal assistance programs, to prohibit the provision of assistance that enables access by countries of concern or covered persons to United States persons’ bulk sensitive personal data or to impose mitigation measures with respect to such assistance. Further, the above agencies are directed to publish guidance to assist United States research entities in ensuring protection of their bulk sensitive personal data. The above agencies must publish a report within one year of the EO, so on or before February 28, 2025.

The EO further encourages the Consumer Financial Protection Bureau to address the data brokerage industry enabling access to bulk sensitive personal data and United States Government-related data by countries of concern and covered persons through rulemakings.

Lastly, within 120 days of the effective date of the general DOJ regulations, the EO directs the DOJ, DHS, and the Director of National Intelligence to recommend to the White House (through the APNSA) appropriate actions to detect, assess, and mitigate national security risks arising from prior transfers of United States persons’ bulk sensitive personal data to countries of concern. And then, within 150 days of the effective date of the general DOJ regulations, the APNSA shall review these recommendations and consult with relevant agencies on implementation. Within one year of the effective date of the general DOJ regulations, DOJ shall submit a report to the President assessing the effectiveness and economic impact of the regulations.

ANPRM on Provisions Regarding Access to Americans’ Bulk Sensitive Personal Data and Government-Related Data by Countries of Concern

As directed in the EO, on February 28, the DOJ published an ANPRM soliciting comments on various topics related to the implementation of the order. The DOJ is soliciting comments up to 45 days after the ANPRM is published in the Federal Register (typically posted a few days after the announcement), which would make comments due around April 15, 2024. The EO directs the DOJ to publish a proposed rule within 180 days of the EO publication, so on or before August 26, 2024.

ANPRM Summary

Classes of Transactions

The ANPRM further refines requirements laid out in the EO and provides that the DOJ is considering implementation of the EO through categorical rules that regulate certain data transactions involving bulk U.S. sensitive personal data and government-related data that present an unacceptable risk to U.S. national security. As such, the DOJ is considering establishing a program that would (1) identify certain classes of highly sensitive transactions that would be prohibited in their entirety (“prohibited transactions”), and (2) identify other classes of transactions that would be prohibited except to the extent they comply with predefined security requirements (“restricted transactions”). The ANPRM indicates that the DOJ plans to implement this program in tranches based on priority.

    • Similarly to the EO, the DOJ is proposing to define “transaction” as any acquisition, holding, use, transfer, transportation, exportation of, or dealing in any property in which a foreign country or national thereof has an interest.

Prohibited Transactions

The DOJ is considering two classes of prohibited transactions: (1) data brokerage transactions; and (2) any transaction that provides a country of concern or covered person (defined below) with access to “bulk” human genomic data (a subcategory of human ‘omic data) or human biospecimens from which that human genomic data can be derived.

    • The DOJ is proposing to specifically prohibit U.S. persons from knowingly engaging in covered data transactions involving data brokerage (defined below) with any foreign person unless the U.S. person contractually requires that the foreign person refrain from engaging in a subsequent covered data transaction involving the same data with a country of concern or covered person.
      • The DOJ is proposing defining “data brokerage” as the sale of, licensing of, access to, or similar commercial transactions involving the transfer of data from any person (the provider) to any other person (the recipient), where the recipient did not collect or process the data directly from the individuals linked or linkable to the collected or processed data.
    • The DOJ is proposing to specifically prohibit U.S. persons from knowingly engaging in covered data transactions with a country of concern or covered person that provides that country of concern or covered person with access to bulk U.S. sensitive personal data that consists of human genomic data, or to human biospecimens from which such data could be derived, on greater than [the applicable bulk threshold of] U.S. persons at any point in the preceding 12 months, whether in a single covered data transaction or aggregated across covered data transactions.

Restricted Transactions

In addition to the prohibited transactions, the DOJ is considering three classes of restricted data transactions: (1) vendor agreements (including, among other types, agreements for technology services and cloud service agreements), (2) employment agreements, and (3) investment agreements. As noted above, these restricted transactions would be permitted provided that they comply with certain predefined security requirements.

    • The DOJ is proposing to decline to regulate restricted covered data transactions until the applicable security requirements are published, available to the public, and become effective by incorporation into the final rule.
    • The DOJ is proposing defining “vendor agreement” as any agreement or arrangement, other than an employment agreement, in which any person provides goods or services to another person, including cloud-computing services, in exchange for payment or other consideration.
    • The DOJ is proposing defining “employment agreement” as any agreement or arrangement in which an individual, other than as an independent contractor, performs work or performs job functions directly for a person in exchange for payment or other consideration.
    • The DOJ is proposing defining an “investment agreement” as any agreement or arrangement in which any person, in exchange for payment or other consideration, obtains direct or indirect ownership interests in or rights in relation to real estate located in the United States or a U.S. legal entity.
      • Further, the DOJ is considering excluding certain passive investments that do not convey the ownership interest or rights including publicly traded securities, index funds, and pooled investment funds.

A restricted covered data transaction would be permissible if the U.S. person:

    • Implements Basic Organizational Cybersecurity Posture requirements based on industry standards listed in the ANPRM;
      • Specific examples listed in the ANPRM based on industry standards.
    • Conducts the covered data transaction in compliance with the following three conditions:
      • data minimization and masking;
      • development of information-technology systems to prevent unauthorized disclosure; and
      • implementation of logical and physical access controls; and
    • Satisfies certain compliance-related conditions, such as retaining an independent auditor to perform annual testing and auditing of the requirements in (1) and (2) above, for so long as the U.S. person relies on compliance with those conditions to conduct the restricted covered data transaction.

Licenses

The DOJ proposes creating a licensing regime, including general and specific licenses, that would approve, or impose conditions on, covered data transactions that are prohibited or restricted and would include an interagency consultation process to ensure that agencies with relevant equities and expertise may weigh in.

Countries of Concern

The DOJ’s initially identified countries are China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela.

Covered Persons

The DOJ is proposing defining the term “covered person” as the below:

    • An entity that is 50 percent or more owned, directly or indirectly, by a country of concern, or that is organized or chartered under the laws of, or has its principal place of business in, a country of concern;
    • An entity that is 50 percent or more owned, directly or indirectly, by an entity described in category (1) or a person described in categories (3), (4), or (5);
    • A foreign person who is an employee or contractor of a country of concern or of an entity described in categories (1), (2), or (5);
    • A foreign person who is primarily resident in the territorial jurisdiction of a country of concern; or
    • Any person designated by the Attorney General as being owned or controlled by or subject to the jurisdiction or direction of a country of concern, or as acting on behalf of or purporting to act on behalf of a country of concern or covered person, or knowingly causing or directing a violation of these regulations.

Bulk U.S. Sensitive Personal Data

The DOJ is proposing six defined categories of bulk U.S. sensitive personal data: U.S. persons’ covered personal identifiers, personal financial data, personal health data, precise geolocation data, biometric identifiers, and human genomic data—and combinations of those categories. The Agency proposes further defining the categories as explained below:

    • Covered Personal Identifiers.
      • The EO defines “covered personal identifiers” as “specifically listed classes of personally identifiable data that are reasonably linked to an individual, and that—whether in combination with each other, with other sensitive personal data, or with other data that is disclosed by a transacting party pursuant to the transaction and that makes the personally identifiable data exploitable by a country of concern—could be used to identify an individual from a data set or link data across multiple data sets to an individual.”
      • The DOJ proposes in the ANPRM further refining the definition to include the below listed identifiers:
        • Full or truncated government identification or account numbers.
        • Full financial account numbers or personal identification numbers associated with a financial institution or financial services company.
        • Device-based or hardware-based identifier.
        • Demographic or contact data.
        • Advertising identifier.
        • Account-authentication data.
        • Network-based identifier.
        • Call-detail data.
      • The definition does not include:
        • Demographic or contact data that is linked only to other demographic or contact data, a network-based identifier, or account-authentication data.
        • Call-detail data that is linked only to other network-based identifiers, account-authentication data, or call-detail data as necessary for the provision of telecommunications, networking, or similar services.
        • Employment history
        • Educational history
        • Criminal history
        • Web-browsing history
      • The DOJ is considering defining identifiers as linked when the identifiers involved in a single covered data transaction, or in multiple covered data transactions or a course of dealing between the same or related parties, are capable of being associated with the same specific person(s). Identifiers would not be considered linked when additional identifiers or data not involved in the relevant covered data transactions would be necessary to associate the identifiers with the same specific person(s).
    • Geolocation and related sensor data.
      • The DOJ proposes regulating covered transactions involving only precise geolocation information defined as data, whether real-time or historical, that identifies the physical location of an individual or a device with a precision of within [number of meters/feet] based on electronic signals or inertial sensing units.
    • Biometric Identifiers
      • The DOJ proposes defining “biometric identifier” as measurable physical characteristics or behaviors used to recognize or verify the identity of an individual.
    • Human ‘omic data
      • The DOJ proposes regulating covered transactions involving only human genomic data defined as data representing the nucleic acid sequences that comprise the entire set or a subset of the genetic instructions found in a human cell, including the result or results of an individual’s “genetic test” (as defined in the Genetic Information Nondiscrimination Act of 2008 (42 U.S.C. § 300gg-91(d)(17))) and any related human genetic sequencing data.
    • Personal Health Data
      • The DOJ proposes defining “personal health data” as “individually identifiable health information” (as defined in the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. § 1302d(6) and 45 CFR § 160.103)), regardless of whether such information is collected by a “covered entity” or “business associate” (as defined in 45 CFR § 160.103).
    • Personal Financial Data
      • The DOJ proposes defining “personal financial data” as data about an individual’s credit, charge or debit card, or bank account.
    • Exclusions
      • The DOJ proposes excluding trade secrets, data that is lawfully available to the public, personal communications that do not transfer anything of value, and “information” under IEEPA.
    • Bulk Threshold
      • The DOJ proposes establishing volume-based thresholds based on a risk-based assessment that examines threat, vulnerabilities, and consequences as components of risk. For the six defined categories of sensitive data the DOJ proposes the following thresholds:
        • Human Genomic Data
          • Low: more than 100 U.S. persons
          • High: more than 1,000 U.S. persons
        • Biometric Identifiers
          • Low: more than 100 U.S. persons
          • High: more than 10,000 U.S. persons
        • Precise Geolocation
          • Low: more than 100 U.S. devices
          • High: more than 10,000 U.S. devices
        • Personal Health Data/Personal Financial Data
          • Low: More than 1,000 U.S. persons
          • High: More than 1,000,000 U.S. persons
        • Covered Personal Identifiers
          • Low: More than 10,000 U.S. persons
          • High: More than 1,000,000 U.S. persons

Government-Related Data

The DOJ is proposing two kinds of government-related data regardless of volume: (1) any precise geolocation data for any location within any area enumerated on a list of specific geofenced areas associated with military, other government, or other sensitive facilities or locations (the Government-Related Location Data List), or (2) any sensitive personal data that a transacting party markets as linked or linkable to current or recent former employees or contractors, or former senior officials, of the U.S. government.

For geolocation, the Government-Related Location Data List would be created through an interagency process in which each agency identifies any geofenced areas relative to its equities for inclusion on the list, and the DOJ would maintain and publish the list.

Exempt Data

The DOJ is considering exempting from this program: data transactions involving “personal communications” or “information” as defined under IEEPA; official business transactions; financial services-, payment processing-, and regulatory compliance-related transactions; intra-entity transactions incident to business operations; and transactions required or authorized by federal law or international agreements.

Interpretative Guidance

The DOJ is considering permitting any U.S. person engaging in covered data transactions regulated by the program to request an interpretation of any part of these regulations from the Attorney General.

Compliance & Enforcement

The DOJ is currently considering creating and implementing a compliance and enforcement program modeled on the Department of the Treasury’s IEEPA-based economic sanctions, which are administered by OFAC.

Subsequent Action

The program would not apply retroactively (before the effective date of the final rule). However, the Department of Justice may, after the effective date of the regulations, request information about transactions by United States persons that were completed or agreed to after the date of the issuance of the Order to better inform the development and implementation of the program.

Overlap with National Security Regulations

CFIUS

The Committee on Foreign Investment in the United States (“CFIUS” or the “Committee”) is an interagency committee of the U.S. government tasked with assessing whether certain foreign investments in the United States (called “covered transactions”) threaten to impair national security. In cases where CFIUS identifies national security concerns, it can seek to impose mitigation measures, or recommend that the President of the United States formally block a covered transaction.

In 2018, Congress passed the Foreign Investment Risk Review Modernization Act (“FIRRMA”), and the final regulations implementing FIRRMA were issued in February 2020. Pursuant to FIRRMA and its implementing regulations, CFIUS’s jurisdiction was expanded in a number of key respects, including to cover certain non-controlling, non-passive investments in certain categories of U.S. businesses, called “TID U.S. businesses,” because they deal in “critical Technology,” “critical Infrastructure,” or “sensitive personal Data,” each as defined in the CFIUS regulations.

“Sensitive personal data” is defined to include identifiable data on U.S. persons that fits within one of several categories, many of which overlap with the categories of data set forth in the ANPRM. Categories of data that can qualify as “sensitive personal data” for CFIUS purposes include, inter alia, (i) financial data that could be used to assess financial distress or hardship; (ii) insurance-related information; (iii) data relating to the physical, mental, or psychological health of individuals; (iv) geolocation data; (v) biometric enrollment data; (vi) data stored and processed for the purpose of federal government identification; (vii) data relating to U.S. government personnel security clearance status; and (viii) genetic data. In many cases, CFIUS imposes a requirement that a company must collect at least one million records to qualify as a TID U.S. business, though there are exceptions, including that (i) any volume of genetic data is sufficient; (ii) companies that target or tailor offerings to the U.S. government can qualify; and (iii) companies that have a “demonstrated business objective” to collect at least 1 million records can also fall within CFIUS’s jurisdiction.

DOJ is a member agency of CFIUS, and the Committee generally has taken an increasingly broad view of the national security concerns with foreign access to “sensitive personal data.” For example, in his September 2022 Executive Order relating to CFIUS, President Biden underscored that foreign access to sensitive personal data is a key risk area. As such, the ANPRM is consistent with the current focus by CFIUS on data as a national security concern. Of note, however:

    • The ANPRM is broader in some respects than CFIUS’s jurisdiction. First, DOJ proposes in the ANPRM to set thresholds for the volume of identifiable data that are lower than the typical 1 million threshold in the CFIUS regulations (considering, for example, a threshold anywhere from 1,000 to 1,000,000 for health data). Second, the ANPRM would extend to categories of transactions that do not qualify as “covered transactions” for CFIUS purposes, such as sales of bulk data, vendor agreements, and employment agreements. If enacted, the regulations covered in the ANPRM would extend the universe of data-related transactions subject to at least one form of national security restriction, necessitating ever more careful review by covered parties.
    • The ANPRM contemplates overlapping jurisdiction with CFIUS in some cases. One category of transaction that DOJ anticipates applying restrictions to is “investment agreements,” wherein covered persons obtain an interest in U.S. companies. In certain cases, an “investment agreement” subject to the new data restrictions will also qualify as a “covered transaction” for CFIUS purposes. In the ANPRM, DOJ proposes for there to be overlapping jurisdiction, with DOJ forfeiting jurisdiction only if CFIUS initiates a formal review and imposes mitigation measures. This could, in practice, result in data-related transactions being subject to overlapping regulatory requirements and prohibitions, which covered parties would need to carefully assess.
    • The ANPRM observes the limits of documentary protections. One approach to mitigating CFIUS-related risk concerning companies that collect or maintain “sensitive personal data” is through the use of prophylactic documentary protections, including covenants that provide that a foreign person will not obtain access to any “sensitive personal data” collected by the Company. The ANPRM suggests in Example 30 that even if a covered investment agreement explicitly forbids the foreign person from accessing the data, the relevant restrictions could still be implicated. While care must be exercised in extrapolating takeaways from the ANPRM to the CFIUS context, this commentary suggests concern around addressing national security risk around data through contractual mechanisms.

Sanctions and Export Controls

Currently, the Office of Foreign Assets Control (“OFAC”) within the U.S. Department of the Treasury and the Bureau of Industry and Security (“BIS”) within the U.S. Department of Commerce implement broad sanctions and export controls. Collectively, these trade regulations, among other things, (i) broadly restrict most dealing with certain countries, such as Cuba, Iran, North Korea, Syria, and contested regions of Ukraine; (ii) impose broad-based restrictions (that do not constitute embargoes) on other countries, such as Russia and Venezuela; and (iii) impose wide-ranging but more targeted export controls targeting other countries and risk areas, including China.

The ANPRM suggests that DOJ intends to align with the general foreign policy restrictions expressed in OFAC sanctions and the Export Administration Regulations (“EAR”), including by defining “country of concern” to target China (inclusive of Hong Kong and Macau), Russia, Cuba, Iran, and Venezuela. Moreover, the ANPRM also suggests that DOJ intends to model the final regulations implementing the ANPRM on the sanctions regulations imposed by OFAC. This means that DOJ is (i) assessing the possibility of general licenses, comparable to those issued by OFAC under its sanctions programs; (ii) contemplating reporting requirements for parties that take advantage of general licenses; and (iii) intending to model its reporting and enforcement requirements on the enforcement mechanisms familiar to U.S. persons who are subject to OFAC’s sanctions jurisdiction.

While further information on the proposed regulations will be required for a fuller assessment, the references to OFAC and BIS in the ANPRM suggest that DOJ intends to build a comprehensive regulatory program with a strong enforcement and monitoring component.

Conclusion

The DOJ is soliciting comments up to 45 days after the ANPRM is published in the Federal Register (typically posted a few days after the announcement), which would make comments due around April 15, 2024. Entities that do business with or are otherwise involved in transactions with countries of concern or covered persons should monitor the rulemaking process closely.

This post comes to us from Ropes & Gray LLP. It is based on the firm’s memorandum, “New Executive Order Would Restrict Transfer of Certain Bulk Sensitive Personal Data and United States Government-Related Data to China and Other Countries of Concern.”